Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have been having an issue with users on Macs unable to connect to a CentOS 6.6 build via SSH, receiving the following error: "usr/bin/xauth: timeout in locking authority file /media/Volume/DirectoryName/UserName/.Xauthority".
Nothing I found seemed to work in my attempts to correct this issue until I found a page suggesting I alter the "sestatus" file (https://twiki.cern.ch/twiki/bin/view...roubleShooting). It suggests I change the 'Current Mode' from 'Enforcing' to 'Permissive'. I tried this and it does work; I can now connect from our Macs to the CentOS 6.6 build.
My question is: is it secure to alter the 'SESTATUS' file in this manner, and is it still only those with an allowed user account, who should be able to access this computer, that can do so?
SELinux is an added layer of security over the normal one. It is access control based on context. As you said, you have changed the mode from Enforcing to Permissive; what that does is not disallow any service from making a connection, but just log each instance where it finds a violation. In Enforcing mode it won't allow the violation and will deny any service request if a violation is found.
In case you want to keep using SELinux, then instead of disabling it you could have configured SELinux Booleans to allow the service accordingly.
To be honest I haven't seen SELinux in use on many production systems. The reason behind that is its complexity. It just adds overhead.
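An added example, not code from anyone in this thread: a small POSIX shell script that pulls the source type, target type, class and denied permissions out of an AVC denial line (the shape `ausearch -m avc` prints) and reports the current mode, so a denial can be answered with a Boolean or a file-context fix while the box stays in Enforcing. The sample audit line, its `xauth_t`/`mnt_t` labels and the path are constructed, and the Boolean named in the comment is only an assumption about what a mounted home volume would need.

```shell
#!/bin/sh
# Added example: read the AVC denial instead of switching SELinux to Permissive.
# The denial line below is constructed; on a real CentOS 6 box you would get
# it from `ausearch -m avc -ts recent` or /var/log/audit/audit.log.
SAMPLE_AVC='type=AVC msg=audit(1426931000.123:456): avc:  denied  { write } for  pid=2468 comm="xauth" name=".Xauthority" dev="sdb1" ino=12345 scontext=unconfined_u:unconfined_r:xauth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY (scontext, tcontext, tclass, comm ...)
# The leading space keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# avc_perms LINE -> the denied permission set inside the braces, e.g. "write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p'
}

# avc_summary LINE -> "source_type -> target_type (class): perms"
# The third colon-separated field of a context is its SELinux type.
avc_summary() {
    src=$(avc_field "$1" scontext | cut -d: -f3)
    tgt=$(avc_field "$1" tcontext | cut -d: -f3)
    printf '%s -> %s (%s): %s\n' "$src" "$tgt" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# current_mode -> Enforcing / Permissive / Disabled, read from the kernel
# interface directly (the same thing `getenforce` and `sestatus` report).
current_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do   # /selinux is the CentOS 6 path
        if [ -r "$f" ]; then
            if [ "$(cat "$f")" = 1 ]; then echo Enforcing; else echo Permissive; fi
            return 0
        fi
    done
    echo Disabled
}

# A target type of mnt_t on a home volume points at labelling, not at sshd:
# the fix is a Boolean for that filesystem (assumption: use_nfs_home_dirs or
# use_samba_home_dirs via `setsebool -P`, matching how /media/Volume is mounted)
# or relabelling the directory with semanage fcontext + restorecon, and
# `setenforce 0` is never needed for either.
avc_summary "$SAMPLE_AVC"
current_mode
```

Run it as a normal user; the summary for the constructed line reads `xauth_t -> mnt_t (file): write`, and `current_mode` prints whatever the kernel reports on the host.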
Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including United States Department of Defense-style mandatory access controls (MAC).
SELinux is a set of kernel modifications and user-space tools that have been added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy itself and streamlines the volume of software charged with security policy enforcement.[1][2] The key concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency.
i tried looking into selinux, seemed to be a waste of time. anything that you think it might help with is already available in linux or easily accomplished by keeping things simple. my opinion is it's an antiquated kernel mod that is now obsolete, but because it's from the gov't or was started by it, it persists.
SELinux is not a waste of time if you know how to use and configure it. "It is already available in Linux or easily accomplished"? No; instead it provides Mandatory Access Control (MAC) or RBAC, which is an important security measure. It has prevented many unauthorised accesses. It is also not an antiquated kernel mod and it definitely is not obsolete. It is used by Fedora and maybe in RHEL/CentOS. Yes, it came from the NSA in the USA, but that's not the reason it persists. It persists because it adds/enhances security and is actively developed by the community.
Gentoo, Debian and Arch Linux have SELinux but it is not enabled by default.
Hi Veerain, while I suspected the ideas you mention in your post, could you elaborate on the process for configuring it, or at least point to something that explains how to configure SELinux? Also, could you confirm whether making the suggested changes to the "sestatus" file would in fact disable the security of SELinux? Thx.
maybe i don't understand the definition of mandatory/role based access control.
what can selinux do that cannot already be done without it in kernel versions 2.6 or 3?
you said "it has prevented many unauthorised access"
can you give me a specific example?
Does your organization require production systems to be running SELinux? Is SELinux part of your design document? It is not about whether to run it or not, it is more about whether it is a requirement for your organization or not.
As I have mentioned in my previous post, I haven't seen SELinux running on production systems that often. I am also not denying the fact that it is used by many organizations which deal in confidential / classified information. So in the end it comes to the same question: whether it is required or not.
As I said in my previous post, if you want to run SELinux then you might be interested in tweaking SELinux Booleans according to your requirements.
@ veerain,
SELinux is not a waste of time but definitely a headache. Do you know that when you write SELinux rules and then upgrade the kernel / SELinux it might screw up the rules and you might have to re-write them? You don't want to be in a situation where you have locked yourself out and are then struggling to get things back in place. SELinux / AppArmor (SuSE, same idea as SELinux) are there in the market but definitely not that common unless you are working for an organization which deals in highly confidential or classified documents.
Bottom line is: if you are good at SELinux, then only go for it. If you are a novice or at a moderate level it will be a nightmare for you.
An NSA research project called SELinux added a Mandatory Access Control architecture to the Linux Kernel, which was merged into the mainline version of Linux in August 2003. It utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). Red Hat Enterprise Linux version 4 (and later versions) come with an SELinux-enabled kernel. Although SELinux is capable of restricting all processes in the system, the default targeted policy in RHEL confines the most vulnerable programs from the unconfined domain in which all other programs run. RHEL 5 ships 2 other binary policy types: strict, which attempts to implement least privilege, and MLS, which is based on strict and adds MLS labels. RHEL 5 contains additional MLS enhancements and received 2 LSPP/RBACPP/CAPP/EAL4+ certifications in June 2007.[11]
Yes, definitely it is difficult. To use SELinux we have to know a little bit of kernel know-how, and there are no easy guides explaining it all. So it's better to leave it to the distro builders/maintainers, but for specific applications that support SELinux there are docs available.
I don't have links for it now, but I read them in Fedora release notes / bug announcements. Applications had bugs that would have allowed privilege escalation, but it was prevented by SELinux. SELinux can't stop all kinds of exploits, though. And it has about 5 more CPU utilization.
Last edited by veerain; 03-21-2015 at 07:53 AM.
Reason: Minor type error.