AppArmor and Selinux
Hi, I'm a Windows user and aspiring Linux migrant. I've been looking at several distros and reading up on anything I should know, and I came across some security issues. Sorry if this sounds idiotic. :-)
While Linux is far more secure than Windows, years of trauma with viruses and other malware have given me this thing about keeping my PC secure (trauma-induced paranoia?). I'd read up on iptables, AppArmor and Selinux, and from what I was able to grasp (not much, I think, correct me if I'm wrong), the latter two are programs (?) you add on top of the system. The same way you put a firewall on top of a Windows PC. And since I'm not only a Linux newbie but also barely above a newbie in terms of computers in general, I don't think I'd want to have to deal with something advanced like Selinux. From what I know, AppArmor is more user-friendly than Selinux except that it's not recommended for real newcomers like me to tinker with, and anyway, Selinux seems more trouble than it's worth. But I tried out some Live CDs of Ubuntu and Linux Mint and saw a selinux folder under filesystems. But I heard that Selinux doesn't come pre-installed at least with Linux Mint -- but what is a Selinux folder doing in the filesystems folder if it's not? Are there more newbie-friendly programs like AppArmor and Selinux?
IPtables and mandatory access control (the hooks used by SELinux and AppArmor) are both part of the kernel. The application portions of these facilities are only for interfacing to the kernel functionality.
I've used SELinux since it was introduced by Fedora in 2004. Fedora comes with SELinux installed and active. Under normal circumstances as a user you should never need to interact with SELinux - it's invisible. People that recommend disabling it don't understand it. IPtables can be configured with a variety of tools. The basic system configuration tool lets you open well known ports with just a click for example.
Really? Because from the way people talk about Selinux it seems like some monster application that shuts down everything on the system at worst. Which is why as a newbie (to both linux and computers in general) I didn't want to have to deal with it. Imagine my dismay when I thought that Ubuntu has Selinux pre-installed (?). Wait, on that note, so some distros like Linux Mint who don't have Selinux pre-installed (so they say in their forums) but which include a Selinux folder anyway and have something like libselinux installed...it's not selinux itself? Analogy would be, say, drivers that allow hardware to work?
About iptables...how do I know which ports to close?
Some basic infrastructure is included for SELinux, even if it's not in use so that software can properly function. As far as the firewall (iptables), the distribution should have provided a safe default configuration (closed). You only need to take action if you are going to open ports.
In the early days of SELinux, the desktop policy (targeted) was incomplete. Many people tried it and had problems, and now tell everyone how horrible it is. Historical posts and long memories make for a bad impression. Also, sometimes people use 'expert' methods without fully understanding them, and end up with badly labeled files. This is the worst case scenario with SELinux, and is usually when people throw in the towel. However, the filesystem can be completely relabeled with:
Code:
fixfiles onboot
I see. Thanks. :-)
Let me explain: because of the way that the market works with proprietary platforms, what people tend to buy as a 'Firewall' tends to be a real firewall, plus all sorts of other bits and pieces that aren't really a firewall, per se. Windows users tend to expect these extra bits and pieces, but a Linux firewall is really just a firewall (plus, maybe, some other networking set-up stuff, but no virus scanner, for example).
In any case, for most applications, the use of ports is well documented (/etc/services), but some apps are rather more, err, liberal with their use of ports. This is irritating, but, for something like a workstation there is the possibility of allowing anything that the workstation initiates, but disallowing anything from the outside world that isn't a direct response to what the workstation initiates (I'm not suggesting that this is the most secure policy in the world, but used for the known exceptions to the 'allow this port to that service' rule is not wildly insecure...it does not, for example, protect against local applications going wild and doing something undesirable). AppArmor and SELinux are examples of a different sort of protection, sometimes called application firewalls (which is a bit deceptive, as they aren't all that directly connected with the 'real' firewalls of this world). In essence, these allow you to say 'this application is allowed to use that resource'. So, for example, you might allow your browser to access the internet, but not your word processor. This might be a useful thing to do to protect against some malware being inserted into your word processor and doing all sorts of bad things. (Of course, not having the malware inserted into your word processor in the first place would be better still, but good security comes in layers.) In part, how easy these things are to use depends on whether they come with pre-canned profiles that you can use and/or good documentation on how to create the profiles that you need, or whether you have to make your own for everything starting from zero. I'm sure that things have improved since the early days, but as macemoneta comments, in the early days, things were not that great. AppArmor has the reputation of being the easier of the two to work with, but how much that matters if you get all the profiles that you need, and it 'just works' is unclear (to me, anyway).
I'm pretty sure that if you just think 'Linux is bulletproof, it doesn't matter what I do, or how badly I do it', eventually you will find a way of breaking something, even though it may be rather harder to break than Windows.
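The workstation policy described in the post above (allow what the workstation initiates, drop unsolicited inbound traffic, open only the known exceptions), written out as an added example that is not part of this thread: a small script that generates an iptables-restore ruleset you can review before loading it with `iptables-restore`. Assumptions: IPv4 only, an iptables build with the conntrack match, loopback trusted; the function names and the port list are my own.

```shell
#!/bin/sh
# Added example, not from the thread: emit a "closed by default" workstation
# ruleset in iptables-restore format. Generating the text first lets you read
# it before applying it (as root): workstation_rules 22 | iptables-restore
# Assumptions: IPv4, conntrack match available, loopback is trusted.

workstation_rules() {
    # Arguments: TCP ports to expose to the outside world, e.g. "22 80".
    # No arguments means nothing inbound is reachable except replies.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    for port in "$@"; do
        # Each opened port is an explicit exception for NEW connections only.
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

count_open_ports() {
    # Reads a generated ruleset on stdin and counts the inbound exceptions,
    # i.e. the ports deliberately opened; grep -c prints 0 and exits 1 on none.
    grep -c -- '--ctstate NEW' || true
}

if [ "${1:-}" = "--show" ]; then
    shift
    workstation_rules "$@"
fi
```

Run with `sh script.sh --show 22` to see the ruleset with SSH opened; anything not listed stays closed to the outside while the workstation's own outbound connections and their replies still work.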