LinuxQuestions.org
Old 11-07-2011, 11:18 PM   #1
yamadataro
AppArmor and Selinux


Hi, I'm a Windows user and aspiring Linux migrant. I've been looking at several distros and reading up on anything I should know, and I came across some security issues. Sorry if this sounds idiotic. :-)

While Linux is far more secure than Windows, years of trauma with viruses and other malware has given me this thing about keeping my PC secure (trauma-induced paranoia?). I'd read up on iptables, AppArmor and Selinux, and from what I was able to grasp (not much, I think, correct me if I'm wrong), the latter two are programs (?) you add on top of the system. The same way you put a firewall on top of a Windows PC. And since I'm not only a Linux newbie but also barely above a newbie in terms of computers in general, I don't think I'd want to have to deal with something advanced like Selinux. From what I know, AppArmor is more user-friendly than Selinux except that it's not recommended for real newcomers like me to tinker with, and anyway, Selinux seems more trouble than it's worth.

But I tried out some Live CDs of Ubuntu and Linux Mint and saw a selinux folder under filesystems. But I heard that Selinux doesn't come pre-installed at least with Linux Mint -- but what is a Selinux folder doing in the filesystems folder if it's not?

Are there more newbie-friendly programs like AppArmor and Selinux?
 
Old 11-07-2011, 11:54 PM   #2
macemoneta
IPtables and mandatory access control (the hooks used by SELinux and AppArmor) are both part of the kernel. The application portions of these facilities are only for interfacing to the kernel functionality.

I've used SELinux since it was introduced by Fedora in 2004. Fedora comes with SELinux installed and active. Under normal circumstances as a user you should never need to interact with SELinux - it's invisible. People that recommend disabling it don't understand it.

IPtables can be configured with a variety of tools. The basic system configuration tool lets you open well known ports with just a click for example.
 
1 members found this post helpful.
Old 11-09-2011, 12:12 AM   #3
yamadataro
Really? Because from the way people talk about Selinux it seems like some monster application that shuts down everything on the system at worst. Which is why as a newbie (to both linux and computers in general) I didn't want to have to deal with it. Imagine my dismay when I thought that Ubuntu has Selinux pre-installed (?). Wait, on that note, so some distros like Linux Mint who don't have Selinux pre-installed (so they say in their forums) but which include a Selinux folder anyway and have something like libselinux installed...it's not selinux itself? Analogy would be, say, drivers that allow hardware to work?

About iptables...how do I know which ports to close?

Last edited by yamadataro; 11-09-2011 at 12:14 AM.
 
Old 11-09-2011, 01:02 AM   #4
macemoneta
Some basic infrastructure is included for SELinux, even if it's not in use so that software can properly function. As far as the firewall (iptables), the distribution should have provided a safe default configuration (closed). You only need to take action if you are going to open ports.

In the early days of SELinux, the desktop policy (targeted) was incomplete. Many people tried it and had problems, and now tell everyone how horrible it is. Historical posts and long memories make for a bad impression. Also, sometimes people use 'expert' methods without fully understanding them, and end up with badly labeled files. This is the worst case scenario with SELinux, and is usually when people throw in the towel. However, the filesystem can be completely relabeled with:

Code:
fixfiles onboot
Just reboot after running that command (as root), and the system will fix any labeling errors. It takes a few minutes, then the system reboots again, and everything is back to normal. It's pretty fool-proof, even if you make a mess of it.
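
The replies above distinguish SELinux support files being present from SELinux actually being in use. As an added example (not part of the original posts), this script reports which of SELinux or AppArmor is active by reading kernel state rather than looking for folders or libraries; the function name `mac_status` and its optional root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Report which mandatory access control system is active, as opposed to
# merely having support files (an empty /selinux folder, libselinux) on disk.
# $1 = filesystem root to inspect (default "/"; hypothetical parameter that
#      lets the check run against a constructed directory tree).
mac_status() {
    root=${1:-}
    root=${root%/}
    enforce=""
    # selinuxfs is mounted at /sys/fs/selinux (older systems: /selinux).
    # When SELinux is not running, the directory exists but is empty.
    for dir in "$root/sys/fs/selinux" "$root/selinux"; do
        if [ -r "$dir/enforce" ]; then
            enforce=$(cat "$dir/enforce")
            break
        fi
    done
    case $enforce in
        1) echo "selinux: enforcing" ;;
        0) echo "selinux: permissive" ;;
        *) echo "selinux: not active" ;;
    esac
    # AppArmor exposes its state as a module parameter ("Y" or "N").
    aa=$(cat "$root/sys/module/apparmor/parameters/enabled" 2>/dev/null) || aa=N
    if [ "$aa" = "Y" ]; then
        echo "apparmor: enabled"
    else
        echo "apparmor: not active"
    fi
}

mac_status "$@"
```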
 
Old 11-10-2011, 01:34 AM   #5
yamadataro
I see. Thanks. :-)
 
Old 11-10-2011, 07:18 AM   #6
salasi
Quote:
Originally Posted by yamadataro
The same way you put a firewall on top of a Windows
A firewall doesn't tend to be just a firewall to Windows users.

Let me explain: because of the way that the market works with proprietary platforms, what people tend to buy as a 'Firewall' tends to be a real firewall, plus all sorts of other bits and pieces that aren't really a firewall, per se. Windows users tend to expect these extra bits and pieces, but a Linux firewall is really just a firewall (plus, maybe, some other networking set-up stuff, but no virus scanner, for example).

Quote:
Originally Posted by yamadataro
I'd read up on iptables, AppArmor and Selinux, and from what I was able to grasp (not much, I think, correct me if I'm wrong), the latter two are programs (?) you add on top of the system.
Iptables is a real firewall system; in effect it is a simple programming language that allows you complete control on what ports are used and the flow of data between ports. Many people find that the 'easy' graphical front ends (Firestarter, GUFW, etc, etc) are easier to get going with and do some of the work for you.

In any case, for most applications, the use of ports is well documented (/etc/services), but some apps are rather more, err, liberal with their use of ports. This is irritating, but, for something like a workstation there is the possibility of allowing anything that the workstation initiates, but disallowing anything from the outside world that isn't a direct response to what the workstation initiates (I'm not suggesting that this is the most secure policy in the world, but used for the known exceptions to the 'allow this port to that service' rule is not wildly insecure...it does not, for example, protect against local applications going wild and doing something undesirable).

AppArmor and SELinux are examples of a different sort of protection, sometimes called application firewalls (which is a bit deceptive, as they aren't all that directly connected with the 'real' firewalls of this world). In essence, these allow you to say 'this application is allowed to use that resource'. So, for example, you might allow your browser to access the internet, but not your word processor. This might be a useful thing to do to protect against some malware being inserted into your wordprocessor and doing all sorts of bad things. (Of course, not having the malware inserted into your Wordprocessor in the first place would be better still, but good security comes in layers.)

In part, how easy these things are to use depends on whether they come with pre-canned profiles that you can use and/or good documentation on how to create the profiles that you need, or whether you have to make your own for everything starting from zero. I'm sure that things have improved since the early days, but as macemoneta comments, in the early days, things were not that great. AppArmor has the reputation of being the easier of the two to work with, but how much that matters if you get all the profiles that you need, and it 'just works' is unclear (to me, anyway).

Quote:
Originally Posted by yamadataro
While Linux is far more secure than Windows, years of trauma with viruses and other malware has given me this thing about keeping my PC secure (trauma-induced paranoia?).
Not doing stupid things (not that I know whether you do or don't do stupid things) is also a worthwhile step. For example, the traditional 'Windows model' where you go round the 'net, and find and install user programs from dubious sources is, well, idiotic. Whatever distro you use, use the package manager to get programs and keep stuff up to date.

I'm pretty sure that if you just think 'Linux is bulletproof, it doesn't matter what I do, or how badly I do it', eventually you will find a way of breaking something, even though it may be rather harder to break than Windows.
 
2 members found this post helpful.
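
The workstation policy described in the post above (allow what the machine initiates, drop anything inbound that is not a reply, plus known per-port exceptions looked up in /etc/services), as an added example that is not part of the original post. The function names `port_of` and `workstation_rules` are assumptions for illustration, and the script only prints a ruleset in iptables-restore format without applying it.

```shell
#!/bin/sh
# Builds an iptables-restore ruleset for the workstation policy described
# above. It only prints text; nothing is applied to the running firewall.

# Look up a service's port in an /etc/services-format file.
# $1 = service name, $2 = tcp|udp, $3 = file (default /etc/services)
port_of() {
    awk -v s="$1" -v p="$2" '
        { sub(/#.*/, "") }                 # strip comments
        $1 == s && $2 ~ ("/" p "$") {      # e.g. "ssh  22/tcp"
            split($2, a, "/"); print a[1]; exit
        }' "${3:-/etc/services}"
}

# $1 = services file; remaining args = "name/proto" exceptions to open.
workstation_rules() {
    services_file=$1; shift
    extra=""
    for spec in "$@"; do
        name=${spec%/*}; proto=${spec#*/}
        port=$(port_of "$name" "$proto" "$services_file") || port=""
        [ -n "$port" ] || { echo "unknown service: $spec" >&2; return 1; }
        extra="${extra}-A INPUT -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${extra}COMMIT
EOF
}

# Demo on a constructed services file (stand-in for the real /etc/services).
sample=$(mktemp)
printf 'ssh\t22/tcp\t# constructed sample entry\n' > "$sample"
workstation_rules "$sample" ssh/tcp
rm -f "$sample"
```

The printed ruleset can be checked for syntax as root with `iptables-restore --test` before it is loaded.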
  

