LinuxQuestions.org, Linux - Security forum: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Good morning. The system is a firewall box with SELinux enabled. For a firewall box, is there a significant advantage to a strict vs. a targeted policy? All local users are 'fully trusted', i.e. they are me. Which policy would be most effective at preventing an external attack?
Quote: For a firewall box, is there a significant advantage to a strict vs. a targeted policy? All local users are 'fully trusted', i.e. they are me.
Building on Macemoneta's comments: the difference between the "targeted" and "strict" policy is that with "strict" everything is subject to the policy, confined to a domain. Nothing runs without rules, which means you have to explicitly allow processes to run. By definition a firewall is a single-purpose appliance, which means no daemons like MTA, DNS and sure as hell no FTP (OK, except your admin SSH on the LAN side or through OOB). If that is your definition too, you would have fewer problems a) closing "regular" loopholes and b) implementing the "strict" policy (because you just don't run a darn thing ;-p).
The "targeted" policy is what you'd call "hard on the outside and chewy on the inside". "Targeted" means that only a set of network-facing daemons run under a restrictive policy. Any processes that don't have a policy and the rest, including root, run in the "unconfined" domain as if SELinux wasn't enabled. If you have a firewall that runs daemons that aren't covered by a policy, only the rules for the "unconfined" domain are in place (about none). If you run daemons that are covered by a policy, a transition to another domain, say "unconfined", should be possible since their policies aren't backed by more restrictions (I'm not that far into SELinux (yet) to provide a good, nasty example).
In short: if the box is a "true" firewall then running "strict" will not pose problems that can't be addressed.
Quote: Which policy would be most effective at preventing an external attack?
Prevention in the first place means host and network hardening.
IMNSHO that should be done before deciding (and regardless of) which policy you are going to run.
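An added check, written for this thread and not part of the reply above, that makes the "unconfined domain" point concrete: it parses `ps -eZ` output and lists every process whose domain starts with `unconfined`, which on a "targeted" box is exactly the set of processes SELinux is not restricting. The process list inside the script is constructed sample input, not a capture from a real box; on a live system pipe `ps -eZ` into the function instead.

```shell
#!/bin/sh
# Added example (not the poster's code): find processes running in an unconfined
# SELinux domain, i.e. the ones a "targeted" policy leaves effectively unprotected.
# Live use:  ps -eZ | unconfined_procs
# The sample below is constructed for offline use, not captured from a real box.

SAMPLE_PS='LABEL                                                   PID TTY          TIME CMD
system_u:system_r:init_t:s0                                1 ?        00:00:01 init
system_u:system_r:sshd_t:s0-s0:c0.c1023                  812 ?        00:00:00 sshd
system_u:system_r:unconfined_service_t:s0                915 ?        00:00:00 fwhelper
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023   1201 pts/0    00:00:00 bash
system_u:system_r:ntpd_t:s0                             1330 ?        00:00:00 ntpd'

# Reads `ps -eZ` lines on stdin (header first) and prints "PID CMD DOMAIN" for every
# process whose domain (the third field of the security context) starts with "unconfined".
unconfined_procs() {
    awk 'NR > 1 {
        split($1, ctx, ":")            # context is user:role:type:level
        domain = ctx[3]
        if (domain ~ /^unconfined/) print $2, $5, domain
    }'
}

# Number of unconfined processes in the input; a box where everything is confined
# (what the "strict" policy aims for) reports 0.
count_unconfined() {
    unconfined_procs | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: reports fwhelper and bash, not sshd/ntpd.
printf '%s\n' "$SAMPLE_PS" | unconfined_procs
```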