LinuxQuestions.org
Old 02-07-2007, 11:34 AM   #1
dansawyer
Member
Registered: Mar 2005
Posts: 124
fc6 selinux - strict vs targeted


All,

Good morning. The system is a firewall box with selinux enabled. For a firewall box is there a significant advantage to a strict vs a targeted policy? All local users are 'fully trusted', ie they are me. Which policy would be most effective at preventing an external attack?

- Dan
Old 02-07-2007, 01:33 PM   #2
macemoneta
Senior Member
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Strict has the higher security, but is more awkward to use. You can read more here.
Old 02-07-2007, 03:59 PM   #3
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Quote:
For a firewall box is there a significant advantage to a strict vs a targeted policy? All local users are 'fully trusted', ie they are me.

Building on Macemoneta's comments: the difference between the "targeted" and "strict" policy is that with "strict" everything is subject to the policy, confined to a domain. Nothing runs without rules, which means you have to explicitly allow processes to run. By definition a firewall is a single-purpose appliance, which means no daemons like MTA, DNS and sure as hell no FTP (OK, except your admin SSH on the LAN side or through OOB). If that is your definition too you would have fewer problems a) closing "regular" loopholes and b) implementing the "strict" policy (because you just don't run a darn thing ;-p).

The "targeted" policy is what you'd call "hard on the outside and chewy on the inside". "Targeted" means that only a set of network-facing daemons run under a restrictive policy. Any processes that don't have a policy and the rest, including root, run in the "unconfined" domain as if SELinux wasn't enabled. If you have a firewall that runs daemons that aren't covered by a policy, only the rules for the "unconfined" domain are in place (about none). If you run daemons that are covered by a policy, a transition to another domain, say "unconfined", should be possible since their policies aren't backed by more restrictions (I'm not that far into SELinux (yet) to provide a good, nasty example).

In short: if the box is a "true" firewall then running "strict" will not pose problems that can't be addressed.


Quote:
Which policy would be most effective at preventing an external attack?
Prevention in the first place means host and network hardening.
IMNSHO that should be done before deciding (and regardless of) which policy you are going to run.
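An added example, not posted by anyone in this thread: a small shell check that turns unSpawn's "chewy on the inside" point into something you can measure on a targeted box. It reads `ps -eZ` output and lists the processes whose SELinux type is unconfined, optionally only daemons (no controlling TTY), which on a firewall are exactly the network-facing services the targeted policy is not covering. The `ps -eZ` lines below are constructed for offline use; the assumption that `unconfined_t` and `initrc_t` are the "unconfined" types for init-started daemons on Fedora/RHEL of that era is mine, so confirm it against your own policy before relying on the list.

```shell
#!/bin/sh
# Added example (not from the thread). Finds processes running outside a
# confining domain under the "targeted" policy, from `ps -eZ` output.
#
# Assumed `ps -eZ` column layout: LABEL PID TTY TIME CMD, where LABEL is
# user:role:type[:level]. Assumed unconfined types: unconfined_t and
# initrc_t (where daemons without their own domain end up when started from
# an init script on FC6/RHEL5-era targeted policy). Verify on your build.

# Constructed sample of `ps -eZ` output for offline testing.
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:kernel_t:s0           1 ?        00:00:01 init
system_u:system_r:syslogd_t:s0        812 ?        00:00:00 syslogd
system_u:system_r:sshd_t:s0           901 ?        00:00:00 sshd
system_u:system_r:unconfined_t:s0    1040 ?        00:00:00 dnsmasq
system_u:system_r:unconfined_t:s0    1102 ?        00:00:00 vsftpd
user_u:system_r:unconfined_t:s0      1311 pts/0    00:00:00 bash'

# unconfined_procs [yes|no]
# Reads `ps -eZ` output on stdin; prints "PID CMD TYPE" for every process
# whose type is unconfined. With "yes", only daemons (TTY "?") are shown.
unconfined_procs() {
    awk -v daemons_only="${1:-no}" 'NR > 1 {
        split($1, ctx, ":")                 # user:role:type[:level]
        type = ctx[3]
        if (type != "unconfined_t" && type != "initrc_t") next
        if (daemons_only == "yes" && $3 != "?") next
        print $2, $NF, type
    }'
}

# count_unconfined [yes|no]: number of matching processes in the sample.
count_unconfined() {
    printf '%s\n' "$SAMPLE_PS" | unconfined_procs "${1:-no}" | wc -l | tr -d ' '
}

# Demo on the constructed sample. On a live box, replace the printf with:
#   ps -eZ | unconfined_procs yes
printf '%s\n' "$SAMPLE_PS" | unconfined_procs yes
```

On the sample, the daemon-only run reports `dnsmasq` and `vsftpd`: both are reachable from the network and both run with no SELinux rules at all, which is the gap unSpawn describes. Under "strict" the same two would either have a domain or not start, and a "true" firewall would not be running either of them in the first place.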