SELinux

ddaas · 04-19-2005, 08:43 AM

What do you think about SELinux?
Does it really mean a big increase in term of security?
I would like to upgrade from rhel3 to rhel4 and I don't know if SELinux represents a big deal concerning security or it only creates the sensation of security. What do you think?

ddaas

Capt_Caveman · 04-19-2005, 03:11 PM

The default SELinux config in Fedora (and AFAIK in RHL4) is really only a partial implementation of the original SELinux architecture. Currently only a certain number of daemons are using SELinux with a "targeted security policy". Overtime I imagine we'll see a more system-wide implementation. Right now it act as a nice additional layer of security, but I would certainly still advise hardening your system with measures outside of SELinux (I don't ever see it as a total replacement). It will be interesting to see if the LSM module and the kernel hooks themselves become targets in the next step of the "arms race". Along those lines, I'd recommend reading the brief commentary on LSM at the grsecurity site for an alternate perspective.

ddaas · 04-20-2005, 04:32 AM

I've read about LSM at grsecurity and they don't consider it good.
What do you think? Are they right?
Which do you think is better grsecurity or selinux?

I was a litle bit impressed about

Quote:

Demo Systems
One of the best ways to observe the high level of security possible by using SELinux is to visit one of the SELinux demonstration systems provided for public use. Using an SSH client, you can remotely log into a demonstration system as the root user and try to hack your way to escalated privileges. Most likely, you'll completely fail.

One such system is the demonstration system hosted by Gentoo's Hardened Project, described at http://selinux.dev.gentoo.org. Another demonstration system, a Fedora Core system administered by Russell Coker, is described at http://www.coker.com.au/selinux/play.html. Finally, a demonstration system running Debian is described at http://selinux.simplyaquatics.com.

you could log in as root and try to crack the SELinux based Server. That's nice

If no one did it untill now that means that SELinux is real good. But as you say:

Quote:

It will be interesting to see if the LSM module and the kernel hooks themselves become targets in the next step of the "arms race".