* [gentoo-user] NSA SELinux kernel support
@ 2015-01-01 17:01 Alexander Kapshuk
2015-01-01 17:25 ` Alec Ten Harmsel
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: Alexander Kapshuk @ 2015-01-01 17:01 UTC
To: gentoo-user
I was wondering if there was any harm in disabling the NSA SELinux support
in my gentoo-sources based kernel.
The kernel config help for the NSA SELinux options suggests that having
them enabled is optional.
If I understand it correctly, having these options on in the kernel config
alone does not imply that my system is using NSA SELinux. According to
http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch of other things
need to be taken care of to have SELinux on.
Is SELinux something that the folk here would recommend using on a
personal, rather than a production system? Or would you recommend using
something else, if anything at all?
Thanks.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [gentoo-user] NSA SELinux kernel support
From: Alec Ten Harmsel @ 2015-01-01 17:25 UTC
To: gentoo-user
Context for my replies - I only use Gentoo in a personal setting.
On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> I was wondering if there was any harm in disabling the NSA SELinux
> support in my gentoo-sources based kernel.
I've never had SELinux enabled in my Gentoo kernels.
>
> The kernel config help for the NSA SELinux options suggests that
> having them enabled is optional.
Yup, totally is.
>
> If I understand it correctly, having these options on in the kernel
> config alone does not imply that my system is using NSA SELinux.
> According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> of other things need to be taken care of to have SELinux on.
That's correct - I don't know what software/config one needs, but
SELinux is enabled/disabled/configured in userspace.
>
> Is SELinux something that the folk here would recommend using on a
> personal, rather than a production system? Or would you recommend
> using something else, if anything at all?
>
> Thanks.
>
I would recommend using nothing. From what little I understand about
security-related stuff, SELinux constrains the resources available to
programs (sockets, files, etc.) so vulnerabilities in various server
programs don't lead to an entire system being compromised.
SELinux is the only one I've had a bit of experience with - I run CentOS
(SELinux is enabled by default) for some personal-use-only services that
I want to run without dealing with Gentoo. My first step in a CentOS
install is to disable SELinux (and the firewall, hehe) to avoid dealing
with the pain of wading through documentation for hours on end.
The one use case that seems pretty interesting for personal use is
something I know for sure Ubuntu does - an AppArmor profile for all of
the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of
the same things as SELinux, and the browser profiles guard against rogue
JavaScript from doing bad things.
If I got anything wrong security-wise, I'm sorry, and hopefully someone
corrects it quickly.
Hope this helps,
Alec
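Alec's answer above (the kernel option alone does not put SELinux to work; userspace has to set it up) can be checked on a running box rather than inferred from the config. The shell function below is an added example, not from this thread or from Gentoo's documentation. It takes the kernel config file and the selinuxfs directory as arguments so it can be run against copies, and reports one of four states whose names are this example's own: not compiled in, compiled but idle (selinuxfs never came up, so nothing was activated), permissive, or enforcing. The live paths it defaults to are /boot/config-<release>, /proc/config.gz where the kernel exposes it, and /sys/fs/selinux. One caveat, stated as an assumption in the code: a mounted selinuxfs does not by itself prove a policy was loaded; `sestatus` from policycoreutils is the tool that reports that.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo).
# Reports how far SELinux is actually in use on a system, in three steps:
#   1. is CONFIG_SECURITY_SELINUX built into the kernel?
#   2. has selinuxfs come up on this boot (i.e. did userspace activate it)?
#   3. if so, is the kernel enforcing or permissive?
# Both locations are passed as arguments so the function can be run against
# copies or mock directories; the live defaults are used at the bottom.
# The state names printed here are this example's own convention.

selinux_status() {
    config="$1"   # kernel .config (or a dump of /proc/config.gz)
    sefs="$2"     # selinuxfs mount point, normally /sys/fs/selinux

    [ -r "$config" ] || { echo "config-unreadable"; return 0; }

    # Step 1: the option on its own only means the LSM is available.
    if ! grep -q '^CONFIG_SECURITY_SELINUX=y$' "$config"; then
        echo "not-compiled"
        return 0
    fi

    # Step 2: <selinuxfs>/enforce only exists once selinuxfs is mounted,
    # which init/libselinux does when setting SELinux up. A missing or empty
    # directory means the compiled-in support is idle. (Assumption: this
    # check does not confirm that a policy was loaded; `sestatus` does.)
    if [ ! -r "$sefs/enforce" ]; then
        echo "compiled-inactive"
        return 0
    fi

    # Step 3: 1 = enforcing (denials are refused), 0 = permissive (denials
    # are only logged).
    case "$(cat "$sefs/enforce")" in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown" ;;
    esac
}

# When run directly: report on the live system. /proc/config.gz is only
# present when the kernel was built with CONFIG_IKCONFIG_PROC; otherwise
# fall back to the config installed under /boot.
live_config="/boot/config-$(uname -r)"
tmp_config=""
if [ -r /proc/config.gz ]; then
    tmp_config=$(mktemp)
    gzip -dc /proc/config.gz > "$tmp_config"
    live_config="$tmp_config"
fi
echo "live system: $(selinux_status "$live_config" /sys/fs/selinux)"
if [ -n "$tmp_config" ]; then rm -f "$tmp_config"; fi
```

On a Gentoo box that was never set up per the SELinux installation page, this prints compiled-inactive whenever the kernel has CONFIG_SECURITY_SELINUX=y, which is exactly the situation the original question describes: the option is on, and SELinux is doing nothing.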
* Re: [gentoo-user] NSA SELinux kernel support
From: Alexander Kapshuk @ 2015-01-01 18:04 UTC
To: Gentoo mailing list
On Thu, Jan 1, 2015 at 7:25 PM, Alec Ten Harmsel <alec@alectenharmsel.com>
wrote:
> Context for my replies - I only use Gentoo in a personal setting.
>
> On 01/01/2015 12:01 PM, Alexander Kapshuk wrote:
> > I was wondering if there was any harm in disabling the NSA SELinux
> > support in my gentoo-sources based kernel.
>
> I've never had SELinux enabled in my Gentoo kernels.
>
> >
> > The kernel config help for the NSA SELinux options suggests that
> > having them enabled is optional.
>
> Yup, totally is.
>
> >
> > If I understand it correctly, having these options on in the kernel
> > config alone does not imply that my system is using NSA SELinux.
> > According to http://wiki.gentoo.org/wiki/SELinux/Installation, a bunch
> > of other things need to be taken care of to have SELinux on.
>
> That's correct - I don't know what software/config one needs, but
> SELinux is enabled/disabled/configured in userspace.
>
> >
> > Is SELinux something that the folk here would recommend using on a
> > personal, rather than a production system? Or would you recommend
> > using something else, if anything at all?
> >
> > Thanks.
> >
>
> I would recommend using nothing. From what little I understand about
> security-related stuff, SELinux constrains the resources available to
> programs (sockets, files, etc.) so vulnerabilities in various server
> programs don't lead to an entire system being compromised.
>
> SELinux is the only one I've had a bit of experience with - I run CentOS
> (SELinux is enabled by default) for some personal-use-only services that
> I want to run without dealing with Gentoo. My first step in a CentOS
> install is to disable SELinux (and the firewall, hehe) to avoid dealing
> with the pain of wading through documentation for hours on end.
>
> The one use case that seems pretty interesting for personal use is
> something I know for sure Ubuntu does - an AppArmor profile for all of
> the web browsers they ship. AppArmor, if I'm not mistaken, does a lot of
> the same things as SELinux, and the browser profiles guard against rogue
> JavaScript from doing bad things.
>
> If I got anything wrong security-wise, I'm sorry, and hopefully someone
> corrects it quickly.
>
> Hope this helps,
>
> Alec
>
>
Understood. Thanks.
* [gentoo-user] Re: NSA SELinux kernel support
From: James @ 2015-01-01 18:49 UTC
To: gentoo-user
Alexander Kapshuk <alexander.kapshuk <at> gmail.com> writes:
> Is SELinux something that the folk here would recommend using on a
> personal, rather than a production system? Or would you recommend
> using something else, if anything at all?
Difficult questions with no simple answer. SELinux is used in more places
than routine Linux installations. Here is a bit of reading
on SELinux; it is a sub-project of the Hardened project here at Gentoo and
it is very robust, but time consuming.
hth,
James
http://wiki.gentoo.org/wiki/SELinux
http://wiki.gentoo.org/wiki/Project:Hardened
https://source.android.com/devices/tech/security/selinux/index.html
http://www.all-things-android.com/content/selinux-android-and-samsung-knox
* Re: [gentoo-user] Re: NSA SELinux kernel support
From: Alexander Kapshuk @ 2015-01-01 18:57 UTC
To: Gentoo mailing list
On Thu, Jan 1, 2015 at 8:49 PM, James <wireless@tampabay.rr.com> wrote:
> Alexander Kapshuk <alexander.kapshuk <at> gmail.com> writes:
>
>
> > Is SELinux something that the folk here would recommend using on a
> > personal, rather than a production system? Or would you recommend
> > using something else, if anything at all?
>
> Difficult questions with no simple answer. SELinux is used in more places
> than routine Linux installations. Here is a bit of reading
> on SELinux; it is a sub-project of the Hardened project here at Gentoo and
> it is very robust, but time consuming.
>
>
> hth,
> James
>
> http://wiki.gentoo.org/wiki/SELinux
>
> http://wiki.gentoo.org/wiki/Project:Hardened
>
> https://source.android.com/devices/tech/security/selinux/index.html
>
> http://www.all-things-android.com/content/selinux-android-and-samsung-knox
>
>
>
Thanks for the pointers.
* Re: [gentoo-user] NSA SELinux kernel support
From: Marc Stürmer @ 2015-01-02 8:03 UTC
To: gentoo-user
On 01.01.2015 at 18:01, Alexander Kapshuk wrote:
> I was wondering if there was any harm in disabling the NSA SELinux
> support in my gentoo-sources based kernel.
It depends on your usage case (desktop or server) and grade of personal
paranoia.
I know a few administrators who think that enabling SELinux or similar
stuff (e.g. AppArmor) should today be mandatory when installing
servers on the internet.
Then again your mileage may vary.
* Re: [gentoo-user] NSA SELinux kernel support
From: Alexander Kapshuk @ 2015-01-02 12:40 UTC
To: Gentoo mailing list
On Fri, Jan 2, 2015 at 10:03 AM, Marc Stürmer <mail@marc-stuermer.de> wrote:
> On 01.01.2015 at 18:01, Alexander Kapshuk wrote:
>
>> I was wondering if there was any harm in disabling the NSA SELinux
>> support in my gentoo-sources based kernel.
>>
>
> It depends on your usage case (desktop or server) and grade of personal
> paranoia.
>
> I know a few administrators who think that enabling SELinux or similar
> stuff (e.g. AppArmor) should today be mandatory when installing servers
> on the internet.
>
> Then again your mileage may vary.
>
>
Thanks for your input.
* Re: [gentoo-user] NSA SELinux kernel support
From: Sid S @ 2015-01-04 14:47 UTC
To: gentoo-user
> I was wondering if there was any harm in disabling the NSA SELinux support
> in my gentoo-sources based kernel.
There is no harm, but if you were interested, a lot of packages come
with policies by default. Currently there is no support for SELinux in
Gentoo for the vast majority of desktop applications. It is a little
bit of work to get anything nonfunctional working. There are
additional modes where you can simply run your user as unconfined and
any services will be restricted by SELinux. grsecurity's RBAC is an
alternative where you simply let it generate a policy based on what it
sees you use.
Notably, Fedora and CentOS enable SELinux by default.
> SELinux is the only one I've had a bit of experience with - I run CentOS
> (SELinux is enabled by default) for some personal-use-only services that
> I want to run without dealing with Gentoo. My first step in a CentOS
> install is to disable SELinux (and the firewall, hehe) to avoid dealing
> with the pain of wading through documentation for hours on end.
http://stopdisablingselinux.com/ - your distribution probably comes
with policies for everything you want to install, anyway...
* Re: [gentoo-user] NSA SELinux kernel support
From: Alec Ten Harmsel @ 2015-01-04 16:37 UTC
To: gentoo-user
On 01/04/2015 09:47 AM, Sid S wrote:
>
>> SELinux is the only one I've had a bit of experience with - I run CentOS
>> (SELinux is enabled by default) for some personal-use-only services that
>> I want to run without dealing with Gentoo. My first step in a CentOS
>> install is to disable SELinux (and the firewall, hehe) to avoid dealing
>> with the pain of wading through documentation for hours on end.
> http://stopdisablingselinux.com/ - your distribution probably comes
> with policies for everything you want to install, anyway...
>
>
>
Thanks for this link - I'll watch that video later this afternoon, I think.
Alec
* Re: [gentoo-user] NSA SELinux kernel support
From: Erik Mackdanz @ 2015-01-04 17:20 UTC
To: gentoo-user
Sid S <r030t1@gmail.com> writes:
> your distribution probably comes
> with policies for everything you want to install, anyway...
...until it doesn't, and then what?
I attempted a full conversion a few months back, and was ready to make
some commitment to getting SELinux to work on my personal laptop. I got
as far as Permissive mode, with a firehose of access violations in the
auditd log. I had written a couple of scrappy policies to authorize a
few small one-off violations, with the help of audit2allow, but the
firehose was still gushing.
I use offlineimap for fetching mail, which doesn't have a policy. Now,
if I ever wanted to switch from Permissive to Enforcing, I was required,
as an absolute SELinux n00b, to write a full policy for a non-trivial
mail application. This is when I turned around.
I could have half-assed it with audit2allow, but security-wise that's a
cop-out.
Inevitably, there will always be some program I want to use with no
existing policy, and I'll constantly have this problem.
I realized that my personal workstation is a place I like to try lots of
software (don't we all like that about Linux?), and SELinux can be a big
wet blanket on the fun at any time.
I'd like to find a middle ground, and it might be Targeted mode (I was
attempting Strict). Or, it might be a different system like AppArmor.
--
Erik Mackdanz
* Re: [gentoo-user] NSA SELinux kernel support
From: Sid S @ 2015-01-06 21:51 UTC
To: gentoo-user
> ...until it doesn't, and then what?
The comment was slightly off-topic and mainly pointed towards his
decision to disable SELinux on a distribution which had enabled it by
default. On Gentoo, if you enable SELinux, see all of the AVCs and
decide to nope right out of there, you are making an informed decision
(by virtue of needing to learn a great deal about SELinux to set it up
in the first place).
> I could have half-assed it with audit2allow, but security-wise that's a
> cop-out.
I'm not sure it's a complete cop-out as long as you read the
suggestions audit2allow is making. The policy you end up with will not
be ideal and will certainly be full of holes, but at least you are
somewhat aware of the risk a given service is to your system.
> I'd like to find a middle ground, and it might be Targeted mode (I was
> attempting Strict). Or, it might be a different system like AppArmor.
Yeah, my ending suggestion was to run in targeted mode (if you wanted
to bother with SELinux at all) but that mainly serves as a workaround
for desktop-oriented stuff. Containers or virtualization are also
options.
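Erik's "firehose" of access violations in permissive mode and Sid's point that audit2allow is only defensible if you read what it proposes both come down to the same triage step: group the denials before deciding which ones deserve a rule, which are mislabelled files, and which a service should simply not be doing. The script below is an added example, not from this thread or from any SELinux project. It reads raw audit records on stdin, keeps the AVC ones, and counts denials per command, source type, target type, object class and permission. The sample records embedded in it are constructed in the kernel's AVC log format; the type names in them (user_t, user_home_t, pop_port_t, etc_t) are illustrative, not a claim about what Gentoo's policy would actually report for offlineimap.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): summarise AVC denials
# from an audit log so the "firehose" seen in permissive mode becomes a short
# table to reason about before any policy is written or audit2allow is run.
# Reads audit records on stdin; prints one line per
#   comm / source type / target type / object class / permission
# with the denial count first, most frequent first.

avc_summary() {
    awk '
    # Only AVC records matter; the SYSCALL/PATH records that accompany them
    # carry no security contexts and are skipped.
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; comm = ""
        # Denied permissions appear as "{ read write }".
        if (match($0, /[{] [^}]* [}]/)) {
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        }
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) { continue }
            # Contexts are user:role:type[:level]; policy rules are written
            # against the type, so keep only that component.
            if (kv[1] == "scontext")      { split(kv[2], p, ":"); src = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass")   { cls = kv[2] }
            else if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
        }
        n = split(perms, plist, " ")
        for (j = 1; j <= n; j++) {
            count[comm " " src " " tgt " " cls " " plist[j]]++
        }
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records in the format the kernel AVC writes via auditd;
# the type names (user_t, user_home_t, pop_port_t, etc_t) are illustrative.
SAMPLE_AVC='type=AVC msg=audit(1420153200.101:201): avc:  denied  { read } for  pid=2201 comm="offlineimap" name="config" dev="sda2" ino=1 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1420153200.102:202): avc:  denied  { read write } for  pid=2201 comm="offlineimap" name="lock" dev="sda2" ino=2 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1420153200.103:203): avc:  denied  { name_connect } for  pid=2201 comm="offlineimap" dest=993 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:pop_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1420153200.103:203): arch=c000003e syscall=42 success=yes exit=0 comm="offlineimap"
type=AVC msg=audit(1420153200.104:204): avc:  denied  { read } for  pid=2201 comm="offlineimap" name="passwd" dev="sda2" ino=3 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1'

# Stand-alone run: summarise the sample. On a real box use
#   avc_summary < /var/log/audit/audit.log      or
#   ausearch -m AVC --raw | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

A tall count against a single target type is often a labelling problem (fixed with `restorecon`, no policy change needed) rather than a missing rule, and a denial you cannot explain from this table is exactly the one audit2allow would otherwise turn into an allow rule without comment.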
* Re: [gentoo-user] NSA SELinux kernel support
From: Alec Ten Harmsel @ 2015-01-06 23:31 UTC
To: gentoo-user
On 01/04/2015 09:47 AM, Sid S wrote:
>
>> SELinux is the only one I've had a bit of experience with - I run CentOS
>> (SELinux is enabled by default) for some personal-use-only services that
>> I want to run without dealing with Gentoo. My first step in a CentOS
>> install is to disable SELinux (and the firewall, hehe) to avoid dealing
>> with the pain of wading through documentation for hours on end.
> http://stopdisablingselinux.com/ - your distribution probably comes
> with policies for everything you want to install, anyway...
>
Sid, thanks again. I've just remembered a couple of public-facing servers I
administer that run CentOS and I think it's about time to spend an hour
or two learning SELinux for at least the one that runs Redmine.
Alec
end of thread, other threads:[~2015-01-06 23:31 UTC | newest]