
Author Topic: [EN] Selinux  (Read 3076 times)

Paraquat

  • Guest
[EN] Selinux
« on: 2013/06/24, 02:32:37 »
Hi all.

I'm really into security, and it's one of the reasons why I run Linux (as opposed to Windows, Apple iEverything, etc). To keep my system secure, I do things like turn off Javascript (most of the time), don't install Java, decided to install Gnash instead of Adobe's flash, and so on.

I've become convinced that "mandatory access controls" are a good thing. Selinux is the most well-known example. But few distros have Selinux installed by default (Fedora/Red Hat is the grand exception - kudos to them for that). Ubuntu has AppArmor, but I understand it's relatively lame compared to Selinux. I see there is something similar called Grsecurity, but looks like much work to install (needs specialized kernel). More info about these three MAC systems:

http://www.cyberciti.biz/tips/selinux-vs-apparmor-vs-grsecurity.html

After looking over the possibilities, Selinux seemed like the best bet, and it's supposed to be available for Debian. I decided to install it on Siduction. I followed the instructions here:

http://wiki.debian.org/SELinux/Setup

Disaster. After installing the packages, Siduction would no longer boot. Left me with a dead system, forcing me to reinstall from scratch.

I have no idea if this is just a fault with Debian Unstable, or if the Selinux packages are not being maintained and thus have become poisonous to all flavors of Debian. Or maybe I did something wrong? Or maybe I just need a small tweak to my configuration to make it work? Wish I knew the answer.

Anyway, hoping that some of you out there who are far more skilled at Debian development than I am could look into installing Selinux and report back how to do it properly. It would be a big attraction to Siduction if this feature could be enabled easily.

Thanks in advance,
Paraquat

Offline ralul

  • User
  • Posts: 1.814
Selinux
« Reply #1 on: 2013/06/24, 13:04:37 »
Package versions symbolizing release dates in this case indicate selinux got no recent love and might be broken for Debian unstable.

Although you should have booted your selinux-enabled installation in trial mode at first, thus seeing where things go wrong with selinux mandatorily enabled.

Are you aware some desktop applications don't work with selinux? (Chromium's sandboxing)

Problems you might encounter using the distro most active on selinux:
https://admin.fedoraproject.org/pkgdb/acls/bugs/selinux-policy?_csrf_token=47e7f1a545bb810d3256ab8c5f7edbe55c2d25a4
As you can see, it is not easy to implement the most perfect security scheme. There had to be funding from US military institutions to develop this. There are more easy approaches: Apparmor, Tomoyo, Smack

Keep in mind: The most perfect solution does nothing but good feeling if implemented and configured wrongly.

By the way: What intrusion vectors and risks do you want to fight against?
experiencing siduction runs better than my gentoo makes me know I know nothing
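What ralul calls "trial mode" is SELinux permissive mode: the policy is loaded and every violation is written to the audit log as an AVC denial, but nothing is actually blocked, so a system whose files are not yet labelled correctly still boots. The script below is an added example and not code from this thread or from Debian; it assumes a Debian-style /etc/selinux/config and the standard auditd AVC line format, and both the config file and the audit log it works on are constructed samples, so it runs on a machine without SELinux at all. It shows the three things to do before switching to enforcing: read the configured mode, see how kernel parameters override it, and summarise the denials that permissive mode logged.

```shell
#!/bin/sh
# Added example, not code from the thread. "Trial mode" is SELinux permissive
# mode: the policy is loaded and every violation is logged as an AVC denial,
# but nothing is blocked, so a mislabelled system still boots. The config
# file and audit log below are constructed samples (assumed Debian-style
# /etc/selinux/config and auditd AVC format) so this runs without SELinux.

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
CFG="$TMP/config"; LOG="$TMP/audit.log"

cat > "$CFG" <<'EOF'
# constructed copy of /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=default
EOF

cat > "$LOG" <<'EOF'
type=AVC msg=audit(1372000000.123:45): avc:  denied  { read } for  pid=1234 comm="apache2" name="index.html" dev="sda1" ino=567 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1372000000.123:45): arch=c000003e syscall=2 success=no exit=-13 comm="apache2"
type=AVC msg=audit(1372000000.456:46): avc:  denied  { read } for  pid=1234 comm="apache2" name="logo.png" dev="sda1" ino=568 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1372000001.789:47): avc:  denied  { name_connect } for  pid=1234 comm="apache2" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
EOF

# Mode configured in /etc/selinux/config (last uncommented SELINUX= line wins).
selinux_mode_from_config() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Effective mode at boot: kernel parameters override the config file
# (selinux=0 disables, enforcing=0 / enforcing=1 force the mode).
effective_mode() {  # $1 = kernel command line, $2 = config path
    case " $1 " in
        *" selinux=0 "*)   echo disabled;   return ;;
        *" enforcing=0 "*) echo permissive; return ;;
        *" enforcing=1 "*) echo enforcing;  return ;;
    esac
    selinux_mode_from_config "$2"
}

# Switch the config file to permissive for the next boot; prints the new mode.
set_permissive() {
    sed 's/^[[:space:]]*SELINUX=.*/SELINUX=permissive/' "$1" > "$1.new" && mv "$1.new" "$1"
    selinux_mode_from_config "$1"
}

# Summarise AVC denials as "<count> <source type> -> <target type> <class> { perms }",
# most frequent first: this is the list of what enforcing mode would have broken.
summarize_avc() {
    awk '
    /type=AVC/ && /avc:  denied/ {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n[s " -> " t " " c " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }' "$1" | sort -rn
}

echo "configured: $(selinux_mode_from_config "$CFG")"
echo "with enforcing=0 on the cmdline: $(effective_mode "BOOT_IMAGE=/vmlinuz root=/dev/sda1 enforcing=0" "$CFG")"
echo "after set_permissive: $(set_permissive "$CFG")"
echo "denials logged while permissive:"
summarize_avc "$LOG"
```

The recovery path for a machine that no longer boots after enabling SELinux is the same mechanism: add `enforcing=0` (or `selinux=0`) to the kernel command line from the boot loader, which takes precedence over whatever /etc/selinux/config says. On a live system point `summarize_avc` at /var/log/audit/log and `selinux_mode_from_config` at /etc/selinux/config.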

Paraquat

  • Guest
Re: Selinux
« Reply #2 on: 2013/06/24, 15:43:46 »
Quote from: "ralul"
Package versions symbolizing release dates in this case indicate selinux got no recent love and might be broken for Debian unstable.


Thank you for replying, Ralul. Unfortunately, your answer is what I feared most, that Selinux may be broken for Debian Unstable. And I'm not sure if it's any less broken on Stable or Testing - I may give it a try in another partition to find out.

Quote from: "ralul"

Are you aware some Desktop applications don't work with selinux? (chromiums sandboxing)


I was aware that some apps might choke on Selinux, though I didn't know that Chromium specifically had a problem. I would assume that on Fedora (where Selinux is installed by default), the developers would have to adjust their policy to deal with that - else, no Chromium on Fedora. I haven't run Fedora in several years, so I have no idea how well it plays with popular desktop apps (like Chromium).

Quote from: "ralul"

As you can see, it is not easy to implement the most perfect security scheme. There had to be US military institutions funding to develop this. There are more easy approaches: Apparmor, Tomoyo, Smack


I have heard that Selinux is not pleasant to configure, though it's supposed to be very good at swatting intrusions once it has been set up. I would be willing to try other alternatives (i.e. Apparmor) if I was sure they wouldn't cause Siduction to crash and burn (as Selinux did). Have you got any personal experience on Debian with any of the MACs that you suggested?

Quote from: "ralul"

Keep in mind: The most perfect solution does nothing but good feeling if implemented and configured wrongly.


I couldn't agree more. I'm hoping that someone will put together a Selinux package for Debian Unstable that will "just work". That is to say, properly configured by the developers (I'm not capable of configuring Selinux myself).

Quote from: "ralul"

By the way: What intrusion vectors and risks do you want to fight against?


Now that's an interesting question. Lately there have been a number of exploits that have hit Linux servers hard. You've probably heard about Linux/Cdorked.A, a very sophisticated exploit that isn't fully understood yet by security experts:

http://www.ananova.com/watch-out-for-sneaky-linuxcdorked-a/

I don't know if Selinux would block Linux/Cdorked.A, but it seems possible. Certainly seems better than just doing nothing besides hoping you're safe.

Thank you again for your message.

cheers,
Paraquat

Offline ralul

  • User
  • Posts: 1.814
Re: Selinux
« Reply #3 on: 2013/06/24, 16:24:26 »
!!! Don't trust that ananova.com site: They have no clue !!! They advertise a simple web-antivirus that probably provides you a virus !!!

Quote
To keep my system secure, I do things like turn off Javascript (most of the time), don't install Java, decided to install Gnash instead of Adobe's flash, and so on.
I thought you were talking about desktop-user security. But Linux/Cdorked is a webserver virus/intrusion system. If you search for security running a server, YES, do further investigate in the direction of selinux, tomoyo, smack ...

But I am not. As a typical desktop user I want to investigate other tools in the near future: systemd-nspawn

PS: Some recent selinux at Gentoo:
http://packages.gentoo.org/category/sec-policy
Also they provide grsecurity based hardening tools ...

Smon

  • Guest
Re: Selinux
« Reply #4 on: 2013/06/25, 12:44:07 »
Why an extra kernel? SELinux has been integrated into the kernel since 2.6?
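Smon's point is right for SELinux: it was merged into mainline with 2.6.0, so no patched kernel is needed (the "specialized kernel" in the first post is grsecurity, which is an out-of-tree patch set). What a distribution kernel may or may not do is build SELinux in, and make it the LSM that is active at boot rather than another one such as AppArmor. The script below is an added example, not code from this thread or from any distribution; it checks those two things from copies of /boot/config-$(uname -r), /proc/filesystems and the kernel command line. The files it reads are constructed samples (assumed formats of those files), so it runs on any machine; on a live system pass the real paths.

```shell
#!/bin/sh
# Added example, not from the thread. SELinux has been part of the mainline
# kernel since 2.6.0, so the question is not "which patched kernel" but
# "is it built in, and is it the LSM that is active?". Inputs are constructed
# copies of /boot/config-$(uname -r), /proc/filesystems and /proc/cmdline
# (assumed formats) so the checks run on any machine.

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
KCFG="$TMP/config"; PFS="$TMP/filesystems"

cat > "$KCFG" <<'EOF'
# constructed kernel config excerpt: SELinux and AppArmor both built in, DAC default
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
EOF

# constructed copy of /proc/filesystems from a kernel where SELinux initialised
printf 'nodev\tsysfs\nnodev\tproc\nnodev\tselinuxfs\n\text4\n' > "$PFS"

# SELinux compiled in? ($1 = kernel config path)
kernel_has_selinux() { grep -q '^CONFIG_SECURITY_SELINUX=y' "$1"; }

# selinux=0 on the cmdline is honoured only with BOOTPARAM; permissive mode and
# enforcing=0/1 only with DEVELOP (both are Kconfig options of the SELinux module).
selinux_bootparam_supported()  { grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y' "$1"; }
selinux_permissive_supported() { grep -q '^CONFIG_SECURITY_SELINUX_DEVELOP=y' "$1"; }

# Build-time default LSM: newer configs carry a string, older ones a choice symbol.
default_lsm() {
    d=$(sed -n 's/^CONFIG_DEFAULT_SECURITY="\([a-z]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$d" ] || d=$(sed -n 's/^CONFIG_DEFAULT_SECURITY_\([A-Z]*\)=y.*/\1/p' "$1" | head -n 1 | tr 'A-Z' 'a-z')
    echo "${d:-unknown}"
}

# LSM actually selected at boot: security= on the cmdline overrides the default.
active_lsm() {  # $1 = kernel command line, $2 = kernel config path
    for w in $1; do
        case "$w" in security=*) echo "${w#security=}"; return ;; esac
    done
    default_lsm "$2"
}

# selinuxfs registered means the SELinux code initialised in the running kernel.
selinuxfs_registered() { grep -q '[[:space:]]selinuxfs$' "$1"; }

# One-line verdict: absent / built in but not active / active.
selinux_verdict() {  # $1 = cmdline, $2 = kernel config, $3 = /proc/filesystems copy
    kernel_has_selinux "$2" || { echo "absent"; return; }
    lsm=$(active_lsm "$1" "$2")
    [ "$lsm" = selinux ] || { echo "built in, not active (LSM: $lsm)"; return; }
    selinuxfs_registered "$3" && echo "active" || echo "selected but selinuxfs missing"
}

echo "default cmdline:  $(selinux_verdict "BOOT_IMAGE=/vmlinuz root=/dev/sda1" "$KCFG" "$PFS")"
echo "security=selinux: $(selinux_verdict "BOOT_IMAGE=/vmlinuz root=/dev/sda1 security=selinux" "$KCFG" "$PFS")"
```

The constructed config is the case that bites people on a desktop distribution: SELinux is compiled in, but the build-time default LSM is something else, so installing the userland packages does nothing until `security=selinux` is passed on the kernel command line (the bootparam check also tells you whether `selinux=0` will work as an emergency off switch).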