Rant: Configuration Rave: SELinux
glen.turner at aarnet.edu.au
Mon Jan 15 14:22:52 CST 2007
All I want is a gateway to my ADSL connection, with a
private subnet for the switch and a private subnet for
the access point. In the long run I want to run a mail
server. For the moment a bit of file/web serving and
printing is fine.
Fedora Core 6

iptables -- one changed line, which is trashed without warning by the
    if you later use the GUI config tool.

named.conf -- 122 lines, the distributed config file is not secure
    by default and the programs needed for zone signing

dhcpd.conf -- 121 lines. No GUI, most of the file could have been

yum -- three changed config lines and 80 lines of script
    to automatically reboot the machine at 3AM if packages

smb.conf -- 68 lines, GUI did most of it. GUI trashes manual changes :-(

selinux -- four policy changes, all via GUI. Smooth.

httpd.conf -- 40 changed lines. Tried the GUI first, this actually
    trashed the config in a way that would have been
    immediately apparent if the programmer had tested it
    on a clean install (it wrote a second config file and
    the server died oddly after seeing the second Listen

cups.conf -- 15 added lines, done via the nice GUI. Insecure in default

sshd_config -- allows root by default, allows password door knocking
    by default, allows all users to have incoming ssh by
    default, doesn't hash known_hosts to avoid giving
    successful attackers a list of machines to try next.

sysctl.conf -- two changed lines, I want to forward packets and

hosts.[allow|deny] -- 3 added lines, insecure by default, no examples
    for popular use cases.

syslog.conf -- 5 changed lines to radically improve performance

fonts/local.conf -- 5 lines of mystery XML added so that
    /usr/local/share/fonts can be used for fonts
    I bought rather than intermingling these with
    system fonts. A clear case where policy would
    be better than configuration.

/etc/sudoers -- common use case of allowing wheel group to become
    superuser needs configuration. Not clear why since
    FC ships with no users in wheel so this configuration
    would be secure.

limits.conf -- ensure user-initiated processes die if they allocate
    more than 2GB of address space. That's a memory leak
    big enough to swap out all other processes and
    treacles the machine for a few minutes, but it comes
You really have to wonder how much system testing Red Hat do and
how much analysis of use cases they put into the design of their
With FC6, SELinux is finally ready for everyday use.
The major trap is that most daemons can't do I/O with the console.
So you start the init script and it dies with a SELinux message
being issued. Scared by previous happenings you charge off after
SELinux policies. Wrong. It's something simple, the daemon was
trying to tell you what, but SELinux suppressed the message and
logged that it had done so.
The other trick is that if you want to share content between
server daemons (say Apache, Samba, rsync, FTP) then you need
policy flags that allow the daemons to read "public content"
files and to set the "public content" context on the content.
That takes much longer to write than to do.
But the overall feeling I get is that SELinux is now solid and
has enough tools so that you can debug any problems. The "deny
then debug" approach to my mind is much more satisfactory than
Windows Vista's approach of asking for permission so often that
you click on OK the one time you should not have.
IPv6. It just works. The OS vendors are all doing a good job
here. Shame about the networking vendors.
Jumbo frames. When I request the Interface MTU option and some
stupid hotel tells you the maximum packet length is 50 bytes long
then how about silently ignoring the stupidity (min IPv4 MTU is 576)
rather than configuring a non-working MTU?
And a final rant, why do all the system performance monitoring
tools suck? All those lines of config above are simply dwarfed
by the configuration of Net-SNMP, RRDtool, etc needed to keep
an eye on it.
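The sshd_config complaints in the post (root login, password authentication and unrestricted users allowed by default, known_hosts not hashed) are easy to check mechanically. The auditor below is an added example, not code from the post or from Fedora; it reads the global section of an OpenSSH config the way sshd_config(5) and ssh_config(5) describe (keywords are case-insensitive, the first value obtained for a keyword wins, keywords after a Match block or a non-"*" Host block apply only conditionally) and reports the four points. HashKnownHosts is a client-side setting, so it is checked in ssh_config rather than sshd_config. The default values assumed for absent keywords are the ones the post describes for FC6; the sample config texts are constructed for the example.

```python
"""Audit OpenSSH server/client configs for the weak defaults the post lists.

Added example, not from the post. Defaults assumed for absent keywords
are the 2007-era ones the post describes (root and password logins on,
known_hosts unhashed).
"""
import re
import sys

SERVER_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}
CLIENT_DEFAULTS = {"hashknownhosts": "no"}

# OpenSSH accepts 'Keyword value', 'Keyword=value' and 'Keyword = value'.
_LINE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")


def parse_ssh_config(text):
    """Return {keyword: first value} for the global section of a config.

    Per sshd_config(5)/ssh_config(5) the first obtained value for a keyword
    is used, so later duplicates are ignored.  Parsing stops at a Match
    block or at a Host block other than 'Host *', because keywords after
    them are conditional, not global.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # keyword with no argument: malformed, skip it
        key, arg = m.group(1).lower(), m.group(2).strip()
        if key == "match" or (key == "host" and arg != "*"):
            break
        if key == "host":
            continue  # 'Host *' applies everywhere; keep reading
        values.setdefault(key, arg)  # first occurrence wins
    return values


def audit_sshd_config(text):
    """Findings for the three server-side points in the post ([] = clean)."""
    cfg = parse_ssh_config(text)
    findings = []
    root = cfg.get("permitrootlogin", SERVER_DEFAULTS["permitrootlogin"]).lower()
    # 'without-password' (later renamed 'prohibit-password') and
    # 'forced-commands-only' still block interactive root logins.
    if root not in ("no", "without-password", "prohibit-password",
                    "forced-commands-only"):
        findings.append("PermitRootLogin: root may log in directly")
    pw = cfg.get("passwordauthentication",
                 SERVER_DEFAULTS["passwordauthentication"]).lower()
    if pw != "no":
        findings.append("PasswordAuthentication: password guessing possible")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("AllowUsers/AllowGroups: every local account may log in")
    return findings


def audit_ssh_client_config(text):
    """Finding for the client-side point in the post ([] = clean)."""
    cfg = parse_ssh_config(text)
    hashed = cfg.get("hashknownhosts", CLIENT_DEFAULTS["hashknownhosts"]).lower()
    return [] if hashed == "yes" else ["HashKnownHosts: known_hosts names every host in clear"]


# Constructed sample configs: a stock-looking file with everything commented
# out, and a hardened one that also shows first-value-wins and a Match block.
STOCK_SSHD_CONFIG = """\
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
# duplicate keyword below is ignored: the first value above wins
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

STOCK_SSH_CONFIG = "Host *\n\tGSSAPIAuthentication yes\n\tForwardX11Trusted yes\n"
HARDENED_SSH_CONFIG = "Host *\n    HashKnownHosts yes\n    PasswordAuthentication no\n"


if __name__ == "__main__":
    # Usage: python audit_ssh.py /etc/ssh/sshd_config /etc/ssh/ssh_config
    for path in sys.argv[1:]:
        with open(path) as f:
            text = f.read()
        audit = audit_ssh_client_config if path.endswith("ssh_config") else audit_sshd_config
        for finding in audit(text) or ["no findings"]:
            print(f"{path}: {finding}")
```

Run against the constructed samples, the stock server config produces all three server findings and the hardened one none, even though it contains a second PermitRootLogin and a Match block that re-enables passwords for one user.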