Rant: Configuration Rave: SELinux

Glen Turner glen.turner at aarnet.edu.au
Mon Jan 15 14:22:52 CST 2007


All I want is a gateway to my ADSL connection, with a
private subnet for the switch and a private subnet for
the access point. In the long run I want to run a mail
server. For the moment a bit of file/web serving and
printing is fine.

Fedora Core 6
   iptables -- one changed line, which is trashed without warning if
               you later use the GUI config tool.
   named.conf -- 122 lines, the distributed config file is not secure
                 by default and the programs needed for zone signing
                 are missing.
   dhcpd.conf -- 121 lines. No GUI, most of the file could have been
                 automatically configured.
   yum - three changed config lines and 80 lines of script
         to automatically reboot the machine at 3AM if packages
         were updated.
   smb.conf -- 68 lines, GUI did most of it. GUI trashes manual changes :-(
   selinux -- four policy changes, all via GUI. Smooth.
   httpd.conf -- 40 changed lines. Tried the GUI first, this actually
                 trashed the config in a way that would have been
                 immediately apparent if the programmer had tested it
                 on a clean install (it wrote a second config file and
                 the server died oddly after seeing the second Listen
   cups.conf -- 15 added lines, done via the nice GUI. Insecure by default
   sshd_config -- allows root by default, allows password door knocking
                  by default, allows all users to have incoming ssh by
                  default, doesn't hash known_hosts to avoid giving
                  successful attackers a list of machines to try next.
   sysctl.conf -- two changed lines, I want to forward packets and
                  overcommit memory
   hosts.[allow|deny]  -- 3 added lines, insecure by default, no examples
                          for popular use cases.
   syslog.conf -- 5 changed lines to radically improve performance
   fonts/local.conf -- 5 lines of mystery XML added so that
                       /usr/local/share/fonts can be used for fonts
                       I bought rather than intermingling these with
                       system fonts.  A clear case where policy would
                       be better than configuration.
   /etc/sudoers -- common use case of allowing wheel group to become
                   superuser needs configuration. Not clear why since
                   FC ships with no users in wheel so this configuration
                   would be secure.
   limits.conf -- ensure user-initiated processes die if they allocate
                  more than 2GB of address space. That's a memory leak
                  big enough to swap out all other processes and
                  treacles the machine for a few minutes, but it comes
                  back fine.
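The sshd_config complaints in the list above (root login allowed, password authentication allowed, every local account allowed in) can be checked mechanically. The following is an added example, not something from the original post: a POSIX shell audit run over two constructed sshd_config fragments, one mirroring those defaults (directives commented out, so the compiled-in defaults apply, which is how the stock file is laid out) and one hardened counterpart. It honours sshd's rule that the first uncommented occurrence of a directive wins. The known_hosts hashing point is a client-side ssh_config option (HashKnownHosts), so it is outside what an sshd_config audit can see.

```shell
#!/bin/sh
# Constructed sshd_config fragments (not copied from any distribution).
# DEFAULT_SSHD leaves the risky directives commented out, so the compiled-in
# defaults apply; HARDENED_SSHD sets each of them explicitly.
DEFAULT_SSHD='#PermitRootLogin yes
#PasswordAuthentication yes
Protocol 2
Subsystem sftp /usr/libexec/openssh/sftp-server'

HARDENED_SSHD='Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
Subsystem sftp /usr/libexec/openssh/sftp-server'

# Effective value of one directive ($1) under sshd semantics: the first
# uncommented occurrence wins; if there is none, the compiled-in default
# ($2) applies. Config text is read from stdin.
sshd_effective() {
    awk -v key="$1" -v def="$2" '
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
        END { if (!found) print def }'
}

# Audit an sshd_config read from stdin. Prints a space-separated list of
# findings (root-login, password-auth, all-users), or "ok" when none apply.
audit_sshd_config() {
    cfg=$(cat)
    findings=""
    [ "$(printf '%s\n' "$cfg" | sshd_effective PermitRootLogin yes)" = "no" ] \
        || findings="$findings root-login"
    [ "$(printf '%s\n' "$cfg" | sshd_effective PasswordAuthentication yes)" = "no" ] \
        || findings="$findings password-auth"
    # With neither AllowUsers nor AllowGroups, every local account may log in.
    allowed="$(printf '%s\n' "$cfg" | sshd_effective AllowUsers "")"
    allowed="$allowed$(printf '%s\n' "$cfg" | sshd_effective AllowGroups "")"
    [ -n "$allowed" ] || findings="$findings all-users"
    findings=${findings# }
    printf '%s\n' "${findings:-ok}"
}

# Stand-alone run over both constructed fragments.
printf 'default:  %s\n' "$(printf '%s\n' "$DEFAULT_SSHD" | audit_sshd_config)"
printf 'hardened: %s\n' "$(printf '%s\n' "$HARDENED_SSHD" | audit_sshd_config)"
```

On a real box pipe the installed file in (`audit_sshd_config < /etc/ssh/sshd_config`); a directive set inside a Match block is treated here like a global one, so read the output against the file if you use Match.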

You really have to wonder how much system testing Red Hat do and
how much analysis of use cases they put into the design of their
GUI tools.


With FC6 SELinux is finally ready for everyday use.

The major trap is that most daemons can't do I/O with the console.
So you start the init script and it dies with a SELinux message
being issued. Scared by previous happenings you charge off after
SELinux policies. Wrong. It's something simple, the daemon was
trying to tell you what, but SELinux suppressed the message and
logged that it had done so.
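The trap described above leaves a recognisable trace in the audit log: an AVC denial whose target is a terminal device (devpts_t, tty_device_t or console_device_t, class chr_file) means the daemon was only trying to print its real complaint to the console, and the cause is in the daemon's own log rather than in the policy. The following is an added example, not from the original post, that tells those denials apart from genuine policy denials. It runs over two constructed AVC records in the audit-daemon format of the period; the field layout is assumed from that format, and the context strings are made up for the example.

```shell
#!/bin/sh
# Constructed AVC records (not from any real system). The first is a daemon
# denied read/write on its controlling terminal, the second a real policy
# denial on a content file shared with another daemon.
SAMPLE_AVC='type=AVC msg=audit(1168894972.123:45): avc:  denied  { read write } for  pid=2345 comm="named" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:named_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1168894980.456:46): avc:  denied  { getattr } for  pid=2401 comm="httpd" path="/srv/share/index.html" dev=sda3 ino=9911 scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:samba_share_t:s0 tclass=file'

# Read AVC records on stdin and print one line per denial:
#   "<verdict> <comm> <target type>"
# verdict is console-io when the denied object is a terminal device (the
# daemon was trying to report an error to the tty that started it) and
# policy otherwise (a file/socket/etc. the daemon genuinely needs access to).
classify_avc() {
    awk '
    /avc: *denied/ {
        comm = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            if ($i ~ /^tcontext=/) { split($i, p, ":"); ttype = p[3] }
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        if (tclass == "chr_file" && ttype ~ /^(devpts_t|tty_device_t|console_device_t)$/)
            print "console-io " comm " " ttype
        else
            print "policy " comm " " ttype
    }'
}

# Wrapper that classifies the constructed sample.
classify_sample() {
    printf '%s\n' "$SAMPLE_AVC" | classify_avc
}

classify_sample
```

Feed it the real log (`classify_avc < /var/log/audit/audit.log`, or the output of `ausearch -m avc`): a run of console-io lines for one daemon says to start with that daemon's own log file before touching any policy.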

The other trick is that if you want to share content between
server daemons (say Apache, Samba, rsync, FTP) then you need
policy flags that allow the daemons to read "public context"
files and to set the "public content" context on the content.
That takes much longer to write than to do.

But the overall feeling I get is that SELinux is now solid and
has enough tools so that you can debug any problems.  The "deny
then debug" approach to my mind is much more satisfactory than
Windows Vista's approach of asking for permission so often that
you click on OK the one time you should not have.


IPv6. It just works.  The OS vendors are all doing a good job
here.  Shame about the networking vendors.


Jumbo frames. When I request the Interface MTU option and some
stupid hotel tells you the maximum packet length is 50 bytes long
then how about silently ignoring the stupidity (min IPv4 MTU is 576)
rather than configuring a non-working MTU?


And a final rant, why do all the system performance monitoring
tools suck?  All those lines of config above are simply dwarfed
by the configuration of Net-SNMP, RRDtool, etc needed to keep
an eye on it.

More information about the linuxsa mailing list