Rant: Configuration Rave: SELinux
Haarsma, Michael (SAPOL)
michael.haarsma at police.sa.gov.au
Tue Jan 16 00:24:48 CST 2007
Red Hat's recommendation to me long ago, was use Console commands, or
GUI commands, never both. Based on your findings and my usage, over the
years that little tip still holds strong - the 2 still don't play ball.
> -----Original Message-----
> From: linuxsa-bounces at linuxsa.org.au
> [mailto:linuxsa-bounces at linuxsa.org.au] On Behalf Of Glen Turner
> Sent: Tuesday, 16 January 2007 12:31 AM
> To: linuxsa at linuxsa.org.au
> Subject: Rant: Configuration Rave: SELinux
> All I want is a gateway to my ADSL connection, with a
> private subnet for the switch and a private subnet for
> the access point. In the long run I want to run a mail
> server. For the moment a bit of file/web serving and
> printing is fine.
> Fedora Core 6
> iptables -- one changed line, which is trashed without
> warning by the
> if you later use the GUI config tool.
> named.conf -- 122 lines, the distributed config file is not secure
> by default and the programs needed for zone signing
> are missing.
> dhcpd.conf -- 121 lines. No GUI, most of the file could have been
> automatically configured.
> yum - three changed config lines and 80 lines of script
> to automatically reboot the machine at 3AM if packages
> were updated.
> smb.conf -- 68 lines, GUI did most of it. GUI trashes
> manual changes :-(
> selinux -- four policy changes, all via GUI. Smooth.
> httpd.conf -- 40 changed lines. Tried the GUI first, this actually
> trashed the config in a way that would have been
> immediately apparent if the programmer had tested it
> on a clean install (it wrote a second config file and
> the server died oddly after seeing the second Listen
> cups.conf -- 15 added lines, done via the nice GUI.
> Insecure in default
> sshd_config -- allows root by default, allows password
> door knocking
> by default, allows all users to have incoming ssh by
> default, doesn't hash known_hosts to avoid giving
> successful attackers a list of machines to try next.
> sysctl.conf -- two changed lines, I want to forward packets and
> overcommit memory
> hosts.[allow|deny] -- 3 added lines, insecure by default,
> no examples
> for popular use cases.
> syslog.conf -- 5 changed lines to radically improve performance
> fonts/local.conf -- 5 lines of mystery XML added so that
> /usr/local/share/fonts can be used for fonts
> I bought rather than intermingling these with
> system fonts. A clear case where policy would
> be better than configuration.
> /etc/sudoers -- common use case of allowing wheel group to become
> superuser needs configuration. Not clear why since
> FC ships with no users in wheel so this
> would be secure.
> limits.conf -- ensure user-initiated processes die if they allocate
> more than 2GB of address space. That's a memory leak
> big enough to swap out all other processes and
> treacles the machine for a few minutes, but it comes
> back fine.
> You really have to wonder how much system testing Red Hat do
> and how much analysis of use cases they put into the design
> of their GUI tools.
> With FC6 SELinux is finally ready for everyday use.
> The major trap is that most daemons can't do I/O with the
> console. So you start the init script and it dies with a
> SELinux message being issued. Scared by previous happenings
> you charge off after SELinux policies. Wrong. It's something
> simple, the deamon was trying to tell you what, but SELinux
> suppressed the message and logged that it had done so.
> The other trick is that if you want to share content between
> server daemons (say Apache, Samba, rsync, FTP) then you need
> policy flags that allow the daemons to read "public context"
> files and to set the "public content" context on the content.
> That takes much longer to write than to do.
> But the overall feeling I get is that SELinux is now solid
> and has enough tools so that you can debug any problems. The
> "deny then debug" approach to my mind is much more
> satisfactory than Windows Vista's approach of asking for
> permission so often that you click on OK the one time you
> should not have.
> IPv6. It just works. The OS vendors are all doing a good job
> here. Shame about the networking vendors.
> Jumbo frames. When I request the Interface MTU option and
> some stupid hotel tells you the maximum packet length is 50
> bytes long then how about silently ignoring the stupidity
> (min IPv4 MTU is 576) rather than configuring a non-working MTU?
> And a final rant, why do all the system performance
> monitoring tools suck? All those lines of config above are
> simply dwarfed by the configuration of Net-SNMP, RRDtool, etc
> needed to keep an eye on it.
> LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on
> irc.freenode.net To unsubscribe or change your options:
More information about the linuxsa