Wednesday, August 19, 2009

Feeling insecure - thoughts on SELinux

I've decided to run Fedora on my main desktop and enable other distros via virtualization. Yes, too many good solutions to ignore and I paid for the hardware. Anyway, this is not an entry about virtualization, but on SELinux. Fedora enables SELinux by default and I was left to live with the consequences. To try and make sure I get the same five star security on my desktop that enterprise applications get, I decided not to add selinux=0 to the boot command prompt.

I thought I could learn it, wouldn't I be an inferior being if I could not? What does it say about my go-getter attitude? My first encounter with SELinux was when I tried to get ~user/public_html enabled via the Apache Web Server. After I had followed the documentation, I still could not get a seemingly easy feature to work. I dig the web and without knowing too much, I learn about a certain context httpd_user_context_t and use a certain tool and it worked!!!

I had a grin on my face for a few days, I was going to be able to work with SELinux. My next surprise came when I tried to install some software and setroubleshootd very gently pointed me to the cause of the security violation while installing the software and what I could do to fix it (gee, an automated tool, no more worries). My next encouter occurred when I tried to install mediawiki with math enabled (yeah.. I decided to save paper and take notes on the wiki with TeX enabled, but that is a different story). Again, no matter how well I followed the guidelines, I could not get texvc to work :(

Remember to look at /var/log/audit files as root and run audit2allow to get some useful hints with SELinux. SELinux comes with a set of rich GUI tools, be sure to use them as you walk through the seemingly friendly maze of SELinux
I found some help on the mediawiki site that gave me instructions on how to setup SELinux and mediawiki together. To my surprise, I found quite a few software vendors providing additional instructions for setup when SELinux is enabled.

The feeling of being miserable at SELinux set in, I had to now read up and understand the architecture or forgo my new found security infrastructure. Today, I came across a very interesting web page (the wikipedia entry for SELinux),

“...given the threat models and capabilities of the adversaries involved, that's probably appropriate... But that’s not necessarily appropriate for all users. SELINUX is so horrible to use, that after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux.” — Theodore Ts’o
You can only imagine how relieved I was to see this quote
Life is too short for SELinux
I was not alone, others hated it and found it hard to use as well. How pathetic can such happiness be, but I was overjoyed, excited to say the least.

My path forward is to continue to use SELinux, but be less tolerant of its idiosyncrasies. I am working my way through the documentation, but very slowly. I've learnt that my new best friend is "Z". Add "Z" to existing commands in Fedora and magically it shows SELinux information that can be a life saviour at times.
Post a Comment