The annoyance of SELinux is one of the main reasons I avoid using RHEL-based systems whenever possible.
Announcement
Collapse
No announcement yet.
The Performance Cost To SELinux On Fedora 31
Collapse
X
-
Originally posted by pgoetz View Post
I've never gotten a cogent explanation or example of how SELinux provides any substantial security benefits on a modern linux system. And if you're implementing anything which is complicated and not mainstream the very first instruction is always turn SELinux off.
sshd runs as root, it has to for two major reasons, to access the .ssh directory of users homes (for private keys) and to spawn a process as a user on successful authentication. This gives sshd a large amount of power that if exploited, would give an attacker almost unlimited access on the system.
SELinux comes to the rescue here, sshd gets given an selinux tag as does the .ssh directories in home folders, this means SELinux can prevent sshd from accessing files other than the ones it's been tagged with being able to access, even though it's running as root.
There is some overlap though with systemd sandboxing and containers so the use case for SELinux is less than it used to be. But you should never turn SELinux off, set it to permissive mode and fix your policies.
- Likes 3
Comment
-
Originally posted by Britoid View PostBut you should never turn SELinux off, set it to permissive mode and fix your policies.
Comment
-
Originally posted by Spooktra View Post
LOL!!! Permissive mode is a placebo, all it does is set SELinux to run and log but it doesn't actually enforce anything, a system running in permissive mode is not being protected by SELinux at all.
- Likes 4
Comment
-
Originally posted by Britoid View PostSELinux comes to the rescue here, sshd gets given an selinux tag as does the .ssh directories in home folders, this means SELinux can prevent sshd from accessing files other than the ones it's been tagged with being able to access, even though it's running as root.
The arguments for SELinux always sound superficially convincing until you dig into the functional consequences of what is being protected against. I had a coworker explain that SELinux constrained web server access to user's .public_html directories. Now that the 90's are over, who's still using .public_html directories?
- Likes 1
Comment
-
Originally posted by pgoetz View Post
Thanks for engaging, but how could sshd be compromised without someone gaining root on your system, at which point anything is possible? And if not that, once you can get into people's .ssh directories their accounts almost certainly are compromised, allowing direct logins where, again, quite a bit becomes possible.
But that's the point: you don't know what vulnerability will be discovered next. Multiple layers of security help prevent breaches even when a new 0-day or other vulnerability is discovered.
- Likes 4
Comment
-
Originally posted by pgoetz View PostThe annoyance of SELinux is one of the main reasons I avoid using RHEL-based systems whenever possible.
Fedora got its SELinux policies updated and frequently tested which greatly benefit desktop users.
The best practice is to use what the system provided to you. By the way, Android phone uses a variant called SE for Android.
- Likes 3
Comment
Comment