Chris's Wiki :: blog/linux/SELinuxProgramBoundaries Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/SELinuxProgramBoundaries?atomcomments
DWiki, updated 2014-07-23T20:06:57Z
Recent comments in Chris's Wiki :: blog/linux/SELinuxProgramBoundaries.

By Zev Weiss on /blog/linux/SELinuxProgramBoundaries (2014-07-23T20:06:57Z)
<div class="wikitext"><p>While for the most part I'd agree, there do exist <em>some</em> things SELinux does that are "intra-process" (if you will), such as the execstack/execmem restrictions.</p>
</div>

By Ewen McNeill on /blog/linux/SELinuxProgramBoundaries (2014-07-23T06:33:49Z)
<div class="wikitext"><p>It seems to me there's a reasonable analogy with "firewalls only act at network boundaries": the result of the near-ubiquitous deployment of system/enterprise firewalls is that systems mostly get compromised by means other than unexpected connections from the Internet (e.g., application vulnerabilities -- including things like Heartbleed).</p>
<p>Yet at this point I think few would argue that packet filtering is not a good idea. (There are some who very vigorously argue that <em>stateful</em> firewalls are not a good idea, with considerable merit in some situations -- state exhaustion is a real thing. But IME even they are generally in favour of stateless packet filters.) It doesn't solve everything, but it does reduce the attack surface (at least from the "outside" -- crunchy outside, and soft chewy centre :-) ).</p>
<p>Ultimately I <em>want</em> to like technology like SELinux, and I do try to leave it (or AppArmor, etc.) enabled on systems unless it becomes infeasible to persuade it to let legitimate users do legitimate things. But I do wish it wasn't seen as a cure-all (and was even easier to manage...). It will <em>help</em> with some problems (particularly digging further into the system than the toehold). But not everything. I look at it as a "process firewall".</p>
<p>Ewen</p>
<p>PS: See also <a href="http://opensource.com/business/14/7/docker-security-selinux">Docker and SELinux</a> -- unlike what some people apparently believe, root in a Docker environment isn't completely isolated, even with SELinux.</p>
</div>