[Discuss] apache problem

Anderson, Charles R cra at wpi.edu
Wed Jan 9 15:58:38 EST 2019


On Wed, Jan 09, 2019 at 01:55:25PM -0600, Derek Martin wrote:
> On Wed, Jan 09, 2019 at 07:20:29PM +0000, Anderson, Charles R wrote:
> > It can harden a system against attack from without for example by
> > preventing sockets from being bound, similar to iptables.
> 
> It cannot do this on a system that is running public services--the
> sockets for such are necessarily bound.  If a machine is not running
> services, then, barring kernel bugs in the network stack itself, it
> will not have vectors of attack that are vulnerable to attack from
> without to begin with.

It can prevent specific applications (process security contexts) from
binding to specific sockets/ports, either for inbound or outbound
connections.  External firewalls cannot do that to my knowledge.

> In most cases, careful privilege separation and file permissions get
> you the bulk of what you need; staying patched gets you the rest.  If
> you can't manage that much, how will you ever figure out what SELinux
> policies you need?

Well, SELinux can be part of a privilege separation strategy.  If for
example, someone managed to break in through Apache and then get a
root shell somehow, their root shell won't have privileges to do
anything beyond what the Apache policy allows.  They won't be able to
add users, make SSH connections, start a new sshd on a different port,
modify binaries, install software packages, run the compiler, turn off
SELinux, erase logs, etc.

> I'm not saying SELinux has no value. I AM saying that I believe for
> the average home user trying to provide some basic services for their
> home network, or even to run a small Internet site, what it provides
> is much more trouble than it's actually worth, and the needed levels
> of security are more easily provided other ways, most of which you
> were probably already doing anyway.

Okay, I guess.  I just think people overstate the "SELinux trouble"
part, especially with the current distro SELinux configuration.  I
wasn't meaning to use "fear" or "FUD" as an argument tactic--I was
just trying to point out the parallels between newbies' or home users'
acceptance of DAC and past arguments that DAC is "too much trouble to
deal with" vs. current arguments that SELinux MAC is too much trouble.
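The confinement described above (an Apache domain stopped from binding extra ports, making outbound connections, running the compiler or writing logs) shows up in the audit log as AVC denial records. The following is an added example, not code from the thread or from any SELinux project: a small parser that reads auditd-style AVC records, groups them by source domain, and distinguishes denials that were actually enforced (`permissive=0`) from ones that were only logged because the domain was permissive (`permissive=1`). The field names (`scontext`, `tcontext`, `tclass`, `comm`, `permissive`) follow the real auditd record layout; the sample records, their PIDs, inode numbers and timestamps are constructed, and the `CONFINEMENT_CHECKS` grouping is this example's own.

```python
"""Summarise SELinux AVC denials by confined domain.

Added example for the thread above; the audit records below are constructed
(auditd AVC layout, made-up PIDs/inodes/timestamps).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: four enforced denials against httpd_t, one permissive-only
# record, and one unrelated SYSCALL record the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1547064000.101:201): avc:  denied  { name_bind } for  pid=2201 comm="httpd" src=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1547064000.102:202): avc:  denied  { name_connect } for  pid=2202 comm="httpd" dest=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1547064000.103:203): avc:  denied  { execute } for  pid=2203 comm="sh" name="gcc" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547064000.104:204): avc:  denied  { write } for  pid=2204 comm="httpd" name="messages" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547064000.105:205): avc:  denied  { name_bind } for  pid=2205 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1547064000.105:205): arch=c000003e syscall=49 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
"""

# The prefix up to "for" is fixed by auditd; after it comes a run of key=value
# fields whose exact set depends on the object class (socket vs. file ...).
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may be quoted or bare


def _type_of(context: str) -> str:
    """Return the type component (third field) of an SELinux context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    result: str
    perms: Tuple[str, ...]
    fields: Dict[str, str]

    @property
    def enforced(self) -> bool:
        # permissive=1 means the access was logged but allowed through; only
        # permissive=0 records show confinement actually taking effect.
        return self.fields.get("permissive", "0") == "0"

    @property
    def source_domain(self) -> str:
        return _type_of(self.fields.get("scontext", ""))

    @property
    def target_type(self) -> str:
        return _type_of(self.fields.get("tcontext", ""))


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(float(m.group("ts")), int(m.group("serial")),
                     m.group("result"), tuple(m.group("perms").split()), fields)


# Denials that correspond to the behaviours a confined Apache domain is kept from
# (this grouping is the example's own, not an SELinux policy construct).
CONFINEMENT_CHECKS = {
    ("tcp_socket", "name_bind"): "listen on a port type the domain may not bind",
    ("tcp_socket", "name_connect"): "connect out to a restricted port type",
    ("file", "execute"): "run an executable the domain may not execute",
    ("file", "write"): "modify a file type the domain may not write",
}


def describe(rec: AvcRecord) -> List[str]:
    """One human-readable line per denied permission in the record."""
    tclass = rec.fields.get("tclass", "")
    mode = "blocked" if rec.enforced else "LOGGED ONLY (permissive)"
    return [
        f"{rec.source_domain} ({rec.fields.get('comm', '?')}) tried to "
        f"{CONFINEMENT_CHECKS.get((tclass, perm), f'{perm} on {tclass}')} "
        f"[{rec.target_type}]: {mode}"
        for perm in rec.perms
    ]


def analyse(log_text: str) -> Dict[str, object]:
    """Parse a whole audit log and summarise denials by domain and mode."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    enforced = sum(1 for r in records if r.enforced)
    return {
        "records": records,
        "enforced": enforced,
        "permissive": len(records) - enforced,
        "domains": sorted({r.source_domain for r in records}),
        "lines": [s for r in records for s in describe(r)],
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_AUDIT_LOG)
    for text in summary["lines"]:
        print(text)
    print(f"{summary['enforced']} enforced, {summary['permissive']} permissive-only")
```

Run against a real `/var/log/audit/audit.log` the same `analyse()` call gives a per-domain view of what the policy is actually stopping; the permissive flag matters because a domain set permissive with `semanage permissive -a` produces identical-looking "denied" records while the access goes through.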