
Re: SELinux on Squeeze?



On Sat, 31 Dec 2011, Laurentiu Pancescu <lpancescu@googlemail.com> wrote:
> is there any difference between i386 and amd64 as to how much protection
> SELinux is able to provide? Earlier, stuff like NX was only available on
> 64-bit processors; are there still such differences?

There has never been any difference in SE Linux support between those 
architectures AFAIK.

Support for NX etc. is a kernel/hardware issue.  AMD64 hardware is more capable 
in this regard but there are kernel patches to provide similar things for 
i386.  I'm not sure of the status of this in Debian.

> > As for Lenny, I expect if you added appropriate entries to /etc/modules
> > or used audit2allow you would have got it working.
> 
> It didn't occur to me to add anything to /etc/modules, but I did try to
> add the rules suggested by audit2allow. It compiled the policy, I added
> it, but it still didn't work - I probably did something wrong (I had
> only read the wiki page before and skimmed through the Fedora 5 SELinux
> FAQ). I gave up after a day or so, it was my only system and couldn't
> work. I should have read more before jumping in - mea culpa. Is there
> any other documentation about SELinux except the one linked from the
> wiki, your blog and the NSA paper? Do any Debian administration books
> address SELinux?

I am not aware of Debian books covering SE Linux.  But Red Hat has some good 
documentation and most of it will apply to Debian.

> > I can't imagine what the benefit would be in using "official" packages
> > that I created and uploaded to Debian over using "unofficial" packages
> > that I created and couldn't get in a Squeeze update because the changes
> > would be too great or I didn't get time to go through the process of
> > applying for them to be put in an update.
> 
> Well, your post a few hours ago about getting hacked (in taz's thread)
> scared me into thinking that the official packages might be safer... :)
> OTOH, I know you used to have a public SELinux server with root access
> for anyone to try, so I guess it can't be _that_ bad.

http://etbe.coker.com.au/2011/12/31/server-cracked/

I've just written about that at the above URL.  As I note in that post I count 
that as a win for SE Linux.

> I remember first considering SELinux after the hacking of a few Debian
> servers some years ago; the post-mortem analysis mentioned that SELinux
> would have prevented it and recommended enabling it if possible (was it
> Wouter's blog?). I also remember Manoj fought quite hard to get SELinux
> included by default in Debian, but many developers opposed it being
> active by default, like in Fedora. Too bad.

From memory that was an exploit of a race condition involving kernel module 
loading.  The access that triggered the module loading was denied by SE Linux 
and therefore it didn't work.  The attacker could potentially have written an 
exploit that triggered a module load without being stopped by SE Linux, but it 
would have been a little harder and probably wouldn't have worked on as many 
systems.

But generally if you want to prevent random (as opposed to targeted) attacks 
then anything you do to make your system more difficult than the majority will 
do some good.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
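The audit2allow workflow discussed in this thread, as an added example that is not part of the original message or of the audit2allow tool itself: a small Python parser that reads AVC denial records in the format the Linux audit subsystem writes, groups them by source type, target type and object class, and renders the allow rules a tool like audit2allow would propose. It also flags a grouping that should not be allowed just because a tool suggested it, using the module-loading denial the message describes as the case in point. The sample audit lines, the process names and the list of "risky" permissions are constructed for illustration; nothing beyond the Python standard library is assumed.

```python
import re
from collections import defaultdict

# Constructed sample records in the format the kernel audit subsystem writes.
# These are not from any real system; types and classes are standard reference
# policy names, the pids, inodes and timestamps are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1325293201.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1325293201.456:457): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/user/public_html/index.html" dev=sda1 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1325293202.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="style.css" dev=sda1 ino=98766 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1325293203.000:459): avc:  denied  { module_request } for  pid=2001 comm="test-prog" kmod="net-pf-10" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1325293203.000:459): arch=c000003e syscall=41 success=no exit=-13
"""

# One AVC denial record: the permission set in braces, then the source and
# target security contexts and the object class near the end of the line.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

# Assumption for illustration only: permissions that a policy writer should
# not grant just because a denial for them showed up.  The module_request
# denial is the one this thread talks about; a real review would use the
# policy and the program's purpose, not a fixed list.
RISKY_PERMS = {("system", "module_request")}


def parse_avc_denials(log_text):
    """Return one dict per AVC denial record; records of other types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level, so the type is the third field.
        denials.append({
            "perms": m.group("perms").split(),
            "stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials


def summarize_rules(denials):
    """Group denials into (source type, target type, class) -> set of permissions."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return rules


def render_allow_rules(rules):
    """Render grouped denials as allow rules in policy source syntax, sorted for stable output."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines


def flag_risky(rules):
    """Return the rule keys whose permissions include something from RISKY_PERMS."""
    flagged = []
    for key, perms in sorted(rules.items()):
        tclass = key[2]
        if any((tclass, p) in RISKY_PERMS for p in perms):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    rules = summarize_rules(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for line in render_allow_rules(rules):
        print(line)
    for key in flag_risky(rules):
        print("review before allowing:", key)
```

Run as a script it prints two allow rules and a review warning for the module_request grouping. The point of the warning is the one the message makes: the denial that stopped the module-loading exploit would look like any other denial to a tool that only converts audit records into rules, so the output of such a tool is a starting point for review, not a policy to load unread.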
