tags:

views:

3238

answers:

13

I want to know if people here typically disable SELinux on installations where it is on by default? If so can you explain why, what kind of system it was, etc?

I'd like to get as many opinions on this as possible.

A: 

I don't have a lot to contribute here, but since its gone unanswered, I figured I would throw my two cents in.

Personally, I disable it on dev boxes and when I'm dealing with unimportant things. When I am dealing with anything production, or that requires better security, I leave it on and/or spend the time tweaking it to handle things how I need.

Weather or not you use it really comes down to your needs, but it was created for a reason, so consider using it rather than always shut it off.

Scott S.
A: 

SELinux requires user attention and manual permission granting whenever (oh, well) you don't have a permission for something. Many people such find that it gets in the way and turn it off.

In recent version, SELinux is more user friendly, and there are even talks about removing the possibility to turn it off, or hide it so only knowledgeable users would know how to do it - and it is assumed just users are precisely those who understand the consequences.

With SELinux, there's a chicken and egg problem: in order to have it all the time, you as a user need to report problems to developers, so they can improve it. But users don't like to use it until it's improved, and it won't get improved if not many users are using it.

So, it's left ON by default in hope that most people would use it long enough to report at least some problems before they turn it off.

In the end, it's your call: do you look for a short-term fix, or a long-term improvement of the software, which will lead to removing the need to ask such question one day.

Milan Babuškov
+7  A: 

I did, three or four years ago when defined policies had many pitfalls and creating policies was too hard and I had 'no time' to learn. This was on not critical machines, of course.

Nowadays with all the work done to ship distros with sensible policies, and the tools and tutorials that exist which help you create, fix and define policies there's no excuse to disable it.

Vinko Vrsalovic
Phew!! I'm not alone!
Luc M
+1  A: 

I hear it's getting better, but I still disable it. For servers, it doesn't really make any sense unless you're an ISP or large corporation wanting to implement fine-grain access level controls across multiple local users.

Using it on a web server, I had a lot of problems with apache permissions. I'd constantly have to run chcon -R -h -t httpd_sys_content_t /var/www/html to update the ACLs when new files were added. I'm sure this has been solved by now, but still, SELinux is a lot of pain for the limited reward that you get from enabling it on a standard web site deployment.

hoyhoy
limited reward? on an internet facing web site? which world are you living in?
Vinko Vrsalovic
I agree with the "limited reward?" question. selinux has saved my web server from being hacked due to a security bug in a package being used by httpd where selinux prevented the exploit from functioning.
Eddie
+1  A: 

I do not disable it, but there are some problems.

Some applications don't work particularly well with it.

For example, I believe I enabled smartd to try and keep track of my raid disks s.m.a.r.t. status, but selinux would get confused about the new /dev/sda* nodes created at boot (I think that's what the problem was)

You have to download the source to the rules to understand things.

Just check /var/log/messages for the "avc denied" messages and you can decode what is being denied.

google "selinux faq" and you'll find a fedora selinux faq that will tell you how to work through these problems.

mike511
+3  A: 

I worked for a company last year where we were setting it enforcing with the 'targeted' policy enabled on CentOS 5.x systems. It did not interfere with any of the web application code our developers worked on because Apache was in the default policy. It did cause some challenges for software installed from non-Red Hat (or CentOS) packages, but we managed to get around that with the configuration management tool, Puppet.

We used Puppet's template feature to generate our policies. See SELinux Enhancements for Puppet, heading "Future stuff", item "Policy Generation".

Here's some basic steps from the way we implemented this. Note other than the audit2allow, this was all automated.

Generate an SELinux template file for some service named ${name}.

sudo audit2allow -m "${name}" -i /var/log/audit/audit.log > ${name}.te

Create a script, /etc/selinux/local/${name}-setup.sh

SOURCE=/etc/selinux/local
BUILD=/etc/selinux/local

/usr/bin/checkmodule -M -m -o ${BUILD}/${name}.mod ${SOURCE}/${name}.te
/usr/bin/semodule_package -o ${BUILD}/${name}.pp -m ${BUILD}/${name}.mod
/usr/sbin/semodule -i ${BUILD}/${name}.pp

/bin/rm ${BUILD}/${name}.mod ${BUILD}/${name}.pp

That said, most people are better off just disabling SELinux and hardening their system through other commonly accepted consensus based best practices such as The Center for Internet Security's Benchmarks (note they recommend SELinux :-)).

jtimberman
A: 

Under Redhat, you can edit /etc/sysconfig/selinux and set SELINIX=disabled.

I think under all versions of linux you can add selinux=0 noselinux to the boot line in lilo.conf or grub.conf.

Scott
+2  A: 

My company makes a CMS/integration platform product. Many of our clients have legacy 3rd party systems which still have important operative data in them, and most want to go on using these systems because they just work. So we hook our system to pull data out for publishing or reporting etc. through diverse means. Having a ton of client spesific stuff running on each server makes configuring SELinux properly a hard, and consequentially, expensive task.

Many clients initially want the best in security, but when they hear the cost estimate for our integration solution, the words 'SELinux disabled' tend to appear in the project plan pretty fast.

It's a shame, as defense in depth is a good idea. SELinux is never required for security, though, and this seems to be its downfall. When the client asks 'So can you make it secure without SELinux?', what are we supposed to answer? 'Umm... we're not sure'?

We can and we will, but when the hell freezes over, and some new vulnerability is found, and the updates just aren't there in time, and your system is unlucky enough to be the ground zero... SELinux just might save your ass.

But that's a tough sell.

Internet Friend
You mean as in it turns out emacs C-m M-c M-butterfly targets remote machines' hard drives just as well as local ones?
Joshua
+1  A: 

Sadly, I turn SELinux off most of the time too, because a good amount of third-party applications, like Oracle, do not work very well with SELinux turned on and / or are not supported on platforms running SELinux.

Note that Red Hat's own Satellite product requires you to turn off SELinux too, which - again, sadly - says a lot about difficulties people are having running complex applications on SELinux enabled platforms.

Usage tips that may or may not be useful to you: SELinux can be turned on and off at runtime by using setenforce (use getenforce to check current status). restorecon can be helpful in situations where chcon is cumbersome, but ymmv.

wzzrd
A: 

I never disabled selinux, my contractor HAVE to use it. And, if/when, some daemon (with OSS license btw) don't have a security policy it is mandatory to write a (good) one. This is not because i believe that selinux is an invulnerable MAC on Linux - useless to put example - but because it augment much the operating system security anyway. For the web app the OSS security better solution is mod_security : so i use both. Most the problem with selinux are on the little or comprensible docu, although the situation is much improved in recent years.

devzero2000
+2  A: 

Yes. It's brain dead. It can introduce breakage to standard daemons that's nearly impossible to diagnose. It also can close a door, but leave a window open. That is, for some reason on fresh CentOS installs it was blocking smbd from starting from "/etc/init.d/smb". But it didn't block it from starting when invoked as "sh /etc/init.d/smb" or "smbd -D" or from moving the init.d/smb file to another directory, from which it would start smbd just fine.

So whatever it thought it was doing to secure our systems - by breaking them - it wasn't even doing consistently. Consulting some serious CentOS gurus, they don't understand the inconsistencies of its behavior either. It's designed to make you feel secure. But it's a facade of security. It's a substitute for doing the real work of locking your system security down.

whit
A: 

If it's on by default I'll leave it on until it breaks something then off it goes.

Personally I see it as not providing any security and I'm not going to bother with it.

Joshua
A: 

A CENTOS box I had as a development machine had it on and I turned it off. It was stopping some things I was trying to do in testing the web app I was developing. The system was (of course ) behind a firewall which completely blocked access from outside our LAN and had a lot of other security in place, so I felt reasonably secure even with SELinux off.

PTBNL