I love SELinux

So I just love SELinux these days. It’s so easy to use, clearly grandmothers everywhere should be using it to admin their systems.

I used to think SELinux was just a government inspired masturbatory exercise in protecting systems from themselves. Complex policies could be created (where, usually, only a minimal policy protecting actual likely attack vectors would suffice) and hours upon hours could be wasted figuring out the optimal number of possible context types to use on any given system.

Recently, I upgraded some machines to Fedora 9. And as part of that, I decided that I would, for once, run in enforcing mode by default. Rather than just be able to get on with whatever I wanted to do, I decided to protect myself from myself and my own actions. And this has already paid off. For example, tonight, I did the following:

*). Create a new filesystem.
*). Mount on /virt.
*). Just add KVM.

I ran virt-manager to create a new VM in /virt/Rawhide.img, which went ok until virt-manager repeatedly generated unpleasant backtraces. Why was it complaining that it couldn’t open the file it had just created? Then I noticed the AVC denials. My shiny new filesystem had no labels on it, which meant that files were being labelled with the default file_t, etc. A quick diversion into reading SELinux policy, brushing up on a half dozen tools, and it was obvious that all I was missing was the following:

sudo chcon -t virt_image_t /virt/Rawhide.img

All I had needed was a simple change of context to virt_image_t (because all virt images always obviously live in the same place, nobody could ever possibly want to do what I just did) and then a quick restart of virt-manager. I could also have helpfully followed the advice of the AVC tool, rebooted my system and instructed it to relabel. That’s not inconvenient advice at all, that’s just ease of use. Or so friends who’ve spent any time in Redmond, Washington might tell me.
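The hour of trawling through contexts described above can be shortened by reading the AVC denials directly. The following is an added example, not code from the post: it parses constructed audit records shaped like the denials the post mentions, works out which type the file carries versus which type its directory should carry, and prints the fix that survives a relabel (a bare `chcon`, as in the post, does not). The sample records, the process and type names, and the directory-to-type table are assumptions for the example; on a real system `matchpathcon` gives the expected type.

```python
import re

# Constructed sample audit records (assumed for this example, not copied from
# the post); on a real box read /var/log/audit/audit.log or run `ausearch -m avc`.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1213048800.101:42): avc:  denied  { read write } for  pid=4321 comm="qemu-kvm" path="/virt/Rawhide.img" dev=sdb1 ino=12 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1213048800.101:42): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1213048800.205:43): avc:  denied  { getattr } for  pid=4321 comm="qemu-kvm" path="/virt/Rawhide.img" dev=sdb1 ino=12 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1213048800.300:44): avc:  denied  { read } for  pid=999 comm="httpd" path="/var/www/html/index.html" dev=sda2 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# Assumed directory -> type table for the example; the authoritative answer on a
# real system comes from `matchpathcon <path>`.
EXPECTED_TYPES = {"/virt": "virt_image_t", "/var/www": "httpd_sys_content_t"}


def parse_avc(line):
    """Return the useful fields of one AVC denial, or None for other record types."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    stype = fields["scontext"].split(":")[2]   # a context is user:role:type[:level]
    ttype = fields["tcontext"].split(":")[2]
    return {"perms": m.group(1).split(), "comm": fields["comm"].strip('"'),
            "path": fields["path"].strip('"'), "stype": stype, "ttype": ttype,
            "tclass": fields["tclass"]}


def suggest_fixes(audit_text, expected=EXPECTED_TYPES):
    """Map each denied file to its current label, the label its directory should
    carry, and the persistent fix (a file context rule plus a restorecon)."""
    fixes = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None or d["tclass"] != "file":
            continue
        prefix = next((p for p in expected if d["path"].startswith(p + "/")), None)
        if prefix is None or d["ttype"] == expected[prefix]:
            continue   # unknown tree, or label already right: not a labelling problem
        fixes[d["path"]] = {
            "domain": d["stype"], "current": d["ttype"], "wanted": expected[prefix],
            "commands": [f"semanage fcontext -a -t {expected[prefix]} '{prefix}(/.*)?'",
                         f"restorecon -Rv {prefix}"]}
    return fixes
```

Running `suggest_fixes(SAMPLE_AUDIT)` reports the image labelled `file_t` where the qemu domain expects `virt_image_t`, together with the two commands that record the rule in policy and apply it.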

Ok. Even I can’t take my own sarcasm any more in this post. So, let me just cut to the chase and say it. SELinux annoys me every bit as much as it did when I first tried it about a decade ago, and I refute the notion that Linux distributions should be inflicting complex policy upon unsuspecting users. SELinux should instead be used to protect specific system services that are likely to be used by remote attackers – web services, file servers, and the like.

To me, distributions should save complex policy for optional spins and products targeted at the “security paranoid types”. But I shall leave it turned on for now, because I want to understand just how “misguided” I’ve been all these years turning it off the very first chance I get.

Jon.

5 Responses to “I love SELinux”

  1. Dan Walsh says:

    Jon,

    To some point I agree with you, but on others I don’t. Perhaps SELinux is too complex to understand, but the example you use is exactly the same example I could use about Discretionary Access Control being too complex. I set up my apache server and installed two html files, apache blew up with permission denied, and I had to

    sudo chown apache /var/www/myfile
    sudo chmod a+r /var/www/myfile

    It would be nice if virtmanager had labeled the files correctly when they were created but it did not, probably a bug. SELinux can be a pain in the butt, but we are now seeing it block vulnerabilities like the latest Flash Plugin and executable Memory/buffer overflow attacks. These are both user space vulnerabilities.

    Whether we can ever cover the breadth of complexity of Linux with a comprehensive policy is still up for question. But if we could just get the people to realize it is just about the labels.

  2. Jeremy Katz says:

    Yes, let’s not require people to set permissions or ownerships on files either. They just get in the way of unsuspecting users who want to share things with other users on their system.

    Think of ‘chcon virtcon_t’ as exactly the same sort of operation as ‘chmod foo’ and allowing an _application_ as opposed to a user the access to the file. And it is very important to be confining some of these user sorts of applications — or would you like for a compromise in kvm to allow your guest to access any file (or device) on your system?

  3. James Morris says:

    I’ve created two bugzillas related to this issue.

    https://bugzilla.redhat.com/show_bug.cgi?id=452671
    https://bugzilla.redhat.com/show_bug.cgi?id=452669

    If you wish to participate in discussion relating to SELinux and Fedora, I suggest posting to the fedora-selinux mailing list:

    http://www.redhat.com/mailman/listinfo/fedora-selinux-list

    Thanks.

  4. jcm says:

    When you need to modify applications like virt-manager to handle simple cases like having files in a different location, you lose. This is an example of overly complex policy getting in the way.

    As to Jeremy’s comments, this is not like chmod or chown, because those are well understood, well documented commands using a couple of standard users and modes. It’s pretty easy to deal with users like “root” and “jcm” on my laptop, but I had to manually trawl through many hundreds of possible SE Linux contexts before I discovered which one I should be using. Even after that, I picked the wrong one, had to create a dummy VM and poke at the image to find what context labeling I should have used, before I could just go and do what I had been trying to do an hour earlier. In other words, I lost an hour figuring out just how to create one VM image…this is not ease of use.

    Note, I’m not saying “SELinux is pointless”, I’m saying we’re going nuts with policy here. We should be protecting the 80% win case, rather than going for the 20% pain. Let’s protect our servers from compromises in apache, etc. rather than protecting users from themselves. Having said that, I’m not insensitive to the desire to protect ourselves from VM compromise…but the line has to be drawn somewhere.

  5. I would argue the commands ‘chmod/chown’ aren’t that well known for people outside of Linux. Instructing new and old users on how to do that has always been a high number of support questions on IRC and various lists. It was quite common 10 years ago (and sadly I ran into this last year) to find some academic server where the owner had done a

    chmod -R 7777 ./*

    or find that every account in /etc/passwd had UID 0, because people didn’t want to fuss with permissions… in fact your original story covers a meme from Usenet back in the late 1980’s early 1990’s about why DOS was better than Unix or VMS.

    The big issue is that commands and usage have changed, and it makes us grayhairs feel like we have to relearn everything which can make us grumpy… but in the end we just have to get over it.
