BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] apache problem

Subject: [Discuss] apache problem
From: cra at wpi.edu (Anderson, Charles R)
Date: Wed, 9 Jan 2019 20:58:38 +0000
In-reply-to: <20190109195525.GF9285@bladeshadow.org>
References: <20190108230616.GA17844@aldeberon-localdomain> <1546991099.782616.1629322016.75BE6566@webmail.messagingengine.com> <20190109164950.GD9285@bladeshadow.org> <20190109174553.h3d5b4aop2odflvf@angus.ind.wpi.edu> <5c364081.1c69fb81.1dbd8.4c68@mx.google.com> <20190109192026.nk4avvppxfnrdqxr@angus.ind.wpi.edu> <20190109195525.GF9285@bladeshadow.org>

On Wed, Jan 09, 2019 at 01:55:25PM -0600, Derek Martin wrote:
> On Wed, Jan 09, 2019 at 07:20:29PM +0000, Anderson, Charles R wrote:
> > It can harden a system against attack from without for example by
> > preventing sockets from being bound, similar to iptables.
> 
> It can not do this on a system that is running public services--the
> sockets for such are necessarily bound.  If a machine is not running
> services, then, barring kernel bugs in the network stack itself, it
> will not have vectors of attack that are vulnerable to attack from
> without to begin with.

It can prevent specific applications (process security contexts) from
binding to specific sockets/ports, either for inbound or outbound
connections.  External firewalls cannot do that to my knowledge.

> In most cases, careful privilege separation and file permissions get
> you the bulk of what you need; staying patched gets you the rest.  If
> you can't manage that much, how will you ever figure out what SELinux
> policies you need?

Well, SELinux can be part of a privilege separation strategy.  If for
example, someone managed to break in through Apache and then get a
root shell somehow, their root shell won't have privileges to do
anything beyond what the Apache policy allows.  They won't be able to
add users, make SSH connections, start a new sshd on a different port,
modify binaries, install software packages, run the compiler, turn off
SELinux, erase logs, etc.

> I'm not saying SELinux has no value. I AM saying that I believe for
> the average home user trying to provide some basic services for their
> home network, or even to run a small Internet site, what it provides
> is much more trouble than it's actually worth, and the needed levels
> of security are more easily provided other ways, most of which you
> were probably already doing anyway.

Okay, I guess.  I just think people overstate the "SELinux trouble"
part, especially with the current distro SELinux configuration.  I
wasn't meaning to use "fear" or "FUD" as an argument tactic--I was
just trying to point out the parallels between newbies' or home users'
acceptance of DAC and past arguments that DAC is "too much trouble to
deal with" vs. current arguments that SELinux MAC is too much trouble.

Follow-Ups:
- [Discuss] apache problem
  - From: richard.pieri at gmail.com (Rich Pieri)

References:
- [Discuss] apache problem
  - From: jdm at moylan.us (dan moylan)
- [Discuss] apache problem
  - From: blu at cyberpear.com (James Cassell)
- [Discuss] apache problem
  - From: invalid at pizzashack.org (Derek Martin)
- [Discuss] apache problem
  - From: cra at wpi.edu (Anderson, Charles R)
- [Discuss] apache problem
  - From: richard.pieri at gmail.com (Rich Pieri)
- [Discuss] apache problem
  - From: cra at wpi.edu (Anderson, Charles R)
- [Discuss] apache problem
  - From: invalid at pizzashack.org (Derek Martin)

Prev by Date: [Discuss] apache problem
Next by Date: [Discuss] apache problem
Previous by thread: [Discuss] apache problem
Next by thread: [Discuss] apache problem
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.