BLU Discuss list archive
[Discuss] apache problem
- Subject: [Discuss] apache problem
- From: cra at wpi.edu (Anderson, Charles R)
- Date: Wed, 9 Jan 2019 20:58:38 +0000
- In-reply-to: <20190109195525.GF9285@bladeshadow.org>
- References: <20190108230616.GA17844@aldeberon-localdomain> <1546991099.782616.1629322016.75BE6566@webmail.messagingengine.com> <20190109164950.GD9285@bladeshadow.org> <20190109174553.h3d5b4aop2odflvf@angus.ind.wpi.edu> <5c364081.1c69fb81.1dbd8.4c68@mx.google.com> <20190109192026.nk4avvppxfnrdqxr@angus.ind.wpi.edu> <20190109195525.GF9285@bladeshadow.org>
On Wed, Jan 09, 2019 at 01:55:25PM -0600, Derek Martin wrote:
> On Wed, Jan 09, 2019 at 07:20:29PM +0000, Anderson, Charles R wrote:
> > It can harden a system against attack from without for example by
> > preventing sockets from being bound, similar to iptables.
>
> It can not do this on a system that is running public services--the
> sockets for such are necessarily bound. If a machine is not running
> services, then, barring kernel bugs in the network stack itself, it
> will not have vectors of attack that are vulnerable to attack from
> without to begin with.

It can prevent specific applications (process security contexts) from
binding to specific sockets/ports, either for inbound or outbound
connections. External firewalls cannot do that to my knowledge.

> In most cases, careful privilege separation and file permissions get
> you the bulk of what you need; staying patched gets you the rest. If
> you can't manage that much, how will you ever figure out what SELinux
> policies you need?

Well, SELinux can be part of a privilege separation strategy. If, for
example, someone managed to break in through Apache and then get a
root shell somehow, their root shell won't have privileges to do
anything beyond what the Apache policy allows. They won't be able to
add users, make SSH connections, start a new sshd on a different port,
modify binaries, install software packages, run the compiler, turn off
SELinux, erase logs, etc.

> I'm not saying SELinux has no value. I AM saying that I believe for
> the average home user trying to provide some basic services for their
> home network, or even to run a small Internet site, what it provides
> is much more trouble than it's actually worth, and the needed levels
> of security are more easily provided other ways, most of which you
> were probably already doing anyway.

Okay, I guess. I just think people overstate the "SELinux trouble"
part, especially with the current distro SELinux configuration.
I wasn't meaning to use "fear" or "FUD" as an argument tactic--I was just trying to point out the parallels between newbies' or home users' acceptance of DAC and past arguments that DAC is "too much trouble to deal with" vs. current arguments that SELinux MAC is too much trouble.
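The message above argues that a root shell spawned from a confined Apache stays in the httpd_t domain and cannot bind new ports, open SSH connections or overwrite binaries. The way a responder checks that claim on a real box is to read the AVC records in the audit log: each one names the source domain (scontext), what was attempted (the permission set), the target type (tcontext) and the object class. The script below is an added example written for this page, not code from the thread or from the SELinux project. The audit lines it parses are constructed to illustrate the claim, not captured from a real system; the field layout follows the standard kernel AVC format. It also handles the caveat that matters in practice: a record with permissive=1 means the action was logged but allowed, so it is not evidence that the policy stopped anything.

```python
"""Summarise SELinux AVC denials for one confined domain (added example).

Groups enforced denials by (source domain, permission, target type, class)
and keeps permissive-mode records apart, since those were not blocked.
"""
import re
from collections import Counter

# Constructed sample audit records (not real log data). A shell running in
# httpd_t tries to start a listener on an unlabelled port, connect out to
# ssh, and overwrite a system binary; the httpd policy denies each one.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1547068800.101:501): avc:  denied  { name_bind } for  pid=4242 comm="nc" src=4444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1547068800.205:502): avc:  denied  { name_connect } for  pid=4243 comm="ssh" dest=22 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1547068800.310:503): avc:  denied  { write } for  pid=4244 comm="cp" name="ls" dev="dm-0" ino=1337 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547068800.400:504): avc:  denied  { name_bind } for  pid=4245 comm="nc" src=4444 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1547068800.400:504): arch=c000003e syscall=49 success=no exit=-13 ...
"""

# Standard AVC field order: decision, { perms }, ..., comm, ..., scontext,
# tcontext, tclass, and (on recent kernels) permissive=0|1.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
    r'(?:.*?\bpermissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    port = re.search(r'\b(?:src|dest)=(\d+)', line)  # present for port classes
    rec["port"] = int(port.group(1)) if port else None
    rec["permissive"] = rec["permissive"] == "1"
    return rec


def summarize_denials(audit_text, domain=None):
    """Count denials per (sdomain, perm, ttype, tclass), enforced vs permissive.

    Only records whose source domain equals `domain` are counted when it is
    given (e.g. "httpd_t" to see what a confined Apache, or a shell it spawned,
    was stopped from doing).
    """
    enforced, permissive = Counter(), Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if domain and rec["sdomain"] != domain:
            continue
        for perm in rec["perms"]:
            key = (rec["sdomain"], perm, rec["ttype"], rec["tclass"])
            (permissive if rec["permissive"] else enforced)[key] += 1
    return enforced, permissive


def describe(key, count):
    sdomain, perm, ttype, tclass = key
    return f"{sdomain} denied {perm} on {ttype} ({tclass}) x{count}"


if __name__ == "__main__":
    enforced, permissive = summarize_denials(SAMPLE_AUDIT, domain="httpd_t")
    for key, n in sorted(enforced.items()):
        print(describe(key, n))
    for key, n in sorted(permissive.items()):
        print("PERMISSIVE (logged, not blocked):", describe(key, n))
```

On a live system the same summary comes from feeding `ausearch -m AVC --raw` output to `summarize_denials`. If the enforced counter is empty while the permissive one is not, the domain (or the whole system) is in permissive mode and the policy is not actually confining the process.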