selinux & external threats

I have heard that the main use of selinux is to
protect from threats internal to the box, usually
from users, and that with regard to external
threats to such things as an e-mail server or
a web server, it is of little or no use.

Is this true?

Thanks for your help.

Re: selinux & external threats

Mike - EMAIL IGNORED wrote:

There are only so many bad things you can do to a box without gaining access
to it as a user. Even before that, since daemons run with the privileges of
a user, MAC can provide better segmentation and limit exposure to certain
types of attack.

In this case I'd say if you didn't already know the answer to that question,
then there's a lot of other answers you should be learning before setting
up selinux on your box.


Re: selinux & external threats

(06-03-23 00:09:39):

And to answer the question:  it's not entirely useless, but other
projects have been created specifically for the protection from the
outside.  In particular, grsecurity is one good
starting point.

However, in most cases a proper set of packet filtering rules does
suffice.  Those packages are only for cases where you need extreme
configurability, or where a service running on the host is vulnerable.
PaX, for example, protects from almost any stack- or heap-based attack
against vulnerable services.  They are still going to crash, but the
attacker doesn't gain access to the system.

SELinux, on the other hand, is for purposes where you need access
control.  As Colin said, it's mainly for protection against local
attackers who already have some access privileges on that host.

