SELinux: A belt to go with my suspenders

The old adage is that if you really want to keep your pants up, you’ll have a belt and suspenders.

Of course, who even wears suspenders anymore?  It was a retro throwback even when I was doing it, in the ’80’s and ’90’s.  (Of course, I still wear bow ties, so I’m suspect anyway.)

This project was to understand what is involved in using SELinux – a Linux implementation of Mandatory Access Control, or to put it bluntly, “Permissions imposed on files, ports and processes by policy – not by the end-user”.

I’ve been partial to CentOS for several years now, since being introduced to it by a colleague.  CentOS is the “free spin” of Red Hat Enterprise Linux, using their publicly-released packages.  The first question you might ask is “why would you want to implement SELinux, since all that security is going to make it much harder to do stuff.”  That’s certainly true: it does make it harder to administer a server, especially one that’s a hybrid test/home production host like mine.

But actually, anyone who knows me will already have a hint: I wanted to answer a couple of questions, among them whether it was in fact practical to turn SELinux on in this kind of environment.  The other driving issue was to understand the costs: what’s the overhead of SELinux (in terms of my time); how much harder is it to manage compared with the problems it solves?

I had the pleasure of hearing Red Hat’s SELinux guy, Dan Walsh, speak earlier this year, providing just enough of a conceptual overview to give me a handle on how to think about the service.  In the end, here’s what I have learned from this process:

  1. It’s not too difficult, but it takes some patience and does have to be learned.  While there are some good references out there, searches for information on a number of packages lead to instructions like, “this doesn’t work well with SELinux, just turn SELinux off” which is not… helpful.  I have all of my networked applications running in the SELinux “Enforced” environment, though, and haven’t had to jump through significant hoops.  Partly this was because I had already architected the operating environment and had a stable platform; the point was not to install package x but to install SELinux onto a working system with package x.
  2. Like a lot of things in SysAdmin, fixing the issues at startup is easy; figuring out how to fix them permanently isn’t.  For example, it’s pretty easy to change a file context but it’s more involved to change the default to survive across filesystem relabeling, and to understand when and why there is this difference.
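
The difference in point 2, as an added example that is not from the original post: `chcon` changes the label on the files only, while `semanage fcontext` followed by `restorecon` changes the policy default, so the label survives a relabel. The directory `/srv/www-example` and the type `httpd_sys_content_t` are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: temporary vs. persistent SELinux file labels.
# DIR and TYPE are constructed sample values, not taken from the post.
DIR=${DIR:-/srv/www-example}
TYPE=${TYPE:-httpd_sys_content_t}

# Build the path regex stored in the local file-context rules.
# A trailing slash is stripped so the rule covers the directory itself
# as well as everything beneath it.
fcontext_regex() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Return 0 only if the SELinux userland tools this script calls exist.
have_tools() {
    for t in chcon semanage restorecon; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

# Quick fix: writes the label onto the files only. The policy default
# is unchanged, so restorecon or a full relabel puts the old type back.
label_temporarily() {
    chcon -R -t "$TYPE" "$DIR"
}

# Permanent fix: record a new default in the local policy store, then
# apply it. Later relabels now arrive at the same type.
label_persistently() {
    semanage fcontext -a -t "$TYPE" "$(fcontext_regex "$DIR")" &&
        restorecon -R -v "$DIR"
}

# restorecon -n -v lists the files it would relabel without touching
# them; empty output means the on-disk labels match the policy default.
survives_relabel() {
    [ -z "$(restorecon -R -n -v "$1" 2>/dev/null)" ]
}

# Run as: sh label.sh apply   (needs root and the tools above)
if [ "${1:-}" = "apply" ]; then
    have_tools || { echo "SELinux tools not found" >&2; exit 1; }
    label_temporarily
    survives_relabel "$DIR" || echo "chcon label will not survive a relabel"
    label_persistently
    survives_relabel "$DIR" && echo "label now matches the policy default"
fi
```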

This brings up the challenges of understanding a new technology.  To me, it’s like trying to map a landscape from the air: elements of it can be understood (from familiarity) from a very high altitude, other areas require close examination.  The landscape itself varies greatly in elevation, and as humans our natural inclination is to fly at a constant level.  We’re never sure how much we see, or at what level of detail, meaning that we’re never sure of which questions to ask.

There are entire towns that we thought we knew, but trying to piece things together from a few miles above we find baffling behaviors; unable to figure out which streets connect to which neighborhoods we must fly lower – slow down – and trace things through, with care.  The blind corners puzzle us more than if we’d been walking through those places from the beginning.

In particular, with SELinux part of the challenge is that it’s effectively an overlay of a technology, rather than a discrete component or application.  It’s like visiting another English-speaking country; the accents are different, some words are used differently, and some are new.  I have the feeling that I’m missing a few concepts or answers to a few questions… and if I had those answers I’d be dramatically closer to understanding.  What’s frustrating is that I don’t know the right questions to ask.

I’ve taken to writing questions down in a notebook, and considering how to experiment to tease out answers in a more deliberate process.  In the meantime, the feeling of “almost having it” is gratifying and disheartening all at once.

