Is there any attack that would be possible just by disabling SELinux? Particularly on a server running http and ssh services?
Asked
Active
Viewed 3,512 times
10
-
This is very broad - is there something specific you are concerned about? – schroeder Oct 29 '15 at 21:02
-
@schroeder no. just some examples of how this could be exploited – Azad Oct 29 '15 at 21:39
-
You left a weak PHP contact form on your site. An attacker wants to use it to send spam. SELinux is stopping it with the [httpd_can_sendmail = false](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Booleans.html) boolean. You disable SELinux. Your server becomes a spam source. (That's assuming your question isn't the slightly tautological *"Assuming my server starts by being secure without SELinux, would it be secure without SELinux?"*) – TessellatingHeckler Oct 30 '15 at 03:01
2 Answers
5
SELinux is largely about confining processes to specified resources and not allowing them to access other resources.
SELinux knows what Apache is, what files it should be able to access, what ports it should be able to bind to, etc. If someone exploits a vulnerability in your website and trys to read or write to files that aren't part of the webroot, SELinux will actually stop it from happening even if you've screwed up on your permissions and left it vulnerable (and it will send up a nice loud error too).
This is especially useful when running websites or other applications that may or may not be safe, due to dumb customers or old software that people are scared to update (or often exploited platforms like Java). It doesn't generally stop an exploit, but it does mitigate the damage afterwards and is supposed to keep the security problem contained to the exploited process.
Another example for desktops: Web browsers. Should they be able to read ~/.ssh? No! There's never a reason for a web browser to go in there, unless that web browser has been taken over by an attacker. SELinux will stop web browsers from accessing ~/.ssh, even though the browser is running with your user privs (as it probably should be).
EDIT: Many people turn off SELinux because things don't work when they turn it on. This is because SELinux expects things to be configured "like we told you to configure it in the Red Hat docs" (in the case of SELinux on EL systems), which means you run things on standard ports with standard file paths and don't do weird stuff. If you want to do weird stuff, audit2allow is your friend and you can build SELinux policies for whatever you need to do.
Josh
- 51
- 3
-
"SELinux knows what Apache is" - no, that's the job of the policy implemented by SELinux, and its my experience that the targeted policy which ships with Redhat doesn't cater for many of the things which Apache is expected to do in different applications. – symcbean Sep 14 '17 at 13:07
1
As long as your server is patched and up to date, then there is no known vulnerability which SELinux protects against. There may be windows when this is not the case - but these are infrequent and short. This is the banner slogan for SELinux: it (might) protect you against zero-day attacks.
IMHO, SELinux is counter-productive for Security (except possibly if you are in the business of producing appliances running Linux) it consumes lots of time and effort without giving significantly better results than other approaches.
However I can't tell whether this applies in your context. An out-of-the-box configuration with SELinux and the distributor's policy enabled is more secure than one without.
symcbean
- 18,278
- 39
- 73