5

I came across SELinux this week and the concepts seem interesting. However I don't see the use of SELinux being promoted as much as I expected. Why is this the case and would anyone recommend installing a SELinux kernel onto a personal Linux machine?

Us3rname
  • 131
  • 6

1 Answers1

7

However I don't see the use of SELinux being promoted as much as I expected. Why is this the case...?

SELinux is a security mechanism which, unless properly configured and tuned, is going to be either ineffective or inappropriately block functionality. Think of it like a sharp kitchen knife; indispensable in the hands of a skilled chef, but either dangerous or prone to dulling in the hands of a novice.

As a result SELinux is most commonly* only used in canned, OS-distribution configurations which have been carefully designed and tested. These uses are usually invisible to the user (the hallmark of a well-designed policy!)

SELinux is also most useful with programs that provide an attack surface, which is to say, network-accessible daemons. As such, it's more appropriate for a server than it is for a "Personal Machine"

would anyone recommend installing a SELinux kernel onto a personal Linux machine?

I would rephrase your question as "when would it be recommended to install...", as the recommendation is dependent upon the circumstances.

  • If you are interested in learning about security, and have never played around with Mandatory Access Control before, and you have a machine where you don't mind horribly if it gets wedged up and needs fixing, then I would recommend playing with SELinux. MAC can be fascinating if you've never played with it before.
  • If you have less trusted processes (say, you're running a Minecraft or similar server for your friends but don't fully trust it) that make you nervous, and you're willing to spend some time and effort building a configuration that works without breaking things (and breaking, and fixing, things along the way) then you might want to consider SELinux... but recognize it's a bit of work if you're not just taking a working profile from somewhere.
  • If your personal machine is a tool for getting stuff done and you're going to feel inconvenienced if things need adjusting, and you don't have a particular threat level that makes you feel more nervous than normal, then I don't recommend SELinux.

*In my personal experience; YMMV. For example, SELinux is enabled by default on Red Hat Enterprise Linux. But on something like Ubuntu you have to go out of your way to add it.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • Thanks for your detailed response! After reading your answer I will spin up a VM to experiment SELinux further before I implement it into my host system. Thanks again for your awesome answer! – Us3rname Feb 12 '17 at 04:31
  • For your Minecraft server example, it's also worth considering running an untrusted process under a different, unprivileged account. It is perhaps not as secure as a well-tuned MAC setup, but it's also a lot easier to set up and far less likely to break anything else if you get it wrong. Start the software thoroughly under an account other than your regular one, make sure that the only files owned by that account are those absolutely needed by the software you run under that account, and make ample use of the iptables `owner` module. Compare https://security.stackexchange.com/q/141413/2138. – user Feb 12 '17 at 13:07