Rant: SELinux disabled?

Shockingly enough, whenever users ask for help with their Linux setup (RHEL, CentOS, Scientific etc), one of the most common suggestions you hear is: "Set SELinux to permissive or disable it."

Honestly, if somebody can't troubleshoot SELinux issues by looking at the audit.log or using tools that do it for them (audit2allow etc.), they haven't got much experience. That's fine. But should they really be advised to sacrifice security? I don't think so. Actually SELinux can be very helpful in reminding the user of his mistakes as well… "Should this executable be run here? Do we want to store this in a non-standard place?"

You know, the times where SELinux needed a lot of tweaking are long gone. It's been out there for many years. If it triggers alerts and blocks things these days, the first question should be: "How can I make my stuff work WITH those restrictions and keep it secure?" rather than "How do I get rid of this pain-in-the-butt constantly nagging tool, which I don't understand anyway?" It nags for a reason. And if you really have to run something in conflict with the default policies, check the tunables and consider creating exceptions for your particular case, but don't just switch it off.
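As an added example of that "work WITH the restrictions" workflow (my own script, not from the original post): it summarises the AVC denials you find in audit.log and names the least invasive fix to try first. The audit lines are constructed, and the tool names it mentions (getsebool, semanage, restorecon, audit2allow, semodule) are the standard policycoreutils ones.

```shell
#!/bin/sh
# Added example, not from the post: summarise SELinux AVC denials from
# audit.log so each one can be fixed by label, tunable or a small local
# module instead of by disabling SELinux. POSIX sh + awk only; the audit
# lines below are constructed (httpd blocked from a DB port and from a
# home directory), not real log data.

AVC_SAMPLE='type=AVC msg=audit(1700000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.124:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.125:458): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.125:458): arch=c000003e syscall=2 success=no exit=-13'

# summarise_denials: audit lines on stdin -> one line per distinct denial:
#   COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMISSION(S)
summarise_denials() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions sit between "{ " and " }", e.g. "{ read write }"
        s = index($0, "{ "); e = index($0, " }")
        if (s && e > s) perm = substr($0, s + 2, e - s - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | sort -k2
}

# classify_denial SRC TGT CLASS PERM: print the remediation to try first.
# Port and file denials are usually a tunable or a mislabel; only the rest
# needs new policy, and even that should be a reviewed local module.
classify_denial() {
    src=$1; tgt=$2; cls=$3
    case "$tgt:$cls" in
        *_port_t:tcp_socket|*_port_t:udp_socket)
            echo "network: check tunables (getsebool -a | grep ${src%_t}) or label the port with semanage port" ;;
        *:file|*:dir|*:lnk_file)
            echo "labeling: compare with matchpathcon and run restorecon -Rv before writing policy" ;;
        *)
            echo "policy: audit2allow -M local on these lines, read the .te, then semodule -i" ;;
    esac
}

# Demo on the constructed sample: one line per distinct denial plus the fix to try.
printf '%s\n' "$AVC_SAMPLE" | summarise_denials | while read -r n src tgt cls perm; do
    echo "$n x $src -> $tgt ($cls $perm): $(classify_denial "$src" "$tgt" "$cls" "$perm")"
done
```

On a real box, feed it `grep '^type=AVC' /var/log/audit/audit.log` (or `ausearch -m avc`) instead of the sample.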

Now to top it all off, I'm truly shocked to see how many commercial companies out there provide pre-built CentOS images for various clouds and virtualisation platforms with SELinux disabled. I don't understand this. I regularly end up building new images myself with SELinux in enforcing mode, which is much harder to do for a customer than for the provider. (You can't simply switch it back on when the image has been built with SELinux disabled. Your directories and files won't have the right labels.)

But worse than that, it sends the wrong message. SELinux is a major security enhancement on RHEL descendants. You are not conveying the right message if you offer SELinux-capable distributions and disable it per default (and more often than not, the same applies to basic firewall support).

You might as well say: "Your security is none of our bloody business. We don't care." Do you want your customers to take away this message?

I'm not an InfoSec guru. But you don't need to be one to understand that disabling built-in security features per default just doesn't make any sense.
