[djsumdog]

I've had to make AppArmor profiles in the past and they can get a bit painful. I've never had to configure SELinux so I don't know how much better/worse it is.

That being said, I think Docker and other container systems are going to remove the need for these security profile systems.

Yes, if there is exploitable code in the container, it can read/write to other things in the container. But so long as you keep the docker daemon up to date on its security patches, application exploits shouldn't be able to leak beyond the container, with the exception of volumes and linked containers/ports.

[pmoriarty]

"But so long as you keep the docker daemon up to date on its security patches, application exploits shouldn't be able to leak beyond the container, with the exception of volumes and linked containers/ports."

A kernel exploit executed in a Docker container would compromise all the other Docker containers on the same machine (and the machine as a whole).

[ams6110]

The typical configuration I see in /etc/selinux/config is:

   SELINUX=disabled

[protomyth]

Its definitely one of the things that shows up when you call about a lot of vendor's software support. I find it rather annoying that a company tells you to buy a specific Linux distribution then pulls exactly what you say.

Thinking about it (maybe because I am watching a update go as I type), what the heck does this say about how we program? I guess in some ways its why I like the idea of pledge. It makes me think better of the programmer because they have put some thought into their program. I'm not sure what I should think when I see SELINUX=disabled as a possible solution.

[dispose13432]

>Thinking about it (maybe because I am watching a update go as I type), what the heck does this say about how we program?

SELinux is not complex because we program in complex ways, but because we don't know the target program.

For example, (again, nothing against Apache but...) if I want to secure Apache, there's no way for me (as a sysadmin) to tell exactly which files, exactly which syscalls, and exactly which libs does it need to function, and there's no way for me to stay on top of it.

And the same applies to any other complicated software. How to I lock down X? Firefox?

Really, the beauty of a "pledge" like system is that the programmer/PM of the code (which he should understand) should know how to lock it down

[nickpsecurity]

You can do that in a SELinux-like system. There's been tools and policy languages for it. Even better, if the language is high-level & declarative, then it can be used to generate security policies on many different OS's and mechanisms instead of just SELinux or pledge.

[protomyth]

Which projects are doing this with SELinux?

[nickpsecurity]

I haven't followed SELinux in a while. I recall Tresys made tools with dialog boxes to make it about as easy as Windows firewalls. A quick Google leads me to Lobster being an example of what I was thinking of:

https://selinuxproject.org/files/2008_selinux_developer_summ...

[yarrel]

It's quicker to recover from a hack than it is to deal with SELinux every day.

[dispose13432]

>It's quicker to recover from a hack than it is to deal with SELinux every day.

Quicker, but not cheaper

[rwj]

I'm not sure that containers will help with security profiles. They should help with (for example) privilege escalation, but you will still be left with managing what systems/programs need access to what resources.

[dispose13432]

While containers can't help against privilege escalation, they help against information leakage.

For example, even assuming privilege escalation isn't a possibility, www-user can read /etc/passwd, getting all usernames. Containers help mitigate this.

[module0000]

If your www-user can read /etc/passwd without 'avc: denied' appearing in your selinux log, you are doing it wrong.

The whole idea behind selinux is to prevent this scenario from ever happening. Apache has a policy written for it, that specifies precisely which paths and contexts apache needs <X> type of access to. If it tries to access anything outside those paths and context, the selinux module denies the attempt. It's foolproof if you use it. It's also incredibly annoying if you are on a system with selinux enabled, but aren't familiar with selinux.

[dispose13432]

It's true, but containers are much easier to play with if your distro doesn't come with sane presets (Debian, for one)

[geggam]

... because you are auditing all of the upstream image sources ?

seriously ?

[xorcist]

There has been no shortage of ways to escape Docker containers. If you want to lock down applications, SELinux will be much more useful, even if far from perfect.