# SELinux vs hardened

## nielchiano

Hi,

I'm admin of a web-server and like to keep things ASAP (= as secure as possible). I'm currently trying (on a staging machine) the hardened sources (PaX and GRsecurity) + the hardened toolchain.

I just noticed that gentoo also has some SELinux docs.

Can anyone explain to me what SELinux is more/less/different from my current hardened-sources+toolchain?

What are the pros and cons of both?

----------

## tuxmin

Hi,

I can't tell you the pros or cons of SELinux -- never used it. But I'm running several apache webservers and firewalls under hardened Gentoo (I don't use grsec's RSBAC system. That's far too complicated for what you gain in my opinion).

I did a hardened-stage1 install with -fstack-protector and the hardened profile and use the 2.4. hardened sources.

What I can tell you after a few months: The system is rock stable.

I'd be careful with saying that you'd like to keep it as secure as possible -- I think you have to find a compromise between security and usability. About 1.5 years back I experimented with LIDS (works like grsec's RSBAC) and ended up with a nearly unusable machine. It did its job as a firewall great. But if anyone had to do updates or whatsoever on this machine it was always a big running around for passwords and documentation, and work took at least double the time as on a normal system.

Hth, Alex!!!

----------

## nielchiano

*tuxmin wrote:*

> with -fstack-protector

And what does that do extra? Add some protection to the stack, but how?

*tuxmin wrote:*

> I'd be careful with saying that you'd like to keep it as secure as possible

Yeah, I guess you're right. I like to keep my systems as secure as possible, but they have to be usable, exactly as you say.

I understand that security is all about compromises: best security ever: install your system, take out the hard-drive and lock it away in a vault. But it isn't really usable...

I'd just like to know what I can do to make it secure, without losing too much usability. Hardened kernel seems like a win scenario: added security with (almost?) no loss of usability. I don't know about SELinux (that's why I ask).

----------

## rbr28

My opinion is that if you run a server connected to the internet, grsecurity is essential.  SELinux is optional.  The reason I say that is because grsecurity is very simple to configure, yet it can greatly enhance security.  You can for example choose just one option, using randomized PIDs, and do nothing else if you like.  You can add 1 option at a time and see if it affects the services you are providing, without much risk.  There are numerous options you can choose that will help secure your machine.

In my limited experience with SELinux, it seems much more difficult to work with.  It takes a lot more time to set up correctly, and it is more likely to cause you all kinds of headaches if you don't have it set up correctly.  Don't get me wrong, I think it's a great project, and I do use it on a few machines, but it's a lot of work.

With both of these, just remember that they are just another piece of the puzzle.  Neither, by themselves, is going to make your machine secure.  Obviously if you have a simple root password and someone gets it, you are in trouble.  On the other hand, both of these, especially grsecurity, are tools that help me sleep better at night, knowing that I've gone one step further in making my machines less vulnerable.

----------

## nielchiano

Hmm, thx for the responses; I guess I'll leave SELinux for the NSA and just go for the "regular" hardened kernel+toolchain.

thx!

----------

## tuxmin

The -fstack-protector flag triggers a special buffer overflow handling that is "injected" through a gcc patch. Read here for details.

So if you choose the hardened chain and enable ASLR and PaX support through grsec, the stack-protector is the second line of defense in case someone even gets through your grsec protection. grsec tries to avoid buffer exploits by not allowing code on the stack to be executable (kernel level). If someone could get around this there would still be the userland stack protection. But you have to compile any application with this very flag or it's useless (hence the stage1 install). As far as I know it's not possible to compile the kernel with -fstack-protector; I think the ebuild takes care of this, but you should read on the PaX and grsec sites for more details on these issues.

Gentoo gcc is patched by default. This is not only hardened related.

Hth, Alex!!

----------

## nielchiano

*tuxmin wrote:*

> The -fstack-protector flag triggers a special buffer overflow handling that is "injected" through a gcc patch.
>
> [...]
>
> the stack-protector is the second line of defense in case someone even gets through your grsec protection.
> ...

Hmm; I think these 2 are unrelated: -fstack-protector detects if the stack has been overflowed. So it will detect data corruption.

grsec will avoid that anything on the stack ever gets executed.

I think the 2 are complementary; or am I getting it wrong?
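The split nielchiano describes (the canary detects that the stack was overflowed; PaX's non-executable stack stops anything written there from running) can be seen in a small model of the canary half. This is an added example, not code from the thread: it places a constructed canary word after a 16-byte buffer inside a simulated frame (the real compiler puts it between the locals and the saved return address) and checks it before "returning", as the -fstack-protector prologue and epilogue do. The NX half is not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame: a 16-byte local buffer followed by an 8-byte
 * canary.  The frame is a plain byte array so the model stays within
 * defined behaviour; with -fstack-protector the compiler lays out the
 * real frame the same way, canary below the saved return address. */
#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

/* Constructed canary.  The real value is random per process; like glibc,
 * its first byte in memory is 0x00 so string copies cannot reproduce it. */
static const uint64_t CANARY = 0x3b9f1a2c7e4d5600ULL;

/* Copy 'input' into the buffer the way an unbounded strcpy would (stops at
 * the NUL, not at BUF_SIZE), then run the epilogue check.  Returns 1 if the
 * canary is intact, 0 if the copy clobbered it, which is the case where a
 * real binary aborts with "*** stack smashing detected ***" instead of
 * returning into whatever the overflow wrote. */
int protected_copy(const char *input)
{
    unsigned char frame[FRAME_SIZE];
    uint64_t check;
    size_t n = strlen(input) + 1;

    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_SIZE, &CANARY, sizeof CANARY);  /* prologue: plant canary */

    if (n > FRAME_SIZE)            /* keep the model itself inside the frame */
        n = FRAME_SIZE;
    memcpy(frame, input, n);       /* the unchecked copy into buf[16] */

    memcpy(&check, frame + BUF_SIZE, sizeof check);     /* epilogue: read it back */
    return check == CANARY;
}

int main(void)
{
    const char *fits   = "hello";                       /* constructed inputs */
    const char *spills = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    printf("%-6s -> %s\n", fits,   protected_copy(fits)   ? "canary intact" : "stack smashing detected");
    printf("%.6s -> %s\n", spills, protected_copy(spills) ? "canary intact" : "stack smashing detected");
    return 0;
}
```

Note that the check only fires when the function returns, so the corrupted data is already in place; that is why the thread treats the canary as a second line behind the kernel-level protection rather than a replacement for it.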

----------

## tuxmin

Sorry, I'm not much of a programmer so maybe I'm mixing things up. The one or other way it seems to be a good choice, doesn't it?

But your argument sounds reasonable!

Alex!!!

----------

## nielchiano

*tuxmin wrote:*

> The one or other way it seems to be a good choice, doesn't it!

exactly!

----------

## Imago

Do I also have to set -fstack-protector in my CFLAGS if I'm using a hardened profile?

----------

## didl

*Imago wrote:*

> Do I also have to set -fstack-protector in my CFLAGS if I'm using a hardened profile?

No, if you use the hardened toolchain (i.e. glibc, gcc compiled with hardened flag) you do not need to enable this flag since it is part of the hardened-gcc specs:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml

For all future hardened users please check out the extensive documentation which should answer at least some of your questions:

http://www.gentoo.org/doc/en/list.xml

----------

## petlab

I have set up SELinux on a dual AMD64 1U.  However, I chose to go instead with grsec.  I learned a bunch about SELinux, but I can't say if it is "better" or not.

I found that the base policies are just that - base.  I was going to go in and write policies for the remaining programs on my system.  However, I changed my mind.  I think it would take too long, and I would probably make some small mistakes.  I am impressed with SELinux though.  Very detailed / fine grained.  You could have exact control over what any process/user can do.

I just thought it was too much of a learning curve for a newb like me.  I am able to write and troubleshoot SELinux policies, but just barely.  I can't see having a truly secure system with me being the author of several policies.  I think that SE would be better for systems that don't get upgraded often.  That isn't my system.

I made a kernel and got SE installed, then tried to install my whole userland.  I then went through and added / edited policies.

If I had fixed all the policies, and then went to enforcing mode, it would be fine.  However, I think it would be troublesome at best to do upgrades.

I'm going to try grsec and PaX.  Sounds great.

Thanks

----------

## nielchiano

*petlab wrote:*

> However, I think it would be troublesome at best to do upgrades.

Hmm, and since you need to upgrade frequently to keep security bugs out....

I'll stick to GR and PaX too. Thx for the story!

----------

## petlab

So, I made a new install using grsec and PaX.  No problems at all!  So, I followed the gentoo docs for it.  By now, I am using 2.6.10-hardened-something. Oh, and gcc 3.4.3.  The upgrade there wasn't easy, but it was unrelated to grsec & PaX.

Right now, I have grsec disabled.  PaX is in place, though, and seems to work fine.  I am not finished with the application setup yet.  When I am, I will put grsec into learning mode, and then turn the output into a policy.

I have played with turning on grsec with a sample policy I 'learned', and looked at the output.  Seems easier than what I went through with SELinux.  Hey, and I haven't even locked myself out yet!

----------

