undefined | Better HN

0 pointsdjsumdog9y ago0 comments

I've had to make AppArmor profiles in the past and they can get a bit painful. I've never had to configure SELinux so I don't know how much better/worse it is.

That being said, I think Docker and other container systems are going to remove the need for these security profile systems.

Yes, if there is exploitable code in the container, it can read/write to other things in the container. But so long as you keep the docker daemon up to date on its security patches, application exploits shouldn't be able to leak beyond the container, with the exception of volumes and linked containers/ports.

0 comments

pmoriarty9y ago

"But so long as you keep the docker daemon up to date on its security patches, application exploits shouldn't be able to leak beyond the container, with the exception of volumes and linked containers/ports."

A kernel exploit executed in a Docker container would compromise all the other Docker containers on the same machine (and the machine as a whole).

ams61109y ago

The typical configuration I see in /etc/selinux/config is:

   SELINUX=disabled

protomyth9y ago

Its definitely one of the things that shows up when you call about a lot of vendor's software support. I find it rather annoying that a company tells you to buy a specific Linux distribution then pulls exactly what you say.

Thinking about it (maybe because I am watching a update go as I type), what the heck does this say about how we program? I guess in some ways its why I like the idea of pledge. It makes me think better of the programmer because they have put some thought into their program. I'm not sure what I should think when I see SELINUX=disabled as a possible solution.

dispose134329y ago

>Thinking about it (maybe because I am watching a update go as I type), what the heck does this say about how we program?

SELinux is not complex because we program in complex ways, but because we don't know the target program.

For example, (again, nothing against Apache but...) if I want to secure Apache, there's no way for me (as a sysadmin) to tell exactly which files, exactly which syscalls, and exactly which libs does it need to function, and there's no way for me to stay on top of it.

And the same applies to any other complicated software. How to I lock down X? Firefox?

Really, the beauty of a "pledge" like system is that the programmer/PM of the code (which he should understand) should know how to lock it down

1 more reply

yarrel9y ago

It's quicker to recover from a hack than it is to deal with SELinux every day.

dispose134329y ago

>It's quicker to recover from a hack than it is to deal with SELinux every day.

Quicker, but not cheaper

rwj9y ago

I'm not sure that containers will help with security profiles. They should help with (for example) privilege escalation, but you will still be left with managing what systems/programs need access to what resources.

dispose134329y ago

While containers can't help against privilege escalation, they help against information leakage.

For example, even assuming privilege escalation isn't a possibility, www-user can read /etc/passwd, getting all usernames. Containers help mitigate this.

module00009y ago

If your www-user can read /etc/passwd without 'avc: denied' appearing in your selinux log, you are doing it wrong.

The whole idea behind selinux is to prevent this scenario from ever happening. Apache has a policy written for it, that specifies precisely which paths and contexts apache needs <X> type of access to. If it tries to access anything outside those paths and context, the selinux module denies the attempt. It's foolproof if you use it. It's also incredibly annoying if you are on a system with selinux enabled, but aren't familiar with selinux.

1 more reply

geggam9y ago

... because you are auditing all of the upstream image sources ?

seriously ?

xorcist9y ago

There has been no shortage of ways to escape Docker containers. If you want to lock down applications, SELinux will be much more useful, even if far from perfect.

j / k navigate · click thread line to collapse

0 comments

pmoriarty9y ago

A kernel exploit executed in a Docker container would compromise all the other Docker containers on the same machine (and the machine as a whole).

ams61109y ago

The typical configuration I see in /etc/selinux/config is:

   SELINUX=disabled

protomyth9y ago

dispose134329y ago

>Thinking about it (maybe because I am watching a update go as I type), what the heck does this say about how we program?

SELinux is not complex because we program in complex ways, but because we don't know the target program.

And the same applies to any other complicated software. How to I lock down X? Firefox?

Really, the beauty of a "pledge" like system is that the programmer/PM of the code (which he should understand) should know how to lock it down

1 more reply

yarrel9y ago

It's quicker to recover from a hack than it is to deal with SELinux every day.

dispose134329y ago

>It's quicker to recover from a hack than it is to deal with SELinux every day.

Quicker, but not cheaper

rwj9y ago

dispose134329y ago

While containers can't help against privilege escalation, they help against information leakage.

For example, even assuming privilege escalation isn't a possibility, www-user can read /etc/passwd, getting all usernames. Containers help mitigate this.

module00009y ago

If your www-user can read /etc/passwd without 'avc: denied' appearing in your selinux log, you are doing it wrong.

1 more reply

geggam9y ago

... because you are auditing all of the upstream image sources ?

seriously ?

xorcist9y ago

There has been no shortage of ways to escape Docker containers. If you want to lock down applications, SELinux will be much more useful, even if far from perfect.

j / k navigate · click thread line to collapse