
Dan Walsh's Blog

Got SELinux?


Happy Conficker Day...
danwalsh
Remember when this used to be April fools???

Two things happened to me this week that make you go Huh? Watched 60 Minutes this weekend and they had a segment on Conficker and worms attacking Windows. Seemed to be a huge advertisement for buying Symantec software. But I did not notice the Microsoft name being mentioned much. Microsoft Windows is the cause of the problem; poorly designed software has led to a multi-billion dollar industry of virus detection/prevention. I believe Symantec said on 60 Minutes that they update the virus database every 4 minutes! But 60 Minutes does not place the blame on Microsoft???

Yesterday my mother called me up and said she had talked to Verizon/Fios and had them remove a $9.00/month charge from her bill for virus protection. She was concerned that her computer had proper virus protection software on it. Since she is running Fedora 10 as an SELinux limited-privilege user, I told her she was safe. Imagine Verizon is able to generate almost 100 dollars a year per customer in virus protection. It is like the Mafia protection racket.

If you are using your computer as an Internet device there is little reason at this point not to use Linux, preferably Red Hat :^).

Now we all know that Linux can be attacked by viruses. But I trust open source developers would fix the vulnerabilities more quickly, and Linux is engineered better in the first place to prevent these attacks.

Finally, tools like SELinux can step in to mitigate users accidentally installing malware:

execmod, execstack, execmem, confined users, nsplugin confinement, et cetera.

If desktop Linux was ever to take off, it would be Symantec's worst nightmare.  :^)
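As an added illustration of the mitigations listed above (this is example code, not code from this post or from the SELinux project), here is a small Python parser for the AVC denial records that SELinux writes to audit.log, the file Dan asks for later in the thread. It classifies each denial by whether it came from the execmem/execstack/execmod memory-protection checks or from a confined user domain being blocked from executing a file in its home directory, which is the kind of triage a defender does before deciding whether a denial is a policy gap or SELinux doing its job. The log lines are constructed samples; the domain names nsplugin_t, user_t and user_home_t are standard Fedora targeted-policy types, and the boolean names in BOOLEAN_HINT are an assumption about the policy of that era and should be confirmed with getsebool -a.

```python
import re
from collections import Counter

# Constructed sample audit.log records (illustrative only, not from a real host).
# The layout follows the standard Linux audit "type=AVC" record format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1238614800.123:45): avc:  denied  { execmem } for  pid=2345 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1238614801.456:46): avc:  denied  { execstack } for  pid=2345 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1238614802.789:47): avc:  denied  { execmod } for  pid=2345 comm="npviewer.bin" path="/home/alice/.mozilla/plugins/libsample.so" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1238614803.000:48): avc:  denied  { execute } for  pid=2500 comm="bash" name="installer.sh" dev=dm-0 ino=999 scontext=user_u:user_r:user_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1238614803.000:48): arch=c000003e syscall=59 success=no exit=-13 comm="bash" exe="/bin/bash"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions enforced by the memory-protection checks named in the post.
MEMORY_PERMS = {"execmem", "execstack", "execmod"}
# Confined user domains from the Fedora targeted policy.
CONFINED_USER_DOMAINS = {"user_t", "staff_t", "xguest_t", "guest_t"}
# Assumed boolean names of that policy era; confirm on a real box with `getsebool -a`.
BOOLEAN_HINT = {"execmem": "allow_execmem", "execstack": "allow_execstack", "execmod": "allow_execmod"}


def parse_avc(line):
    """Return a dict for a denied AVC record, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    event = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    event["perms"] = m.group("perms").split()
    # The third colon-separated field of a context is the type (e.g. nsplugin_t).
    event["stype"] = event["scontext"].split(":")[2]
    event["ttype"] = event["tcontext"].split(":")[2]
    return event


def parse_audit_log(text):
    """All denied AVC events in the text, in log order; other record types are skipped."""
    return [e for e in (parse_avc(line) for line in text.splitlines()) if e]


def classify(event):
    """Name the SELinux control that produced a denial, the way a defender would triage it."""
    perms = set(event["perms"])
    mem = sorted(perms & MEMORY_PERMS)
    if mem:
        return "memory-protection (%s) in domain %s" % (", ".join(mem), event["stype"])
    if "execute" in perms and event["ttype"] == "user_home_t" and event["stype"] in CONFINED_USER_DOMAINS:
        return "confined user %s blocked from executing home-directory content" % event["stype"]
    return "other (%s on %s)" % (" ".join(event["perms"]), event["tclass"])


def summarize(text):
    """Count denials per control so a report says what SELinux stopped, not just that it did."""
    return Counter(classify(e) for e in parse_audit_log(text))


if __name__ == "__main__":
    for e in parse_audit_log(SAMPLE_AUDIT_LOG):
        hint = ", ".join(BOOLEAN_HINT[p] for p in e["perms"] if p in BOOLEAN_HINT)
        print("%-14s %-12s %s%s" % (e["comm"], e["stype"], classify(e), (" [boolean: %s]" % hint) if hint else ""))
    for control, n in summarize(SAMPLE_AUDIT_LOG).items():
        print("%d x %s" % (n, control))
```

Run against a real /var/log/audit/audit.log by replacing SAMPLE_AUDIT_LOG with the file contents. The point of the classification is that an execmem or execstack denial for a plugin domain and an execute denial on user_home_t for a confined user are the protections the post lists working as designed; they are not the same kind of event as a denial caused by a mislabelled file after an upgrade, which shows up in the "other" bucket and is what a relabel or a policy bug report should address.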


The problem is scale and antitrust. MSFT can't bundle even basic virus checking because of all the antitrust grief it would get from the existing add-on industry.

How does Fedora's SELinux setup handle those pesky little ".desktop" files? Does a command in a .desktop file run at the same privilege level as if the user had done an alt-f2 and typed it?

Well, it depends on the pain you want to handle. If you use a confined user you can turn off the execution of anything in the home directory. If you are running nsplugin, then plugins will only be able to write to certain directories. Of course the pain point for truly confining the web browser is where users start to complain. Currently with policy we cannot differentiate between a user downloading a file to his home directory through the web browser and the browser doing it on its own.

I can add to this: for security reasons I created a different user, from which I run Firefox and Opera. It has no read/write rights to my own files. We share the 'downloads' directory and I use it to transfer files in both directions. So no one who might hack my browser can do really bad things.

I have an F10 box with SELinux in permissive mode. The endless deluge of exceptions and crashes in setroubleshootd does not inspire confidence. You may be able to hide this disaster from your mother somehow, but it's still there.

Have you submitted bugzillas.

danwalsh

2009-04-01 06:25 pm (UTC)

Contact my email directly and I will look at what is going on.

dwalsh@redhat.com

Re: Have you submitted bugzillas.

zaitcev

2009-04-01 07:20 pm (UTC)

Thanks, Dan. I did file one or two in the past but it always was an outdated policy (and even a missing relabel once), a PEBKAC. This box is updated though.

Re: Have you submitted bugzillas.

danwalsh

2009-04-01 07:39 pm (UTC)

Well, send me your audit.log and I can look at it quickly.

Re: Have you submitted bugzillas.

zaitcev

2009-04-03 07:29 pm (UTC)

I think we should mention here that the box in question is a result of an upgrade (presumably a fresh install of F10 would work fine).

Re: Have you submitted bugzillas.

danwalsh

2009-04-03 08:20 pm (UTC)

Yes, your problems stem from an upgrade from F8 to F9 or F10, which caused the SELinux login database to be fubar.
