The feature required to run a custom
kernel via pv-grub are not included
into the latest Centos5 kernel (2.6.18) and it won't
be as you can read here:

http://bugs.centos.org/view.php?id=3372

Plus what about kernel updates using a custom
kernel? I mean yum is useful and I would like to
use it whenever I want to update my kernel. I think
linode technicians should manage to include SELINUX
support on their kernels as soon as possible.

Is there anybody in agreeing with me?

No, I do not agree with you. I always uninstall SELinux from any
desktop installation if it is there. Why do you need to have it anyway under Xen? What's the application?

About SELINUX

"Let me assure you that this action by the NSA was the crypto-equivalent of the Pope coming down off the balcony in Rome, working the crowd with a few loaves of bread and some fish, and then inviting everyone to come over to his place to watch the soccer game and have a few beers. There are some things that one just never expects to see, and the NSA handing out source code along with details of the security mechanism behind it was right up there on that list.” — Larry Loeb

If you use Linode-supplied kernels, updating with yum has no effect on them - they are loaded from the host machine.

_________________
/ Peter

I knew...but I was talking about pv-grub and custom kernel.....it's different



My application is a Server, higher security level is required compared to a desktop. SELINUX: Attacks coming from Internet could exploit a bug of sshd or whatever ..so if you have SELINUX enabled you afford another level of security which make cracker's life harder to get root privileges ...SELINUX blocks any script trying to do something "nasty" ....as a result many web browsers vulnerability will affect less or none your desktop. You can find an example of where SELINUX would have been useful even in this forum:

https://www.linode.com/forums/viewtopic ... ht=selinux

By the way: Xen is not meant to filter inbound connections to its guests firewall. Xen has nothing to do with the security of its guests

Furthermore ....you can choose of course to use SELINUX or not, it's up to you, if you feel quite confident without it's ok but linode should take into account that some people may like to use it therefore enabling the kernel support is a good choice. You can disable SELINUX afterward simply changing a boolean (for Centos,fedora,RH...but I guess it shouldn't be harder on other distros)

I agree. SELinux should be enabled in the kernel by default for security reasons. This is one of the main problems I have with Linode right now since I run a computer security company and can't use a common security tool.

Okay, stop.


That's not a valid reason to use SELinux, and that's not SELinux's job. Period. Why not take responsibility for your server's security (instead of relying on code that is difficult to audit), like this:

Chain TCP_IN (1 references)
 pkts bytes target     prot opt in     out     source               destination
   21  1016 SSH        tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh

Chain SSH (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   104 ACCEPT     all  --  any    any     home-connection      anywhere
    0     0 ACCEPT     all  --  any    any     work-connection      anywhere
   19   912 DROP       all  --  any    any     anywhere             anywhere

Restricting SSH access to hosts you've designated (whitelisting) completely eradicates a 0-day attack, because the packets will not even make it to sshd to exploit it. This is planning ahead. More steps to secure sshd (just in case):

# cat /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin no

If you want to get really secure, take the approach some other customers have and VPN to your Linode using something like OpenVPN. Then, only allow SSH and other security-critical processes to talk to clients that are connected to your VPN. This is all stuff you can do without SELinux, all tried and tested, and doesn't rely upon code the U.S. NSA has written.

You seem to paint SELinux as a flip-the-switch solution that will automatically make all the security ills of server administration magically disappear, and that is most certainly not the case. The thread you referenced, awstats.pl exploitation, is another case of this; had awstats.pl been password-protected or given a whitelisting setup (like SSH above), this attack would have never happened. Other comments in the thread even pointed that out. SELinux is not the only solution to this specific problem, and in fact would be the most difficult of the administrator's choices.

I don't mean to be harsh, but SELinux is designed for a specific application domain and many leaders of the Linux community, including Ted T'so, have spoken out against it. What it most certainly is not is a substitute for proper systems administration and security auditing. You need to educate yourself and not rely upon someone else's code to keep you safe on the Internet. Proper security work just requires some brainpower and thinking ahead, that's all, and Google is right there for you.

If you can show me one case where SELinux would have been the only way to prevent an exploit I'll rethink this argument, but good luck.


You can't compile? Other people have, see here.

Linode does not prevent you from running with SELinux enabled. You are preventing yourself by not compiling a kernel and using pv_grub. Please do not confuse is not the default with cannot use.

Fedora has a newer kernel than Centos which allows you to set the features required by pv-grub.



You are right , you can secure your server enough even without it but I said SELINUX is another level of security, it is not a substitute...You'll never know what will happen... e.g: debian ssh key generation function bug....do you remember? furthermore you should be considering social engineering etc ..




I will repeat myself: SELINUX is not the only way for anything it's just another level of security. If you want some example where it has been useful ask Daniel Walsh at RedHat.

Why should I run SELINUX?
Article
Ops..I found some examples



With Centos kernel version you actually cannot use pv-grub and as consequence of this cannot enable SELINUX support in your kernel.

Anyway I would like to know why linode doesn't include the support into the kernel...performance?

Yes you can. Compile the kernel to have Xen and SELinux enabled. I don't see what the fuss is.

You need to enable these kernel features:

CONFIG_PARAVIRT_GUEST=y
CONFIG_XEN=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_CLOCK=y
CONFIG_XEN_BLKDEV_FRONTEND=y
CONFIG_XEN_NETDEV_FRONTEND=y
CONFIG_HVC_XEN=y
CONFIG_XEN_BALLOON=y
CONFIG_XEN_SCRUB_PAGES=y

These features can be enable ticking on :

Processor type and features ---> Paravirtualized guest support

The current kernel of Centos is 2.6.18-x doesn't include it.

Yes. That meanst that you either:

+ Patch the old kernel + compile
+ Or use a newer version, such as 2.6.29

Both of which are perfectly doable in CentOS.

I don't like to use a newer kernel...prefer to follow Centos staff



I don't think there is a patch..

did you read this? http://bugs.centos.org/view.php?id=3372

Even tough I'll compile a newer kernel It will be pretty annoying to maintain it updated...that's why I think linode should enable SELINUX support by default

Indeed, I have to say that having to re-compile the kernel is annoying - but it is possible.

May be linode staff could say what pacth they used to create their 2.6.26 kernel.

Although if you are going to patch the kernel, you may just as well use the latest version - since you will be responsible for updates, etc anayway. Security pacthes/problems in the kernel are very rare, so I wouldn't really worry about updates, etc.

I am sorry, but I still do not understand why you are so keen on using SELinux. I have a number of VPS's under my administration and often what I do is setting up SSH properly rather than relaying on the default setup. I did my home work concerning SELinux and all I can say - its not for me. I do not want to rely on code I do not fully understand.

I am completely agreed with jed



Though its up to you what to use on your server. I prefer to use the industry standard software rather than something the USA government has got a back door to.

All debates about the pros/cons of SELinux aside, you are not the first person to ask for it, so I wouldn't hold my breath waiting for linode to push out an SELinux kernel.

I think you have two choices:
1) Stick with the default linode kernels and live without SELinux.
2) Use pv_grub and run your own kernel. Apparently Centos is still using 2.6.18 which does not support pv_ops, so you would need to move to a more modern kernel.