Fri, 18 Mar 2005
After this flurry of conferences, I've been really motivated to add this extra layer of security to the servers I have at home. SELinux offers some incredible advantages in security for a server or desktop. Red Hat's Daniel Walsh explained it well by saying a server was like a house. You still lock all the doors and windows. But if someone manages to break into your house, SELinux confines them to that very room.

SELinux has a policy defined for the daemons that might run on your system. A daemon can perform only what that policy explicitly allows. A daemon not allowed to look at /etc/shadow by SELinux can't be persuaded to do so even if it's got the SUID bit and a gaping security hole. Someone breaking in through Apache will never have rights to anything Apache can't do. They can't change the website content, for instance, because Apache shouldn't be allowed to modify website content. And it certainly wouldn't have permissions to mess with DNS settings. Even if an intruder finds something Apache has access to that lets them become root, it doesn't matter what UID they have; SELinux is deeper than that.

I made the final leap, and enabled SELinux on all the servers I had at home. They had been running Hardened Gentoo with SELinux in permissive mode. To run in enforcing mode, I had to create a few policies for non-standard daemons I was running. I had been holding out on that for a while, but when I finally got down to it, it wasn't hard at all. I sent them off to Russell to see if it's worth including them in the main SELinux policy sources.

I haven't put that on my desktop yet, though I'd like to in the future. The desktop is an often overlooked component in security, even with all the vulnerability announcements going out. Image rendering libraries, IM clients, holes in Mozilla, and problems in OpenOffice all could easily allow a remote attacker to see personal data in your home directory. And that's if they aren't trying hard; any of those could be used to gain full access to your machine. SELinux steps in and, with the proper policies, separates programs from each other. Mozilla could be restricted to system libraries, ~/.mozilla, and ~/downloads. It doesn't need access to your email or documents. Or, if you want to make it more permissive, that's fine. Allow it access to anything in your homedir if you want GAIM to be able to do such things. But there's no reason for GAIM to have access to your mysql data. So, we can restrict it to /home/. That's still a big deal.

Red Hat and Fedora have targeted policies. They attempt to restrict common daemons as opposed to everything. That would handle the case where you don't want to be bothered by the SELinux restrictions, but you still want some of its benefits. There's a lot to be said for using the restrictive policies -- but if that's just not for you, having a targeted policy can still protect you from 0-day vulnerabilities or failures to upgrade applications in a timely manner.

In two weeks, on Saturday April 2nd, we're going to have a Hardened Server InstallFest of sorts. I'd encourage you to come out and give SELinux a try. If you're interested, let me know. You can do SELinux with Gentoo, Debian, Fedora, RHEL, and many others. Gentoo is my personal favorite, but we can probably help out with some of the others as well :-)
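To make the "it doesn't matter what UID they have" point concrete, here is a small model of SELinux type enforcement, added as an example for this post; it is not SELinux's own code or policy. It parses a handful of constructed `allow` rules written in SELinux's TE syntax and evaluates them next to a classic UID/mode (DAC) check, so you can see that the Apache domain (`httpd_t`) is refused `/etc/shadow` even when the process runs as root, is refused writes to its own web content, and that a browser domain cannot read mail. The type names (`httpd_t`, `shadow_t`, `httpd_sys_content_t`, `mozilla_t`, `user_home_t`, `user_mozilla_home_t`), file paths and UIDs are illustrative, borrowing SELinux naming conventions; real policies contain thousands of rules and many more object classes.

```python
"""Toy model of SELinux type enforcement (TE) layered on top of DAC.

Added example, not SELinux's own code. A few constructed allow rules in
TE syntax are parsed, then access is decided as DAC AND MAC, with the
MAC decision never consulting the UID of the process.
"""
import re
from dataclasses import dataclass

# Constructed policy fragment in SELinux TE syntax (illustrative types).
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr };
allow httpd_t lib_t:file { read getattr execute open };
allow mozilla_t user_mozilla_home_t:file { read write create getattr };
allow mozilla_t lib_t:file { read getattr execute open };
"""

# allow <source_type> <target_type>:<class> { perm perm ... };  or  perm;
RULE_RE = re.compile(
    r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;$"
)


def parse_policy(text):
    """Return {(source_type, target_type, class): set(permissions)}."""
    rules = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        src, tgt, cls, perm_set, perm_one = m.groups()
        perms = set(perm_set.split()) if perm_set else {perm_one}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int      # permission bits only, e.g. 0o640
    type: str      # SELinux type from the file's security context


@dataclass(frozen=True)
class Process:
    uid: int
    domain: str    # SELinux type (domain) the process runs in


# Map SELinux file permissions onto the r/w/x bits DAC understands.
_DAC_BIT = {"read": 4, "getattr": 4, "open": 4,
            "write": 2, "append": 2, "create": 2, "execute": 1}


def dac_allows(proc, f, perm):
    """Discretionary check: root bypasses mode bits (group bits omitted)."""
    if proc.uid == 0:
        return True
    shift = 6 if proc.uid == f.owner_uid else 0
    return bool((f.mode >> shift) & _DAC_BIT[perm])


def mac_allows(rules, proc, f, perm):
    """Type enforcement: only an explicit allow rule grants the permission."""
    return perm in rules.get((proc.domain, f.type, "file"), set())


def access(rules, proc, f, perm):
    """Both layers must agree; MAC is evaluated regardless of UID."""
    return dac_allows(proc, f, perm) and mac_allows(rules, proc, f, perm)


def demo():
    """Evaluate the scenarios from the post; returns {scenario: allowed?}."""
    rules = parse_policy(POLICY)
    shadow = File("/etc/shadow", 0, 0o600, "shadow_t")
    # Content owned by the apache user, so DAC alone would permit writes.
    index = File("/var/www/index.html", 48, 0o644, "httpd_sys_content_t")
    mail = File("/home/eric/mail/inbox", 1000, 0o600, "user_home_t")
    prefs = File("/home/eric/.mozilla/prefs.js", 1000, 0o600, "user_mozilla_home_t")
    apache = Process(uid=48, domain="httpd_t")
    apache_root = Process(uid=0, domain="httpd_t")   # became root, same domain
    browser = Process(uid=1000, domain="mozilla_t")
    return {
        "apache reads web content": access(rules, apache, index, "read"),
        "apache writes web content": access(rules, apache, index, "write"),
        "apache as root reads shadow": access(rules, apache_root, shadow, "read"),
        "DAC alone lets root read shadow": dac_allows(apache_root, shadow, "read"),
        "browser reads its own profile": access(rules, browser, prefs, "read"),
        "browser reads mail": access(rules, browser, mail, "read"),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:35s} -> {'allowed' if allowed else 'denied'}")
```

The fourth line of the output is the one the house analogy is about: DAC would happily let a root process read `/etc/shadow`, but because the process is still in `httpd_t` and no rule allows `httpd_t` to touch `shadow_t`, the combined answer stays "denied".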
Copyright 2003 Eric Andreychek