My opinion on EnGarde and SELinux

Discuss Engarde latest news and updates

Moderators: scrumpy, Dave, leihog

My opinion on EnGarde and SELinux

Postby usalabs on Mon Oct 15, 2007 2:46 pm

EnGarde itself as a server is great, but more attention needs to be focused on the SE side, especially the SE policies, the policies need to be adjusted/creaded for a true server environment where the system admin can login using ssh, ftp files and do other stuff without having to create a user, in other words, the system admin would have total control over the entire system without having to disable this, create that, login with this name, then su to the root, then transition to a sysadm_r role, which, doesn't work when logged in as a created admin user, the only role that can be used is staff_r.

All this points to SE, so in my opinion, SE is more of a hinderance than an advantage, so for my purpose, I have disabled SE permanently, now I can login using ssh, then su to root, and have full system control, and chmod folders and files that I need to, plus, I use good old fashioned htaccess to restrict certain folders and files.

Another downfall with SE, some php scripts have the ability to upload local files (set by the admin script) to the server, but to do that I have to disable SE, then I can run the script. The idea of th script is so that I can log into the admin area, upload the files, then logout, but SE stops that when enforcing.

EG
I am runnig a download manager, with file extension limits. A group of people that are developing software would like to share their work with each other, and the only way I can do that is to install a download manager, that allows them to (once registered) upload and download their scripts, but with SE enabled, that isn't possible.

FINAL COMMENTS:

EnGarde is great, but SE needs to be looked into more, if it's going to be used in a real server environment.
usalabs
 
Posts: 30
Joined: Fri Oct 12, 2007 3:12 am

RE: My opinion on EnGarde and SELinux

Postby duplicateryan on Mon Oct 15, 2007 4:25 pm

usalabs,

First, thank you for your feedback. We are glad that you've been able to find help here on the forums and will continue to help improve your experience with EnGarde.

To your points, we wanted to take this opportunity to talk about the issue of security. A lot of these issues are directed at the core of what SELinux provides in an EnGarde server: mandatory access control or MAC. This control explicitly allows ONLY those processes which are expressly designed to be allowed. This is specifically one of the things that makes EnGarde so secure. A task cannot be done, unless you allow it to be so. This may be unfamiliar to many users, in which case, we have our community to help you and are always willing to lend a hand.

for a true server environment where the system admin can login using ssh, ftp files and do other stuff without having to create a user, in other words, the system admin would have total control over the entire system without having to disable this...


This is exactly what SELinux and EnGarde are trying to avoid, actually. This scenario (complete root user control) is incredibly insecure. The processes, applications and tasks are open to anyone with root access, or any program under the guise of a root user. This is the reason SELinux exists - to ensure tasks remain out of reach of one 'all-mighty' root-user that can be exploited and corrupt your system integrity. It is the control over this kind of free, unrestricted access that makes EnGarde so secure, along with its integrated secure engineering.

EnGarde still provides all these capabilities and more in a real server environment. It's just in order to ensure the kind of security that users want with SELinux, policies must be in place to define what is allowed for them to operate.

Although, there's nothing wrong with having the kind of root access that you want, as that's your choice. But you must be willing to accept that such open access could compromise your system or information. Security is all about trade-offs, and for those who want the strongest security possible, EnGarde with SELinux, is one of the best solutions you can find.

We encourage you to learn more about SELinux policies and how they can be created do what you want your server to do, but with the security you need.

You can get your start here:

http://www.engardelinux.org/modules/ind ... tation.cgi

The bottom line:

If you want to have a secure system, you must restrict access, both by the structure of users and their responsibilities (the people) as well as the processes/applications (the architecture). Your critique, while fair, is almost akin to saying:

"Why is there a lock on my safe? I want to be able to get in there easily and the lock makes that difficult."

Security isn't always easy but EnGarde makes it as easy as possible. This has always been our goal, and we will continue to stress security as our primary focus. We do appreciate your input on restricting access, but this will always be why we develop EnGarde.

Thank you and please don't hesitate to continue to ask questions on this site. We look forward to any other suggestions you may have and welcome them.

- The Guardian Digital Team
duplicateryan
 
Posts: 10
Joined: Fri Mar 09, 2007 5:04 am
Location: Ramsey, NJ

Re: RE: My opinion on EnGarde and SELinux

Postby usalabs on Mon Oct 15, 2007 6:51 pm

duplicateryan wrote:Your critique, while fair, is almost akin to saying:

"Why is there a lock on my safe? I want to be able to get in there easily and the lock makes that difficult."


The person that has the key to the "lock" can open it, without having to open 30 more locks just to get inside.

SELinux is like having a safe, and inside that safe are 10 other safes, each with it's own lock, giving 10 people a key, and keeping one yourself, if you want to get into the safe, you would need those 10 people to open it, when one secure lock is only needed to stop someone opening the safe.

One system administrator with total access and user levels, that can only have restriced access.

You woudn't have 5 ID cards 1 for yourself and the other 4 given out to 4 employees and without those 4 people you coudn't open a door using just your ID card.

Even with SE disabled, the access control in the webtool can still block access to certain services.

The idea of a system admin having full total control, would be only from a local LAN, not from the WAN, thus stopping external access to system files.

ADDENDUM
There's another really pointless option in the webtool, and that's the ability to backup and restore, sure,,,backup those files, but it backs up those files in /var/BACKUP which is completly unwritable to even the root login, so what is the point of storing them in /var/BACKUP then downloading them, only to find that if a critical system error happens and one needs to upload and restore that backup, it's not possible to, there's no option in the webtool to browse the local computer to upload and restore a backup.

Another hinderance is webtools inability to configure installed extra packages, ie, samba and amanda, webtool should be able to configure them just like the web services.
usalabs
 
Posts: 30
Joined: Fri Oct 12, 2007 3:12 am

RE: My opinion on EnGarde and SELinux

Postby scrumpy on Wed Oct 17, 2007 10:20 am

hi usalabs,

If you want to allow multiple people root access over ssh and / or have the system admin with rights in any way which is not in agreement with the SELinux model, or have full unsecured control from your lan in the way which you propose... Then you are going to have to ultimately rely on a mechanism external to your system to provide you the level of security that SELinux is designed to give, with the possibility of that reliance also being distributed amongst your users machinery. I am not a security wiz but I would hazard a guess that introducing external unquantifiable entities contradicts some key philosophies which the SELinux model relies upon, primarly in the logic area.

However, the tools are available for you to alter the system at various levels to suit your own needs.

As you know this is a community effort which is aimed towards bettering the security using some of the most advanced systems available in the open source sphere, to lessen any part of this is counter-productive to the overall drive to deliver a highly secure system.

Perhaps you should check out the booleans, and how to create your own custom policies. There is a mass of information available about customising the system, it is at your fingertips. There is also a bug submission system where you can request a new feature to be analysed by the engineers.

I would also urge you to buy a copy of this book:
http://www.waterstones.com/waterstonesw ... ku=4251227

-S
scrumpy
 
Posts: 108
Joined: Tue Nov 07, 2006 7:21 pm
Location: Scotland.

RE: My opinion on EnGarde and SELinux

Postby usalabs on Thu Oct 18, 2007 2:50 pm

ok, here's what I found out so far.

After trying multiple server systems, this is the only system that I have been "trying" to get working, for 6 days, before I registered on this forum.

Abyss web server for windows is still the simplest server to use, these are the procedures to get a website up and running within 30 minutes of first installing windows 2003 server

Install windows 2003 server without IIS, and install and setup the DNS service.

Install MySQL server
Install Abyss Web Server
Install pre-configured PHP5
drag and drop created web files to the htdocs folder of Abysss

And hey presto! a fully working website.

Aliasing is as simple as running the Abyss web interface, entering /alias for the alias name, and manually entering or browsing to the folder that contains the files to be hosted.

Can all that be said about EnGarde?

I've setup a complete windows web server in under 30 minutes from a fresh install of win2003.

Of all the Linux distros that have server functionality, that I've tried, including Xandros Server, not one of them can boast an out-of-the-box running system within 30 minutes.

At first EnGarde looked like something I would use, but as time goes on, I'm getting more and more disappointed, it doesn't have the ability to create mailboxes for each user, and be able to set individual sizes, that is essential for email clients to pick up the emails using email clients, Merak, and most other email servers have that capability, the smtp side of the mail server is widely open, not as a relay, but to permit spamming, Merak can limit the size of emails sent on a per user basis.

EnGarde doesn't have webmail, Merak does.

EnGarde is very unstable, one minute it works, then without doing anything, it can change over night, EG. Yesterday it worked 100%, I went to bed, and today I wanted to do some work, and the DNS side decided to *beep* up, and refuse to allow requests, then the SSH login wouldn't accept my password, then by directly using the IP addresS, the webtool wouldn't load.

Plus, the webtool does not have the ability to configure any other extra packages that are installed, such as samba, or amanda, it only allows the stopping and restarting of those services.

I'm not going to take weeks, or even months, posting this and that, editing this and that, reformatting and re-installing, changing this setting, and removing that setting, just to get a server running the way it should work, when I can just install Windows 2003 server, set disks as raid, set up the DNS, install Abyss web server, Mysql, php5, Merak email server (set to send and recieve emails on none standard, secure ports), then set the hardware firewall to drop incoming ICMP requests, and to reject all incoming on all ports except the ports I select to allow in and out, and have a fully functional website up and running within 30 minutes. and that's including the time to setup an external DNS service.

It seems one has be an einstein to use Linux. Linux has yet to enter the 20th century.

EnGarde is ok for learners, but for a real environment, it's to unstable, therefore I'll be going back to Windows, until such times as Linux is stable, and easier to use, which is about another 10 years.

I won't be posting here anymore, so when the site admin read this, please remove my account from the site, and any accounts referring to EnGarde.

Thank you.
usalabs
 
Posts: 30
Joined: Fri Oct 12, 2007 3:12 am

Re: RE: My opinion on EnGarde and SELinux

Postby Dave on Sat Oct 20, 2007 11:07 am

Hi,

usalabs wrote:And hey presto! a fully working website.


Not sure why you haven't been able to find what millions of people before you that use Linux have, but a fully working website is included with virtually every Linux base installation.

Can all that be said about EnGarde?


Sounds like you've been so accustomed to software working a specific way that it's must be the only way, and therefore the correct way.

It's unfortunate that you've rushed to such a conclusion because Linux is a wonderful platform with lots of potential.

EnGarde is very unstable, one minute it works, then without doing anything, it can change over night, EG. Yesterday it worked 100%, I went to bed, and today I wanted to do some work, and the DNS side decided to *beep*


Again you've given no possibility for an alternate solution, such as a hardware problem. Nowhere does EnGarde beep, so maybe your hardware is on the fritz and beeping?

Try again with different hardware, or spend a few minutes and try and better isolate what the problem is, and we'd be more than happy to help.

Thank you.


Thank you as well, and we hope to hear from you again.

Best,
Dave
Dave
Site Admin
 
Posts: 107
Joined: Tue Jun 13, 2006 6:06 pm

RE: My opinion on EnGarde and SELinux

Postby usalabs on Sat Oct 20, 2007 1:41 pm

I did say I wasn't doing to post anymore, but I'll make a exception this time.
Dave wrote:Not sure why you haven't been able to find what millions of people before you that use Linux have, but a fully working website is included with virtually every Linux base installation.

So you're saying, I can build a Linux box, connect it to the internal network, then open a windows network connection to that box, then drag and drop web files over to the linux box, and it'll serve up the pages with out editing this file, or setting up that file, or even using any consoles, I don't think so, as I mentioned earlier, (oh, and yes I have got EnGarde fully functional, by paying a Linux professional to set it up, and guess what, it took 3 days and $625, when a windows setup only takes under 30 minutes and free), Abyss web server's web interface, is as easy as 123, create the folder, drag and drop the files into it, open the web interface, navigate to the alias configuration, and there's only 2 text boxes to enter stuff, and that's the alias name 'starting with a /' and the full path to where the files are, restart the server and that's it, assuming a domain name has been purchased and an external DNS has been setup, 5 minutes is all it takes to serve up an html based web site, using Abyss.

Again, can that be said about EnGarde, or any other distro for that matter.?
Again you've given no possibility for an alternate solution, such as a hardware problem. Nowhere does EnGarde beep, so maybe your hardware is on the fritz and beeping?

Does that mean that Linux is *very* hardware specific?, just because the developers of a distro builds it around the hardware he/she has, means the person using that distro would have to have the same hardware?, but, as my box, only uses 1 expansion card (Realtek 10/100 ethernet card), there's no actual hardware incompatability. everything else is on-board.

Try again with different hardware, or spend a few minutes and try and better isolate what the problem is, and we'd be more than happy to help.

In other words, to use linux one has to keep spending and spending until the hardware is properly matched to the distro, which leads us back to Linux being hardware specific.
usalabs
 
Posts: 30
Joined: Fri Oct 12, 2007 3:12 am

RE: My opinion on EnGarde and SELinux

Postby scrumpy on Tue Oct 30, 2007 7:39 pm

The Abyss web server also runs on Linux and is quite easy to set up, but I do not believe for one second it will delivery the level of security anything like the security of EnGarde Linux.

-S
scrumpy
 
Posts: 108
Joined: Tue Nov 07, 2006 7:21 pm
Location: Scotland.

Re: My opinion on EnGarde and SELinux

Postby RobertK on Tue Mar 11, 2008 12:18 pm

SELinux isn't designed to be simple to use, it is designed to be secure. The fact that it takes 10 separate steps to do something with selinux that you can do with one click on a microsoft product isn't applicable. The EnGarde cup holds water without *beep* it, the other has more holes than a strainer.
RobertK
 
Posts: 5
Joined: Wed Mar 05, 2008 12:52 pm


Return to General Discussion

Who is online

Users browsing this forum: No registered users and 2 guests

cron