Is SELinux justified, for single purpose server?
by Gremlin2 from LinuxQuestions.org
Hello all,
I have a Debian Linux host, used solely for one purpose only - as a gateway for small office LAN, for VPN to the headquarters. I have everything removed from this box, no other servers / daemons present, except for libreswan VPN. All is statically configured and the whole purpose for this box, is route everything through libreswan VTI (a type of network interface, created by VPN) to the HQ.
What I'm really trying to grasp here is whether SELinux might be necessary for hardening such a setup.
Please, let me explain: To my understanding, the main idea underlying SELinux deployment is a much more granular policy restricting access between processes than regular Linux DAC. Say, for example, we have a WEB server and an FTP server installed on a box. We can restrict access for those servers much more than by assigning them to different groups/users, and to much more than the file tree. But what about a very simple scenario, when a single server is installed on a box, running in a single instance, with a simple static configuration? Sure, I can protect system config files, bash scripts etc. from being invoked if somehow the libreswan process becomes rogue (say, due to an RCE bug exploitation or some other malicious activity) - on a complex system, such as modern Linux, we can always find something to protect. But is it really worth the hassle? Especially compared to path-based LSMs, such as AppArmor? Or am I missing something, and securing even such a simple scenario with SELinux is really an advantage from a security point of view?
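
To make the AppArmor half of the comparison concrete, here is an added illustration (not from the post, and not a profile shipped by the libreswan project) of what path-based confinement of the VPN daemon looks like. The binary, configuration and helper-script paths are assumptions for a Debian install and must be checked against `dpkg -L libreswan`; the profile starts in complain mode so that anything it misses is logged rather than blocked.

```apparmor
# Added example: skeleton AppArmor profile for libreswan's pluto daemon.
# All paths below are ASSUMPTIONS for Debian; verify them before use.
# Workflow: load in complain mode, run the tunnel for a while, review the
# ALLOWED lines in the audit log (aa-logprof helps), then change
# flags=(complain) to enforce mode once nothing legitimate is missing.
#include <tunables/global>

/usr/libexec/ipsec/pluto flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # IKE/IPsec needs to manage interfaces, routes and raw/netlink sockets
  capability net_admin,
  capability net_raw,
  capability net_bind_service,
  capability ipc_lock,

  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  # the static configuration is read-only to the daemon
  /etc/ipsec.conf r,
  /etc/ipsec.secrets r,
  /etc/ipsec.d/** r,

  # runtime state only (assumed locations)
  /run/pluto/** rwk,
  /var/log/pluto.log w,

  # pluto calls an updown helper (assumed path) to create the VTI and
  # routes; a blanket "no scripts" deny would break exactly this setup,
  # so the helper and its tooling are allowed explicitly instead
  /usr/libexec/ipsec/_updown ix,
  /usr/libexec/ipsec/_updown.* ix,
  /bin/sh ix,
  /bin/ip ix,
  /usr/sbin/iptables ix,

  # what the post wants to rule out: editing system config or running
  # anything else if the daemon is compromised
  deny /etc/** w,
  deny /usr/bin/** x,
  deny /root/** rw,
}
```

The equivalent SELinux policy would express the same boundary in terms of labels (the daemon's domain versus file types) rather than paths, which is what makes it survive file renames and bind mounts but also what makes it more work to write and maintain for a box with a single, static daemon.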