SELinux Hates you yeah!
Published November 3rd, 2010 by Barney Desmond
SELinux is something I haven’t seen much discussion on, so I thought it was worth a mention. For a little context, we used to use SELinux on a number of our servers for about three years, but decided last year that it was impractical to continue doing so. Okay, SELinux doesn’t really hate you, and leaving it at “impractical” is a bit disingenuous, so I’ll elaborate on our experiences and decisions.
As environments go, shared hosting is a particularly complex one. Having hundreds of users on a server with no mutual trust is a high stakes environment and is ripe for any mechanism that promises greater security. Our first experiment was to attempt to retrofit an existing server, but we couldn’t get it to play nice. Undeterred, we decided to start on a fresh system and develop things alongside it.
This worked well, by and large, and we could deal with the challenges it posed, but still found that it caused a lot of headaches for customers. SELinux works great when things are set up as it expects, but most shared hosting systems are anything but.
That’s really what this post boils down to, expectations. “Why doesn’t my webapp Just Work?”
It’s a perfectly reasonable question. SELinux works behind the scenes, so it’s not at all obvious to a customer when the mandatory access controls kick in. We can work around these problems, but it breaks expectations badly – not just in terms of function, but our customer experience.
We take pride in looking after our customers, and our frontline support staff can deal with most issues very quickly and effectively. With SELinux in the mix you need to grab the ear of a resident guru and get them to take a look. This all adds up to time that could have been spent helping more customers, for something that needn’t have been a problem in the first place. We don’t mind fixing the problem, that’s part of the tradeoff for security, but why should the customer have to waste their time when the same app would Just Work pretty much anywhere else?
We did, for a time, deploy SELinux on our dedicated servers as well, thinking it’d be manageable. It worked a lot more smoothly once you got used to it, but the conclusion was ultimately the same. Anchor supports a very wide range of customers, and no two server builds are the same. Most customers are migrating an existing setup to us, and this means they’ve got a set of expectations. We cater to this, and unfortunately SELinux doesn’t work well with those expectations.
Ultimately, we found that the tradeoff for deploying SELinux wasn’t justifiable. You have to be objective: it wasn’t helping customers and was wasting their time. Meanwhile, it doesn’t guard against the types of attacks you’re actually likely to see in the wild, which tend to exploit frontend application code. Hands up everyone who uses an open-source CMS? Yeah, I thought so. A well-oiled patching regimen is going to be far more effective. Did you get 0-day’d? Good thing you’ve got those backups, eh?
Anyone successfully deploying SELinux on complex hosting boxes? Step up and claim your cookie.
