
Ask HN: Selinux – what does it protect against? - ramtatatam
I'm a long-term user of Arch Linux, and SELinux is not something I see used by the community very often.

At the same time I'm running a number of personal VPSs facing the internet (I host an email server, web server, VPN, to name a few) and I have never had problems. To keep myself thinking I'm running those services in a secure way I run all of them in rootless containers (I use podman).

I'm wondering if SELinux is something worth looking at. Have you ever seen it preventing "an attack"? (I imagine somebody exploiting some zero-day in the wild and SELinux stopping such an individual from moving further and at the same time raising an alarm to the owner.)
======
jas-
SELinux can assist with prevention of various attack scenarios.

When policies and environments are setup correctly it can and will help
protect the system.

Scenario: the target is a DMZ, forward-facing system running an application such
as Apache.

A zero day exists in the apache service that allows code execution as the
running user; say apache for example.

If care has been taken with an SELinux policy that prevents the apache user
from executing anything but the shared libraries and binaries associated with
the Apache web service, then an attacker who gained access as the apache user
would not be able to escalate privileges or engage in further local attacks on
the system, due to the policy constraints.

Resources: The URI
https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
provides some examples for Apache; the following URI
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index
(see procedures 3.2 & 3.3) provides details on using SELinux to confine
processes and users.
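The "raising an alarm to the owner" half of the scenario above is what the audit subsystem provides: every action the policy denies is written to the audit log as an AVC record, and a confined httpd_t process trying to run a shell or read /etc/shadow shows up there whether or not the exploit itself was noticed. The following is an added example (not from this thread, not from any of the linked guides) of a small triage script over such records; the audit.log lines, the severity rules, and the set of "sensitive" target types are all constructed for illustration, and field names follow the standard AVC record layout.

```python
"""Triage SELinux AVC denial records from a Linux audit log.

Flags denials that matter for the confined-web-server scenario: a process
in the httpd_t domain being refused execute/transition permissions, access
to sensitive file types, or outbound connections. All sample log lines and
the severity rules below are constructed for illustration.
"""
import re
from collections import Counter

# Constructed audit.log excerpt (not captured from a real host). The SYSCALL
# line is included to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { execute } for  pid=4321 comm="httpd" name="sh" dev="dm-0" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read } for  pid=4321 comm="httpd" name="shadow" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=4321 comm="httpd" dest=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13 ...
type=AVC msg=audit(1700000000.104:204): avc:  denied  { getattr } for  pid=5555 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=1003 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# Standard AVC record shape: header, decision, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hypothetical triage rules: permissions that let a confined domain run new code,
# and target types a web server has no business touching.
EXEC_PERMS = {"execute", "execute_no_trans", "transition", "entrypoint"}
SENSITIVE_TYPES = {"shadow_t", "passwd_file_t", "ssh_home_t"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        # scontext/tcontext are user:role:type[:level]; the type is what policy keys on.
        "sdomain": fields.get("scontext", "::?").split(":")[2],
        "ttype": fields.get("tcontext", "::?").split(":")[2],
        "tclass": fields.get("tclass", "?"),
        "target": fields.get("path") or fields.get("name") or fields.get("dest", "?"),
        # permissive=1 means the denial was logged but not enforced.
        "enforced": fields.get("permissive") == "0",
    }


def severity(rec):
    """Rank a denial: code execution or sensitive files first, then network egress."""
    if rec["perms"] & EXEC_PERMS or rec["ttype"] in SENSITIVE_TYPES:
        return "HIGH"
    if rec["tclass"] in {"tcp_socket", "udp_socket"} and "name_connect" in rec["perms"]:
        return "MEDIUM"
    return "LOW"


def triage(log_text):
    """Parse every line, keep only denials, and attach a severity to each."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        rec["severity"] = severity(rec)
        findings.append(rec)
    return findings


def summarize(findings):
    """Count findings per severity, e.g. for a daily digest."""
    return Counter(f["severity"] for f in findings)


def format_alert(rec):
    mode = "blocked" if rec["enforced"] else "would have been blocked (permissive)"
    return (f'[{rec["severity"]}] audit serial {rec["serial"]}: {rec["comm"]} in '
            f'{rec["sdomain"]} {mode} from {" ".join(sorted(rec["perms"]))} on '
            f'{rec["tclass"]} {rec["target"]} ({rec["ttype"]})')


if __name__ == "__main__":
    findings = triage(SAMPLE_AUDIT_LOG)
    for f in findings:
        print(format_alert(f))
    print(dict(summarize(findings)))
```

On a real host the input would be /var/log/audit/audit.log (or `ausearch -m AVC` output), and the HIGH findings are the ones worth paging on: a web server domain being refused `execute` on a shell or `read` on shadow_t is exactly the "exploit landed, policy held" signal the scenario above describes. The `enforced` flag matters too: a denial logged with permissive=1 means the domain is in permissive mode and nothing was actually stopped.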

~~~
ramtatatam
I get the concept and I totally agree how useful it sounds, but have you ever
seen this in action? This is what I would like to hear :)

~~~
jas-
While I used Apache as an example here I have configured a policy to protect a
php application with known vulnerabilities which was prevented.

If you wish you could go install a docker image for a honeypot and then build
policies with selinux to confirm yourself.

