

Android 4.2 to include SE Linux and other security features - mtgx
http://www.androidpolice.com/2012/10/17/exclusive-android-4-2-alpha-teardown-part-2-selinux-vpn-lockdown-and-premium-sms-confirmation/

======
16s
Russell Coker has had a SELinux enabled box online for many years now where he
allows people to log on as root. <http://www.coker.com.au/selinux/>

~~~
derleth
It is somehow immensely amusing to me to see 'permission denied' errors when
I'm quite clearly logged on as root.

Try to get any information at all about /home/bofh while you're logged in.

~~~
16s
Yes, most people have no idea of the things that are possible with SELinux.
It's really amazing.

------
elehack
I simultaneously welcome and fear this development.

It's a great move for security, as a well-configured SELinux deploy can
provide much finer-grained access control than standard Unix permissions
(although, given that Android uses the Unix user & permission model a bit
abnormally, I don't know if it will bring benefit over that or not).

OTOH, for locked devices, it gives vendors more tools to prevent rooting.

~~~
jbrechtel
What's abnormal about the way Android uses the Unix user and permissions
model?

~~~
jlgreco
Don't they make each application you use run with its own user?

~~~
manmal
Yes. I guess that's what the grandparent means. I don't find it abnormal, it's
a very good practice - create user accounts for public-facing processes and
give them as minimal rights as possible. Still, the possibility to somehow
break out and gain root exists.

~~~
jlgreco
It is unusual in that usually applications meant to be consumed locally by the
owner of the device are not considered "public-facing". It is something
usually done with servers or daemons, not web browsers and text editors.

------
mhurron
Can I disable it? It seems like in most deployments that is exactly what
happens to SELinux.

~~~
deno
I’m using Fedora in enforcing mode, and so are probably most Fedora users.
SELinux is usually completely transparent on desktop[1]. Of course it can
sometimes cause some issues you might be unprepared for.

The most recent one I can remember was configuring Postfix to perform local
delivery to ~/.local-mail/inbox. I had to manually change security context for
that directory. Or linking /var/www/foo to ~/foo is an example of something
that you might expect to work, but would be blocked by SELinux.

But those are not the kind of things you would do on Android anyway. They use
SELinux to strengthen the security framework they already have in place.
SELinux is just the last line of defence for implementation bugs and things
they might have missed. It would be completely unintrusive.

The NSA presentation is worth watching, they go through various Android
exploits that could have been prevented by the policy they developed, without
actually targeting those specific exploits.

<https://www.nsa.gov/research/selinux/>

[1] It’s also because it unfortunately isn’t actually used by most desktop
applications, with some exceptions, like Chromium.

~~~
jnazario
I am embarrassed to say this but rather than configure SELinux to do those
little things - like local mail delivery or open a new socket for httpd - I
tend to just disable it. I'll chalk it up to a usability problem on their part
and not laziness to learn it on mine.

I'm familiar with it, I've written some policies in it, I remember when it was
introduced. That said ... I don't use it.

~~~
frost_knight
Instead of disabling it, consider putting it into permissive mode. It logs
violations but doesn't enforce any rules. It's a good way to get a feel for
what it's doing. You can tweak the rules, view the logs, tweak some more, and
work up to a tight policy before enabling.

Also, if you disable it, re-enabling requires that you relabel all of your
files and reboot the system; the relabel process can take an impressive amount
of time.

Switching between enforcing and permissive can be done on the fly with the
setenforce command, no reboot required.

I do think that laziness is a virtue in a sysadmin when properly applied, but
using selinux is in your best interest.
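
An added example, not from the thread, of the workflow frost_knight describes: drop to permissive with setenforce, let the audit log collect what enforcing would have blocked, summarize those denials, and only then build or tighten policy before going back to enforcing. It assumes a Fedora/RHEL-style box with auditd, policycoreutils and audit2allow; the AVC lines in SAMPLE_AVC are constructed for the demo, not real captured denials.

```shell
#!/bin/sh
# Added example (not from the thread): permissive -> observe -> tighten -> enforce.
# Assumes auditd, setenforce/getenforce, ausearch, audit2allow and semodule.

# Current mode: "Enforcing", "Permissive" or "Disabled".
current_mode() { getenforce; }

# Switch on the fly, no reboot. 0 = permissive (log only), 1 = enforcing.
# This does not survive a reboot; the persistent setting is SELINUX= in
# /etc/selinux/config. Permissive keeps labels intact, so unlike "disabled"
# it never forces a full relabel when you go back to enforcing.
go_permissive() { sudo setenforce 0 && getenforce; }
go_enforcing()  { sudo setenforce 1 && getenforce; }

# Constructed sample of what `ausearch -m AVC -r` prints (not real captures):
# two writes by Postfix's local delivery agent to a home-labelled mailbox, and
# one read by httpd of a home-labelled file.
SAMPLE_AVC='type=AVC msg=audit(1350000000.123:45): avc:  denied  { write } for  pid=1234 comm="local" name="inbox" dev="dm-0" ino=9 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350000000.456:46): avc:  denied  { write } for  pid=1234 comm="local" name="inbox" dev="dm-0" ino=9 scontext=system_u:system_r:postfix_local_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1350000001.789:47): avc:  denied  { read } for  pid=2222 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Summarize AVC records from stdin: one line per distinct
# (source type -> target type (class:perms)), most frequent first.
# This is the view you want before reaching for audit2allow: a target type
# of user_home_t under a daemon usually means a mislabeled file, and the
# right fix is a label or boolean, not a new allow rule.
summarize_avc() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; scontext = ""; tcontext = ""; tclass = ""
        # denied permissions sit between the braces: "denied  { read write }"
        if (match($0, /[{][^}]*[}]/))
            perm = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], c, ":"); scontext = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); tcontext = c[3] }
            if (kv[1] == "tclass")   tclass = kv[2]
        }
        gsub(/^ +| +$/, "", perm)
        key = scontext " -> " tcontext " (" tclass ":" perm ")"
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The full loop. Run the real workload between go_permissive and the summary.
# audit2allow grants exactly what was denied, including access to a wrong
# label, so read the summary first and fix labels/booleans where that is the
# cause; only turn the remainder into a local module.
tighten_loop() {
    module=${1:-local_fixes}
    go_permissive
    # ... exercise the application here ...
    sudo ausearch -m AVC -ts recent | summarize_avc
    sudo ausearch -m AVC -ts recent | audit2allow -M "$module"
    sudo semodule -i "$module.pp"
    go_enforcing
}

# Re-enabling after SELINUX=disabled is the slow path frost_knight mentions:
#   sudo touch /.autorelabel && sudo reboot
# Permissive never needs it.

# Demo on the constructed sample; runs on any box, no SELinux required.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Only `summarize_avc` runs without SELinux; the other functions need root and a policy-enabled kernel. The summary for the constructed sample is two lines, `postfix_local_t -> user_home_t (file:write)` twice and `httpd_t -> user_home_t (file:read)` once, and both point at a label problem rather than a missing rule.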

