Using SELinux on the fly?

Hi,
has anyone tried - or have any comments on - using SELinux policy controls in real-time to protect IoT devices?

For example, imagine an IoT device has the SELinux mods installed and it comes under attack. Assuming the attack could be detected, does it seem feasible to send restrictive policies to the device in real-time to thwart the attack?

Any issues, comments or observations on this idea?
Any examples where this has already been tried and succeeded or failed?

Many thanks!

Welcome!

SELinux has rules that state which processes may access which files.
It is mostly targeted at classic services.
For example, the web service. The apache process may only access files in /var/www/.
Well, it is configured to do so. But if a buggy apache plugin allows access to another path, this is not prevented by the apache process. Then SELinux will prevent the access.

On an IoT device, if running under Linux, and if SELinux rules are correctly in place for the running services (processes), then there is another hurdle for attacks over these services.
But if there is a weak password or an open file share or a buggy unprotected service then SELinux won't help.

Thanks for your response.

I'm interested in increasing restrictive policies in real-time when an attack is identified.

I don't see the point.
Why should the security ever be lowered?

If network access is to be restricted then it can make sense to turn off certain network ports. Then I suggest reconfiguring the firewall (firewalld service), not SELinux.

The idea would be the highest security which allows the device to operate, and shutting down/restricting the device in real-time if under attack to prevent further harm - e.g. DoS/mining/etc. - rather than shutting down FW ports, which may impact other unaffected devices and be tricky in real-time.
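As an added illustration of the two replies above (this is example code, not something posted in the thread): SELinux is default-deny, so "sending a more restrictive policy" at runtime really means withdrawing allow rules the device already has. The cheapest runtime lever for that is policy booleans, which can be flipped without compiling or loading a module. The script below assumes the standard SELinux userland (`getenforce`, `getsebool`, `setsebool`, `logger`) and two booleans from the reference policy (`httpd_can_network_connect`, `httpd_can_sendmail`); the sample `getsebool` output is constructed so the planning step runs offline.

```shell
#!/bin/sh
# Added example: a runtime SELinux "lockdown" step for a Linux IoT-style host.
# Tightening at runtime = switching off booleans that grant a confined service
# extra reach (network connects, mail). Assumed boolean names are from the
# SELinux reference policy; check `getsebool -a` on the target for its own set.

LOCKDOWN_BOOLS="httpd_can_network_connect httpd_can_sendmail"

# Read getsebool-style lines ("name --> on") on stdin and print the names that
# are currently on and therefore need switching off. Pure text processing, so
# the plan can be reviewed (or unit-tested) without touching a live policy.
bools_to_disable() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        ($1 in wanted) && $3 == "on" { print $1 }'
}

# Apply the lockdown on a live host: flip each still-on boolean off and log it.
# Without -P the change is runtime-only and reverts at reboot, which suits an
# incident action an operator reviews afterwards; add -P once it is approved.
apply_lockdown() {
    if ! command -v getsebool >/dev/null 2>&1 || \
       [ "$(getenforce 2>/dev/null)" != "Enforcing" ]; then
        echo "SELinux not enforcing or tools missing; nothing applied" >&2
        return 1
    fi
    getsebool $LOCKDOWN_BOOLS | bools_to_disable "$LOCKDOWN_BOOLS" |
    while read -r b; do
        setsebool "$b" off && logger -t iot-lockdown "disabled SELinux boolean $b"
    done
}

# Constructed sample of getsebool output, used to run the planner offline.
SAMPLE_STATE='httpd_can_network_connect --> on
httpd_can_sendmail --> off'

# Demo: which booleans would the lockdown change on the sample state?
# (Only httpd_can_network_connect, since the other one is already off.)
printf '%s\n' "$SAMPLE_STATE" | bools_to_disable "$LOCKDOWN_BOOLS"
```

The planner/apply split is deliberate: the detection side can call `bools_to_disable` to see what would change, and `apply_lockdown` only runs on a host that is actually enforcing, so a mis-fired trigger on a permissive or non-SELinux device does nothing. Booleans only cover what the loaded policy already parameterises; anything beyond that (restricting a service to a narrower type, for instance) still needs a module built and loaded with `semodule`, and, as the second reply notes, blocking inbound traffic remains a firewall job.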