On 12/09/2014 09:27 AM, Robert Marcano wrote:
What I see frequently are applications that are installed from outside
the Fedora repositories, that can be forced to behave like Fedora
packaging rules, with secure defaults before sharing, being installed
and the user that doesn't know much about firewall settings but understands
that the firewall is active, then thinks: I feel "secure" because I know
the firewall is blocking external requests.
That should be "that can't be forced", not "can".
...
This is no open port, but shows that packages can have bugs and
something that is closed by default today, can in the future be pulled
as an update and start sharing things. Those are bugs, true, but the
idea of opening the firewall entirely defeats the measure of defense
already in place. To me it sounds like disabling SELinux on workstation
because people find it difficult and decide to disable it instead.
And before someone says that SELinux is a server thing that should not
bother users: never used the NetworkManager openvpn plugin, which requires
certificates to have the corresponding SELinux label inside ~/.cert, and
then when you move your backed-up certificates, they will not be read
because move doesn't change labels? I can make the same assumption that
SELinux is difficult and the user always prefers to disable it.