Greetings ,
Well i want to ask what problem Selinux has if i want to run for example Acrobat Reader or not . Even the last user of a system is entitled to run a program if he wishes to , not to mention the fact that I am the root of the system ? Why can´t it just back off and let me do what i want to do ?
On 01/17/2011 07:11 PM, Kostas Sfakiotakis wrote:
Well i want to ask what problem Selinux has if i want to run for example Acrobat Reader or not .
I run Adobe Reader without any problems (and I'm running with SELinux enabled).
Why can´t it just back off and let me do what i want to do ?
Could you please elaborate? What error messages are you getting? How do you know it's a SELinux related problem? What is the SELinux message?
-- Jorge
On 18/01/2011 01:15 πμ, Jorge Fábregas wrote:
< snip >
Could you please elaborate? What error messages are you getting? How do you know it's a SELinux related problem? What is the SELinux message?
Well it´s certainly SELinux Related .
As soon as i try to launch acrobat reader 9 then i get a SELinux Alert Browser message which says
SELinux has detected a problem
The source process : acroread Attempted this access : execstack On this proccess :
Troubleshoot Notify Admin
Since i was running the proccess as root , am curious who is meant by Admin ????????? am i just supposed to notify myself that SELinux denied my access to a program ? For some odd reason i think i already have established that since I AM the Admin .
On 01/17/2011 09:29 PM, Kostas Sfakiotakis wrote:
The source process : acroread Attempted this access : execstack On this proccess :
Ok, there has been a lot of these lately (execstack). I had those with AviDemux and solved it by removing execstack from the particular library causing it.
Check out this recent blog post from Dan Walsh (SELinux team):
http://danwalsh.livejournal.com/38736.html
Let us know if you have any question after reading that.
Jorge Fábregas jorge.fabregas@gmail.com wrote:
Ok, there has been a lot of these lately (execstack). I had those with AviDemux and solved it by removing execstack from the particular library causing it.
I had "execstack" messages with a self-compiled Exim and OpenSSH. Couldn't find any libraries with the execstack flag set (it's been years ago that I had to set execstack... on MPlayer if I remember correctly). Since I couldn't easily find out what's causing this SELinux error (which includes launching setroubleshootd and eating a significant amount of system resources) I helped myself with some googled calls to "chcon" on the binaries. Creating a custom policy helped as well (as suggested by sealert), but installing a custom policy with "semodule -i" takes a lot of time, and to be honest, I don't fully understand every policy generated by "audit2allow" (some are small and easy to understand but some could get quite large). I don't like to trust security that I don't understand.
Although I wouldn't say that the number of SELinux errors is high, I still found myself running my systems in "permissive mode" most of the time.
Because SELinux in permissive mode gives no security, I finally disabled it completely. Some applications are a lot faster now, for example SSH which no longer has to check/switch SELinux context.
SELinux gives extremely fine-grained control. Nice thing if there's somebody who keeps the SELinux policies up to date for you like the Fedora team does for their repositories. There's an update every couple of days so they obviously put a lot of work into it.
But SELinux is like hell on earth if you install something that is not covered by the standard policy. If you're not an SELinux expert yourself and don't want to spend most of your time searching the web to fix SELinux issues, you may end up defining aliases for "setenforce 0" and "setenforce 1" because you need it so often. That's not good. ;-)
I always try to make my systems secure in the first place (as if there was no SELinux at all). Hopefully, people don't get too used to SELinux and design their software without security in mind because they fully rely on SELinux to keep bad things from happening.
This is not a rant against SELinux. I'm sure it's very cool if you really understand how everything works and if you can write your own policies without the help of Google. I tried - but failed.
Maybe it helps to make SELinux more manageable for non-experts. setroubleshootd/sealert is so slow, it's not very useful. Some of its messages are good to understand but most are not (basically just saying you have to run audit2allow/semodule and install exceptions for everything).
I wish I was better in managing SELinux. Well, maybe one day ...
Greetings, Andreas
On 18/01/2011 03:40 πμ, Jorge Fábregas wrote:
On 01/17/2011 09:29 PM, Kostas Sfakiotakis wrote:
The source process : acroread Attempted this access : execstack On this proccess :
Ok, there has been a lot of these lately (execstack). I had those with AviDemux and solved it by removing execstack from the particular library causing it.
Check out this recent blog post from Dan Walsh (SELinux team):
http://danwalsh.livejournal.com/38736.html
Let us know if you have any question after reading that.
Well i read the blog post , but the thing is that i don´t get any libraries as result from the
find /lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X
command , so am not sure what i am supposed to do after that .
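An added example, not part of any message in this thread: the `find` search above only covers /lib64, while the executable-stack marking can also sit on the program's own binary or on libraries it ships elsewhere. This sketch reads the GNU_STACK program header from `readelf -lW` output instead; the function names and the two sample header dumps are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide from `readelf -lW` output whether an ELF object asks
# for an executable stack (the condition SELinux reports as "execstack").

# Constructed sample: program headers of an object marked with an executable stack.
SAMPLE_EXECSTACK='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0007a4 0x0007a4 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'

# Constructed sample: the same object after the marking has been cleared.
SAMPLE_CLEAN='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0007a4 0x0007a4 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'

# stack_flags: read `readelf -lW` output on stdin and print the GNU_STACK
# flags with blanks removed ("RW", "RWE", ...), or "none" if the header is absent.
stack_flags() {
    awk '
        $1 == "GNU_STACK" {
            flags = ""
            # Columns: Type Offset VirtAddr PhysAddr FileSiz MemSiz <Flg...> Align
            # The flags may contain blanks ("R E"), so join fields 7..NF-1.
            for (i = 7; i < NF; i++) flags = flags $i
            print flags
            found = 1
            exit
        }
        END { if (!found) print "none" }
    '
}

# classify_stack FLAGS: map the flags to a verdict.
#   execstack  - stack requested executable (what `execstack -q` prints as X)
#   ok         - stack not executable       (what `execstack -q` prints as -)
#   no-marking - no GNU_STACK header        (what `execstack -q` prints as ?)
classify_stack() {
    case "$1" in
        none) echo "no-marking" ;;
        *E*)  echo "execstack" ;;
        *)    echo "ok" ;;
    esac
}

# verdict_for TEXT: classify a captured `readelf -lW` dump held in a variable.
verdict_for() {
    classify_stack "$(printf '%s\n' "$1" | stack_flags)"
}

# scan_tree DIR: list every file under DIR whose stack is marked executable.
# Files readelf cannot parse produce no output and are skipped.
scan_tree() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        flags=$(readelf -lW "$f" 2>/dev/null | stack_flags)
        if [ "$(classify_stack "$flags")" = "execstack" ]; then
            printf 'X %s\n' "$f"
        fi
    done
    return 0
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
fi
```

Run it with the application's install directory as the argument to include the binary and its bundled libraries in the search.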
On 01/17/2011 09:29 PM, Kostas Sfakiotakis wrote:
The source process : acroread Attempted this access : execstack On this proccess :
I found this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=630217
It appears to have been fixed in the latest selinux-policy. Try to update your system. If that doesn't work then try this:
chcon -t execmem_exec_t '/opt/Adobe/Reader9/Reader/intellinux/bin/acroread'
-- Jorge
On 18/01/2011 03:46 πμ, Jorge Fábregas wrote:
On 01/17/2011 09:29 PM, Kostas Sfakiotakis wrote:
The source process : acroread Attempted this access : execstack On this proccess :
I found this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=630217
It appears to have been fixed in the latest selinux-policy.
selinux-policy-3.9.7-19.fc14.noarch
My current version of selinux-policy is the above . And that was the one that was active when the thing with acrobat reader appeared . Shall i proceed to solution 2 ( the chcon ..) or shall i wait for an selinux-policy update ?
Try to update your system. If that doesn't work then try this:
chcon -t execmem_exec_t '/opt/Adobe/Reader9/Reader/intellinux/bin/acroread'
-- Jorge
On 18/01/2011 03:46 πμ, Jorge Fábregas wrote:
On 01/17/2011 09:29 PM, Kostas Sfakiotakis wrote:
The source process : acroread Attempted this access : execstack On this proccess :
I found this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=630217
It appears to have been fixed in the latest selinux-policy. Try to update your system.
Apologies for the double post but there appears to be a newer selinux-policy that i have overlooked ( am running updates for 2nd time right now ) due to the fact that i have had a small accident with my Fedora installation ( accidentally while i was trying to install Windows XP on another hard disk i overwrote the grub code on mbr rendering the Fedora installation unbootable ) .
On Tue, 2011-01-18 at 01:11 +0200, Kostas Sfakiotakis wrote:
not to mention the fact that I am the root of the system ? Why can´t it just back off and let me do what i want to do ?
And where would it stop? (At SELinux backing off instead of blocking.) Its job is to stop bad things from happening, not to stand idly by and let them.
SELinux is another of the protective measures on your system, if you're just going to override it, there's not much point having it there, at all.
Being root doesn't mean that you should just be allowed to do anything, it's not as simple as that. You'd leave yourself open to all sorts of "shooting yourself in the foot" problems.
Made all the more worse when users start running things as root that they don't really need to. Running Acrobat reader as root? Not a good idea.
The whole idea of running as root, in general, is bad. The concept of trying to force something that's currently not working, by switching to the root user to try and run it, isn't much better.
<Insert old proverb of using a hammer to fix everything>
On 1/17/11 9:22 PM, Tim wrote:
On Tue, 2011-01-18 at 01:11 +0200, Kostas Sfakiotakis wrote:
not to mention the fact that I am the root of the system ? Why can´t it just back off and let me do what i want to do ?
And where would it stop? (At SELinux backing off instead of blocking.) Its job is to stop bad things from happening, not to stand idly by and let them.
SELinux is another of the protective measures on your system, if you're just going to override it, there's not much point having it there, at all.
Being root doesn't mean that you should just be allowed to do anything, it's not as simple as that. You'd leave yourself open to all sorts of "shooting yourself in the foot" problems.
Made all the more worse when users start running things as root that they don't really need to. Running Acrobat reader as root? Not a good idea.
Actually, most programs now check if you are root and refuse to run. I know of at least one.
Can the OP retry as a non-privileged user to see if this happens?
James McKenzie
On 18/01/2011 05:30 μμ, James McKenzie wrote:
On 1/17/11 9:22 PM, Tim wrote:
< snip >
Actually, most programs now check if you are root and refuse to run. I know of at least one.
Can the OP retry as a non-privileged user to see if this happens?
Well since i think am the OP ( as of Original Poster ) the answer is that nope i can´t . The normal user is even unable to launch the X Windows since SELinux blocks xauth from writing to his home directory
/usr/bin/xauth ( as source process ) Attempted this access : write On this directory : kostas ( actually is /home/kostas , the home directory of the user )
James McKenzie
On Thu, 2011-01-20 at 02:00 +0200, Kostas Sfakiotakis wrote:
The normal user is even unable to launch the X Windows since SELinux blocks xauth from writing to his home directory
/usr/bin/xauth ( as source process ) Attempted this access : write On this directory : kostas ( actually is /home/kostas , the home directory of the user )
Which suggests some checking of the normal permissions on that directory, and its parent. Likewise, some checking for SELinux contexts. You can do that with the "ls -Z" command.
ls -Zd /home ought to be:
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
ls -Zd /home/kostas ought to be:
drwx------ kostas kostas system_u:object_r:user_home_dir_t:s0 /home/kostas
And the contents inside your space (ls -Z /home/kostas), ought to be:
-rw------- kostas kostas unconfined_u:object_r:user_home_t:s0
NB: You can have additional permissions (it might be executable, as well, or also readable by group or other users), but those would be the minimum.
If you find that you're having a plethora of SELinux problems, it might be a good idea to let the system relabel the whole drive with the default contexts. If you've ever run the system with SELinux disabled, then that's one potential cause for the contexts to be mis-set (any file written during that time, wouldn't have them).
If there's one thing that I really hate about SELinux, it's the hideous names that they gave to the contexts. They're not intuitive, nor convenient for typing by hand.
On 20/01/2011 02:39 πμ, Tim wrote:
Which suggests some checking of the normal permissions on that directory, and its parent. Likewise, some checking for SELinux contexts. You can do that with the "ls -Z" command.
ls -Zd /home ought to be:
drwxr-xr-x root root system_u:object_r:home_root_t:s0 /home
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home
Ok , with the home directory i don´t think that we have a problem since the 2nd line represent what i got from ls -Zd /home
ls -Zd /home/kostas ought to be:
drwx------ kostas kostas system_u:object_r:user_home_dir_t:s0 /home/kostas
drwx------. kostas kostas unconfined_u:object_r:home_root_t:s0 /home/kostas
Again here the 2nd line represents my results ( from ls -Zd /home/kostas ) ( am running the command as root )
It seems that am getting different results than the ones that u suggest
And the contents inside your space (ls -Z /home/kostas), ought to be:
-rw------- kostas kostas unconfined_u:object_r:user_home_t:s0
NB: You can have additional permissions (it might be executable, as well, or also readable by group or other users), but those would be the minimum.
If you find that you're having a plethora of SELinux problems, it might be a good idea to let the system relabel the whole drive with the default contexts. If you've ever run the system with SELinux disabled, then that's one potential cause for the contexts to be mis-set (any file written during that time, wouldn't have them).
If there's one thing that I really hate about SELinux, it's the hideous names that they gave to the contexts. They're not intuitive, nor convenient for typing by hand.
Well i had to rescue my system and SELinux did some relabeling . In any case since the original problem was about Acrobat Reader , just let me say that the problem was fixed when the selinux-policy package was updated as it was suggested .
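An added example, not part of any message in this thread: the label comparison carried out by hand in the exchange above, done by a script over `ls -Zd` lines. The two sample lines are the results quoted in the thread; the function names, the third sample file and the rule that everything inside a home directory is `user_home_t` are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: compare the SELinux type shown by `ls -Zd` with the type
# the thread says the path ought to carry.

# Results quoted in the thread for the two directories.
LINE_HOME='drwxr-xr-x. root root system_u:object_r:home_root_t:s0 /home'
LINE_USER='drwx------. kostas kostas unconfined_u:object_r:home_root_t:s0 /home/kostas'

# context_type: read one `ls -Zd` line on stdin and print the type, i.e. the
# third colon-separated part of the first user:role:type[:level] token.
context_type() {
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, part, ":")
            if (n >= 3 && part[3] ~ /_t$/) { print part[3]; exit }
        }
        print "unlabeled"
    }'
}

# expected_type PATH: the types given in the thread. Treating every entry
# inside a home directory as user_home_t is a simplification; real policy
# assigns more specific types to some files.
expected_type() {
    case "$1" in
        /home)     echo home_root_t ;;
        /home/*/*) echo user_home_t ;;
        /home/*)   echo user_home_dir_t ;;
        *)         echo unknown ;;
    esac
}

# check_line LINE: print "OK <path> <type>" or
# "MISMATCH <path> have=<type> want=<type>" for one `ls -Zd` line.
# Assumes the path is the last field and contains no blanks.
check_line() {
    line=$1
    target=${line##* }
    have=$(printf '%s\n' "$line" | context_type)
    want=$(expected_type "$target")
    if [ "$have" = "$want" ]; then
        printf 'OK %s %s\n' "$target" "$have"
    else
        printf 'MISMATCH %s have=%s want=%s\n' "$target" "$have" "$want"
    fi
}

# Report on the two lines from the thread.
for l in "$LINE_HOME" "$LINE_USER"; do
    check_line "$l"
done
```

On a live system `matchpathcon -V PATH` makes the same comparison against the defaults in the loaded policy rather than a hard-coded table.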
On 18/01/2011 06:22 πμ, Tim wrote:
< snip >
SELinux is another of the protective measures on your system,
A small comment here , actually SELinux is an NSA invention which is supposed to provide extra security to your system by controlling everything and everyone .
Being root doesn't mean that you should just be allowed to do anything,
Since i started this thread , let me clarify something . All i was trying to do was to open a pdf file simple as that and i do believe that on my computer am pretty much entitled to do so .
Made all the more worse when users start running things as root that they don't really need to. Running Acrobat reader as root? Not a good idea.
Well i was logged in as root at the moment . What am i supposed to do ?? Logout and login back again just to run Acrobat Reader ????? I do believe that would be an overkill .
The whole idea of running as root, in general, is bad.
No argument to that . It´s certainly more risky than login in as a normal user . Well i have been doing that for quite some time and until now it has been quite safe . Even in the worst case scenario that everything goes bad , all i would have to do is make a clean installation . There is no big deal to that , since my data are stored away from the system partitions .
The concept of trying to force something that's currently not working, by switching to the root user to try and run it, isn't much better.
Well i wasn´t trying to force anything by switching to the root user . I wasn´t trying to force anything at all . I was just trying to open a manual ( a pdf file ) .
On Thu, 2011-01-20 at 01:51 +0200, Kostas Sfakiotakis wrote:
Well i was logged in as root at the moment . What am i supposed to do ?? Logout and login back again just to run Acrobat Reader ????? I do believe that would be an overkill .
It's been years since I've logged in as root, since I haven't had to do that. When I did do it, to fix up some problem that I'd created, it was a simple matter to "su - tim" to get a terminal in my user account, to (more safely) do something while I was in the middle of repairing the problem I caused in the first place.
For what it's worth, I'd somehow upset the permissions of /tmp, and that prevented logging in as a normal user (it'd immediately log out, straight after attempting to log in). Not that I needed to graphically log in as root to fix that, but I did need to get to a web browser to research the cause, first. And I hate using Lynx, seeing as someone will suggest it.
On 20/01/2011 02:27 πμ, Tim wrote:
It's been years since I've logged in as root, since I haven't had to do that.
Well i do usually login as root , i have been doing so for the last few years , ok i know it´s not the best thing to do but let´s say it´s just a bad habit.
When I did do it, to fix up some problem that I'd created,
it was a simple matter to "su - tim" to get a terminal in my user account, to (more safely) do something while I was in the middle of repairing the problem I caused in the first place.
For what it's worth, I'd somehow upset the permissions of /tmp, and that prevented logging in as a normal user (it'd immediately log out, straight after attempting to log in). Not that I needed to graphically log in as root to fix that, but I did need to get to a web browser to research the cause, first. And I hate using Lynx, seeing as someone will suggest it.
Lynx ??????? . It has been sometime since i have heard about it . Yes i do recall viewing a web page with it in the days that i was using minicom to fire up my dial up connection about 5 years ago . Well i guess i would have to second u on that , since using lynx isn´t the easiest thing to do .
On Thu, 2011-01-20 at 02:49 +0200, Kostas Sfakiotakis wrote:
Well i do usually login as root , i have been doing so for the last few years , ok i know it´s not the best thing to do but let´s say it´s just a bad habit.
Best advice: Stop it, get out of the habit. I can't really think of any occasion where it's truly needed. Yes, I gave an example where I did it, but it wasn't really needed, just laziness. Seriously, you cause yourself all sorts of problems.
I don't log in as root, and I don't spend all my time fixing up silly problems with Linux. There's a clue in there.
Tim wrote:
Best advice: Stop it, get out of the habit. I can't really think of any occasion where it's truly needed. Yes, I gave an example where I
Not exactly a login, but sometimes necessary. Booting in single user mode. It's effectively logged in as root, and sometimes necessary for some system maintenance.
Mike
On Thu, 2011-01-20 at 04:11 -0600, Mike McCarty wrote:
Not exactly a login, but sometimes necessary. Booting in single user mode. It's effectively logged in as root, and sometimes necessary for some system maintenance.
Well, it is a login... I should have been more explicit and talked about not doing graphical logins as root. But you can still cause the same problems when logged in as root in a command line interface.
Tim wrote:
On Thu, 2011-01-20 at 04:11 -0600, Mike McCarty wrote:
Not exactly a login, but sometimes necessary. Booting in single user mode. It's effectively logged in as root, and sometimes necessary for some system maintenance.
Well, it is a login... I should have been more explicit and talked about not doing graphical logins as root. But you can still cause the same problems when logged in as root in a command line interface.
It doesn't run the "login" program, so it's not a login in that sense. It has the same effect, and one can grandly screw things up as root.
I rarely log in as root, perhaps a few times a year for some maintenance. Normally, I use "su -". Occasionally I use "sudo". Neither of those do I more than a few times a week.
The less privilege I have, the better I like it.
I don't much use GUI, I use command line in an xterm window.
Mike
On Thu, Jan 20, 2011 at 01:51:03 +0200, Kostas Sfakiotakis kostassf@cha.forthnet.gr wrote:
A small comment here , actually SELinux is an NSA invention which is supposed to provide extra security to your system by controlling everything and everyone .
selinux is a mandatory access control system. This is needed to prevent hostile code from doing things on your behalf that it shouldn't.
If you really don't want that protection run selinux in permissive mode.
Since i started this thread , let me clarify something . All i was trying to do was to open a pdf file simple as that and i do believe that on my computer am pretty much entitled to do so .
selinux access takes precedence over root access. Though as delivered, root can set selinux to permissive mode to get around that. If you really want protection when running as root, you'd at least need to turn that setting off. (Then you'd need to reboot to change the setting.) You also need to have root logins use a more restrictive role when logging in. Otherwise there a lot of ways to subvert the system.
Well i was logged in as root at the moment . What am i supposed to do ?? Logout and login back again just to run Acrobat Reader ????? I do believe that would be an overkill .
Personally, I'd recommend not using acrobat reader. PDFs are more like executable programs than documents. So besides having to worry about bugs in acrobat reader (of which there have been plenty with security implications), you have to worry about valid PDFs doing things to your system or with your pre-existing data that you don't want.
On 20/01/2011 03:58 πμ, Bruno Wolff III wrote:
On Thu, Jan 20, 2011 at 01:51:03 +0200, Kostas Sfakiotakis kostassf@cha.forthnet.gr wrote:
< snip >
Personally, I'd recommend not using acrobat reader. PDFs are more like executable programs than documents. So besides having to worry about bugs in acrobat reader (of which there have been plenty with security implications), you have to worry about valid PDFs doing things to your system or with your pre-existing data that you don't want.
Well the thing is that i wanted to read a manual in pdf format . You see there are a lot of them hanging around . So what do i do ? Convert the pdf to a more safe format ( by the way since u mention it , which is a safer format ? ) or just use another program to open the pdf file ?
Personally, I'd recommend not using acrobat reader. PDFs are more like executable programs than documents. So besides having to worry about bugs in acrobat reader (of which there have been plenty with security implications), you have to worry about valid PDFs doing things to your system or with your pre-existing data that you don't want.
Well the thing is that i wanted to read a manual in pdf format . You see there are a lot of them hanging around . So what do i do ? Convert the pdf to a more safe format ( by the way since u mention it , which is a safer format ? ) or just use another program to open the pdf file?
Use an open source PDF reader, most of which always run with the document untrusted in safe mode and don't implement some of the more fun stuff in a PDF.
But yes its always useful to remember that many kinds of document can do strange things to themselves if nothing else - contracts that change wording according to the date for example yet are the same digitally signed document.
Alan
On 20/01/2011 06:30 μμ, Alan Cox wrote:
< snip >
Use an open source PDF reader, most of which always run with the document untrusted in safe mode and don't implement some of the more fun stuff in a PDF.
Agreed . Well Adobe Reader was the one i got . If u know another one i would be happy to give it a shot . Am not addicted to Adobe Reader or anything . So i would be grateful and willing to try another program that would be safer than Acrobat Reader . Am not a security maniac but if there is something simple that i could do then i would certainly give it a try .
But yes its always useful to remember that many kinds of document can do strange things to themselves if nothing else - contracts that change wording according to the date for example yet are the same digitally signed document.
To be honest am not sure what are u talking about ? I was always under the impression that pdf is just another form of document , ok with formatting pictures embedded , or whatever else . I didn´t knew that it actually contained code that could be executed and mess things up .
Alan
Kostas Sfakiotakis wrote:
[...]
To be honest am not sure what are u talking about ? I was always under the impression that pdf is just another form of document , ok with formatting pictures embedded , or whatever else . I didn´t knew that it actually contained code that could be executed and mess things up .
Initially, that's what it was. However, it can now have embedded Java, automatically perform what might be considered "browser" activities (like searching the web, opening and pulling in referenced documents, and the like) and other activities I don't want a file viewer performing.
Mike
On Thu, 2011-01-20 at 23:10 +0200, Kostas Sfakiotakis wrote:
Well Adobe Reader was the one i got . If u know another one i would be happy to give it a shot . Am not addicted to Adobe Reader or anything . So i would be grateful and willing to try another program
I'm surprised you had to install it, or anything to read a PDF file. As far as I was aware, a PDF file reader gets installed by default. So any attempts to read a PDF file would open that, automatically. For most things, it's fine. Sometimes you'll come across some difficult PDF file that needs some other reader to handle it.
It's not hard to find PDF readers. All you have to do is a yum search using pdf as the keyword, either a command line or GUI yum tool, and it lists things related to PDF files. Some of which will be readers. All you have to do is read the descriptions, and use your judgement.
With Gnome, Evince seems to get installed by default. I suspect KDE has another default.
On Sun, Jan 23, 2011 at 4:12 AM, Tim ignored_mailbox@yahoo.com.au wrote:
I'm surprised you had to install it, or anything to read a PDF file. As far as I was aware, a PDF file reader gets installed by default. So any attempts to read a PDF file would open that, automatically. For most
evince, kpdf, xpdf, and even emacs to name a few. :)
things, it's fine. Sometimes you'll come across some difficult PDF file that needs some other reader to handle it.
Fillable forms can be very pesky.
On 23/01/2011 05:12 πμ, Tim wrote:
< snip >
I'm surprised you had to install it, or anything to read a PDF file. As far as I was aware, a PDF file reader gets installed by default. So any attempts to read a PDF file would open that, automatically. For most things, it's fine. Sometimes you'll come across some difficult PDF file that needs some other reader to handle it.
It's not hard to find PDF readers. All you have to do is a yum search using pdf as the keyword, either a command line or GUI yum tool, and it lists things related to PDF files. Some of which will be readers. All you have to do is read the descriptions, and use your judgement.
With Gnome, Evince seems to get installed by default. I suspect KDE has another default.
Usually when i make an installation i install everything , and that´s why i miss the everything button that there was once there , so i didn´t have to run through and select individual packages . You are right i didn´t had to install anything , everything was there but i didn´t knew that Evince was there and could open a pdf file so i asked .
It's not hard to find PDF readers. All you have to do is a yum search using pdf as the keyword, either a command line or GUI yum tool, and it lists things related to PDF files.
I'm not sure how new users are supposed to find evince. Yum isn't a command that newbies are likely to be familiar with. Old-timers from the BSD world might try "man -k pdf" but that doesn't find evince either. Even on fedora-14 I can't seem to find it on the pull-down menus. Looking at the likely bin directories for things with pdf in their name isn't going to be fruitful in evince's case.
The way I found it back when I started using a linux distribution (back in fc4 days) was to let firefox open up a pdf file, spawn the reader and then I opened a shell window and did a PS to see what the viewer was called. I recall having to do that a number of times because the name evince, just doesn't remind me of PDF. I can't expect a newbie to do that either.
The unhelpful program names combined with 3 or more non-overlapping documentation systems (man, info, help), don't make things any easier.
-wolfgang
On 01/26/2011 05:23 AM, Wolfgang S. Rupprecht wrote:
I'm not sure how new users are supposed to find evince.
Maybe it is the same method that many folks should use to find things. http://tinyurl.com/6ce2nvo :-) :-)
On 26 January 2011 00:07, Ed Greshko Ed.Greshko@greshko.com wrote:
On 01/26/2011 05:23 AM, Wolfgang S. Rupprecht wrote:
I'm not sure how new users are supposed to find evince.
Maybe it is the same method that many folks should use to find things. http://tinyurl.com/6ce2nvo  :-) :-)
I appreciate your point, but I feel it only fair and balanced to point out that none of the top three links on that page actually contain any information on Evince and in the 4th page it is buried somewhere about 1/3rd of the way down.
Basically, Evince need to do a bit of work on their SEO ;o)
On 01/26/2011 08:28 AM, Sam Sharpe wrote:
I appreciate your point, but I feel it only fair and balanced to point out that none of the top three links on that page actually contain any information on Evince and in the 4th page it is buried somewhere about 1/3rd of the way down.
Nothing is perfect. Besides, the search was not to find "evince" but to find a list of pdf readers available under linux. I hope most people don't only look at the first link returned by a search engine.
Basically, Evince need to do a bit of work on their SEO ;o)
Now I have to google SEO. :-)
On Wed, 26 Jan 2011 00:28:48 +0000, Sam Sharpe wrote:
On 26 January 2011 00:07, Ed Greshko Ed.Greshko@greshko.com wrote:
On 01/26/2011 05:23 AM, Wolfgang S. Rupprecht wrote:
I'm not sure how new users are supposed to find evince.
Maybe it is the same method that many folks should use to find things. http://tinyurl.com/6ce2nvo  :-) :-)
I appreciate your point, but I feel it only fair and balanced to point out that none of the top three links on that page actually contain any information on Evince and in the 4th page it is buried somewhere about 1/3rd of the way down.
Basically, Evince need to do a bit of work on their SEO ;o)
-- Sam
OK, I have no idea how it works on the Gnome package management side at this point since I'm logged in via KDE.
However, KPackageKit has this nice search feature:
1. Open up KPackageKit (which is what most people do to update software)
2. Under Get and Remove Software, select search by description
3. Type in PDF and wait
4. Click on a program name and read the description
5. Install, uninstall, etc. as is your choice
If you have a green check mark next to the program name, then it's already installed.
From the command line, it's a bit more cumbersome although it feels a bit faster.
1. As root (or su -c) do a yum search pdf
2. Scroll through the results and find one you like - evince, document viewer seems to be a good choice.
3. yum info evince gives all the information
4. Install, uninstall, etc. as is your choice
Both seem pretty reasonable to me. Since I'm a command line type of person, I prefer the second option coupled with writing to a text file and vim, or piping through grep.
. . . . just my two cents.
/mde/
I'm not sure how new users are supposed to find evince.
The command line is my choice as well. I have a tiny shell script that gets run after each update that creates text files of whats installed and available:
$ cat upd.sh
yum list installed 2>&1>yum.installed
yum list available 2>&1>yum.available
then its just a matter of grep some_program_or_other yum.*
to check to see what version of something is installed, whether its installed, or if its available via yum
Mike
On Tue, 25 Jan 2011 21:06:14 -0500 Mike Williams wrote:
then its just a matter of grep some_program_or_other yum.*
I tend to do a grep -r in /usr/share/applications where all the .desktop files defining menu items live, then look for the Exec= line in the .desktop file that appears to have the best match for my search.
On 01/25/2011 07:07 PM, Ed Greshko wrote:
On 01/26/2011 05:23 AM, Wolfgang S. Rupprecht wrote:
I'm not sure how new users are supposed to find evince.
Maybe it is the same method that many folks should use to find things. http://tinyurl.com/6ce2nvo :-) :-)
;-) Now that was "Expletive deleted" slick!
Mark LaPierre
On Wed, 2011-01-26 at 08:07 +0800, Ed Greshko wrote:
On 01/26/2011 05:23 AM, Wolfgang S. Rupprecht wrote:
I'm not sure how new users are supposed to find evince.
Maybe it is the same method that many folks should use to find things. http://tinyurl.com/6ce2nvo :-) :-)
I am not sure what you mean by the question. Which evince finds it in one sense. locate evince finds it in another sense. yum install evince finds it in a third sense. man -k document will find it in a fourth sense.
Clarify your question.
Aaron Konstam akonstam@sbcglobal.net writes:
On Wed, 2011-01-26 at 08:07 +0800, Ed Greshko wrote:
On 01/26/2011 05:23 AM, Wolfgang S. Rupprecht wrote:
I'm not sure how new users are supposed to find evince.
Maybe it is the same method that many folks should use to find things. http://tinyurl.com/6ce2nvo :-) :-)
I am not sure what you mean by the question. Which evince finds it in one sense. locate evince finds it in another sense. yum install evince finds it in a third sense. man -k document will find it in a fourth sense.
Clarify your question.
I meant, if new users are looking for a pdf viewer, how are they supposed to know that evince is the default pdf viewer that is included in the default installs?
The fact is that not only is the evince name non-descriptive, but the man -k short description likewise has no mention of "pdf" so it won't be found as a pdf viewer either.
-wolfgang
On Wednesday, January 26, 2011 03:46:54 pm Wolfgang S. Rupprecht wrote:
The fact is that not only is the evince name non-descriptive, but the man -k short description likewise has no mention of "pdf" so it won't be found as a pdf viewer either.
And that is a fault of upstream GNOME, not Fedora. The man page for evince should include meaningful (to apropos) keywords; fact of the matter is that the string 'PDF' does occur in the DESCRIPTION section of the man page, so why is apropos not seeing that?
Using man -K PDF finds evince (among many others), but that's not just a quick list.
But, as this is upstream GNOME doing this, you really should take it to upstream GNOME for change, which will then help out all GNOME using distributions, including Ubuntu, et al.
Debian and Ubuntu also have the GNOME Document Reader named 'evince'. So this is not Fedora-unique, nor did it originate with Fedora. Do man -k PDF on a Ubuntu box and see what comes up. (I just did this; evince does not come up in a man -k pdf or a man -k PDF).
On Tuesday 25 January 2011 21:23:24 Wolfgang S. Rupprecht wrote:
It's not hard to find PDF readers. All you have to do is a yum search using pdf as the keyword, either a command line or GUI yum tool, and it lists things related to PDF files.
I'm not sure how new users are supposed to find evince. Yum isn't a command that newbies are likely to be familiar with. Old-timers from the BSD world might try "man -k pdf" but that doesn't find evince either. Even on fedora-14 I can't seem to find it on the pull-down menus. Looking at the likely bin directories for things with pdf in their name isn't going to be fruitful in evince's case.
The way I found it back when I started using a linux distribution (back in fc4 days) was to let firefox open up a pdf file, spawn the reader and then I opened a shell window and did a PS to see what the viewer was called. I recall having to do that a number of times because the name evince, just doesn't remind me of PDF. I can't expect a newbie to do that either.
The typical way a newbie would behave is to open a file manager (I guess nautilus in Gnome, dolphin in KDE), navigate to a pdf file and click on it. If the system is set up by default, in Gnome the file should be associated to (and thus opened by) evince, and in KDE by Okular. AFAIK, that is the default. If the system config was changed from default to something else, then the user who changed it was supposed to be aware what he was doing, and which other app has been configured to take care of the pdf files.
In KDE, once you open the pdf file by clicking on it in the file manager, you can look up on the titlebar and see the word "Okular", or go to help menu and find the "Okular handbook" and "About Okular" menu items. If that still isn't enough of a clue about the app's name, you can click on the "About Okular" item and read off a whole bunch of information including the name, description, version number, list of authors, licencing info, upstream website address, etc.
As for Gnome, I don't use it so I cannot tell exactly, but I guess the equivalent information can be found in an equivalent place. If not, Gnome devs are probably living somewhere in some galaxy far, far away... ;-)
HTH, :-) Marko
On Tue, 2011-01-25 at 13:23 -0800, Wolfgang S. Rupprecht wrote:
I'm not sure how new users are supposed to find evince. Yum isn't a command that newbies are likely to be familiar with. Old-timers from the BSD world might try "man -k pdf" but that doesn't find evince either.
Various add/remove software helpers allow one to search through them using keywords, with those words being looked for in the package names and descriptions.
Granted that Evince isn't a great example, as it just lists itself as a document reader, instead of being more explicit and saying that it can read PDFs and PostScript files. I'd call that a serious enough omission to warrant a bugzilla entry, as it stops people finding it when searching for a PDF application. I think such programs should have pdf viewer and pdf reader set as package search keywords.
Though, that sort of "find me a pdf application" search should have returned several alternatives. On Fedora 9, I find at least these:
epdfview.i386 : Lightweight PDF document viewer
gsview.i386 : PostScript and PDF previewer
pdfcube.i386 : PDF presentation viewer with a spinning cube
Hmm, pdfcube sounds intriguing!
Even on fedora-14 I can't seem to find it on the pull-down menus.
Yes, that's a bugbear with me, too. It's hidden, for some obscure reason. You have to edit the menus to unhide it. It's not the only useful app that's hidden, either.
Then there's applications with weird names. The specs for the files that the menus are made from (.desktop) carry the following information in them:
Program name, e.g. Evince.
Generic name, e.g. PDF and PS document reader
Descriptive comment, e.g. A program to read documents in the PDF and PS formats
As far as I'm concerned, the default should be set to suit newcomers, and show both program name and generic name, in the menu, with the description as a hover-over pop-up information window. Particularly when it comes to obtusely named applications (e.g. Evince, Seahorse, Nautilus, Konqueror, k3b, et cetera). For my money, I see worse names in the kde desktop than the Gnome one. Let the more savvy users configure the menus to be shorter.
I think that it should, also, be required that they're filled-in properly before the package is accepted into Fedora. I've always managed to find some applications which omit one or more of those attributes from the .desktop files, or the information is under the wrong attribute. There is a specification for how the .desktop files are supposed to be filled in, and they're not adhering to it.
The way I found it back when I started using a linux distribution (back in fc4 days) was to let firefox open up a pdf file, spawn the reader and then I opened a shell window and did a PS to see what the viewer was called.
I think the way most people open a file, now, is either when they try to open it with their filemanager, or read a file through their web browser. In either case, once the application has loaded up, most give their naming details in the "about" entry in their help menu. There's no need to grep through ps to find it. You can make a reasonable assumption that a program called "Evince" is probably going to be started by a binary called evince or Evince, and try the lazy typing all-lower-case first, since that's the long-term habit of Linux.
On Thu, Jan 20, 2011 at 17:52:37 +0200, Kostas Sfakiotakis kostassf@cha.forthnet.gr wrote:
Well the thing is that i wanted to read a manual in pdf format . You see there are a lot of them hanging around . So what do i do ? Convert the pdf to a more safe format ( by the way since u mention it , which is a safer format ? ) or just use another program to open the pdf file ?
Using evince would be an improvement, but I wouldn't trust it to read PDFs that I thought had a significant chance of being trojans.
On 01/20/2011 11:43 AM, Bruno Wolff III wrote:
On Thu, Jan 20, 2011 at 17:52:37 +0200, Kostas Sfakiotakis kostassf@cha.forthnet.gr wrote:
Well the thing is that i wanted to read a manual in pdf format . You see there are a lot of them hanging around . So what do i do ? Convert the pdf to a more safe format ( by the way since u mention it , which is a safer format ? ) or just use another program to open the pdf file ?
Using evince would be an improvement, but I wouldn't trust it to read PDFs that I thought had a significant chance of being trojans.
sandbox -X evince random.pdf
On Fedora or RHEL6, as a normal user would run the pdf with a locked down sandbox.
On 01/20/2011 02:07 PM, Daniel J Walsh wrote:
Using evince would be an improvement, but I wouldn't trust it to read PDFs that I thought had a significant chance of being trojans.
sandbox -X evince random.pdf
Hi Dan - on F14 I run this I get:
/usr/bin/sandbox: /usr/share/sandbox/sandboxX.sh is required for the action you want to perform.
Do you know what I need to install to make this work ?
yum provides did not help ..
thanks!
gene/
On 01/20/2011 03:59 PM, Genes MailLists wrote:
On 01/20/2011 02:07 PM, Daniel J Walsh wrote:
Using evince would be an improvement, but I wouldn't trust it to read PDFs that I thought had a significant chance of being trojans.
sandbox -X evince random.pdf
Hi Dan - on F14 I run this I get:
/usr/bin/sandbox: /usr/share/sandbox/sandboxX.sh is required for the action you want to perform.
Do you know what I need to install to make this work ?
yum provides did not help ..
thanks!
gene/
yum install policycoreutils-sandbox
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
sandbox -X -t sandbox_web_t -H ~/sandbox-home /opt/google/chrome/chrome
The window pops up and closes ... I see no AVC's
The new sandbox home dir contains:
% ls -a
total 48
4 ./ 4 .config/ 4 Download/ 4 seremote*
12 ../ 4 .dbus/ 4 .sandboxrc* 12 .xmodmap
Can you suggest what I am doing wrong ?
Thanks!
On 01/20/2011 05:02 PM, Genes MailLists wrote:
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
(1) Probably relevant - my default proxy is via ssh tunnel ... so I guess I need to somehow allow access to those ports on localhost ? Where would I do that ?
(2) To avoid this for now - I tried deleting the .config/google-chrome so it would be a fresh first time run . same problem ... window starts and exits.
Any suggestions ?
thanks!
g
On 01/20/2011 05:12 PM, Genes MailLists wrote:
On 01/20/2011 05:02 PM, Genes MailLists wrote:
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
(1) Probably relevant - my default proxy is via ssh tunnel ... so I guess I need to somehow allow access to those ports on localhost ? Where would I do that ?
(2) To avoid this for now - I tried deleting the .config/google-chrome so it would be a fresh first time run . same problem ... window starts and exits.
Any suggestions ?
thanks!
g
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
On Fri, 2011-01-21 at 07:42 -0500, Daniel J Walsh wrote:
On 01/20/2011 05:12 PM, Genes MailLists wrote:
On 01/20/2011 05:02 PM, Genes MailLists wrote:
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
(1) Probably relevant - my default proxy is via ssh tunnel ... so I guess I need to somehow allow access to those ports on localhost ? Where would I do that ?
(2) To avoid this for now - I tried deleting the .config/google-chrome so it would be a fresh first time run . same problem ... window starts and exits.
Any suggestions ?
thanks!
g
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
Hi
Just picking up on this thread - hope I don't confuse the issue
F14 fully updated
kdm, XFCE, NFS4 home directories, NIS
SElinux Enforcing
sandbox -X xterm fails for me
troubleshooter shows 3 problems
SELinux is preventing /usr/bin/Xephyr from using the signal access on a process
SELinux is preventing /usr/bin/Xephyr from search access on the directory /
SELinux is preventing /usr/bin/kdm from add_name access on the directory .Xauthority-c
---------------
Setting SElinux Permissive still fails with the two Xephyr problems
In both cases the display flashes very briefly with a rectangular shape
John
On 01/21/2011 08:31 AM, John Austin wrote:
On Fri, 2011-01-21 at 07:42 -0500, Daniel J Walsh wrote:
On 01/20/2011 05:12 PM, Genes MailLists wrote:
On 01/20/2011 05:02 PM, Genes MailLists wrote:
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
(1) Probably relevant - my default proxy is via ssh tunnel ... so I guess I need to somehow allow access to those ports on localhost ? Where would I do that ?
(2) To avoid this for now - I tried deleting the .config/google-chrome so it would be a fresh first time run . same problem ... window starts and exits.
Any suggestions ?
thanks!
g
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
Hi
Just picking up on this thread - hope I don't confuse the issue
F14 fully updated
kdm, XFCE, NFS4 home directories, NIS
SElinux Enforcing
sandbox -X xterm fails for me
troubleshooter shows 3 problems
SELinux is preventing /usr/bin/Xephyr from using the signal access on a process
SELinux is preventing /usr/bin/Xephyr from search access on the directory /
SELinux is preventing /usr/bin/kdm from add_name access on the directory .Xauthority-c
Setting SElinux Permissive still fails with the two Xephyr problems
In both cases the display flashes very briefly with a rectangular shape
John
Is your homedir NFS?
On Fri, 2011-01-21 at 08:49 -0500, Daniel J Walsh wrote:
On 01/21/2011 08:31 AM, John Austin wrote:
On Fri, 2011-01-21 at 07:42 -0500, Daniel J Walsh wrote:
On 01/20/2011 05:12 PM, Genes MailLists wrote:
On 01/20/2011 05:02 PM, Genes MailLists wrote:
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
(1) Probably relevant - my default proxy is via ssh tunnel ... so I guess I need to somehow allow access to those ports on localhost ? Where would I do that ?
(2) To avoid this for now - I tried deleting the .config/google-chrome so it would be a fresh first time run . same problem ... window starts and exits.
Any suggestions ?
thanks!
g
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
Hi
Just picking up on this thread - hope I don't confuse the issue
F14 fully updated
kdm, XFCE, NFS4 home directories, NIS
SElinux Enforcing
sandbox -X xterm fails for me
troubleshooter shows 3 problems
SELinux is preventing /usr/bin/Xephyr from using the signal access on a process
SELinux is preventing /usr/bin/Xephyr from search access on the directory /
SELinux is preventing /usr/bin/kdm from add_name access on the directory .Xauthority-c
Setting SElinux Permissive still fails with the two Xephyr problems
In both cases the display flashes very briefly with a rectangular shape
John
Is your homedir NFS?
Yes
I have global - Support NFS home dirs set true
F14 fully updated - today
kdm, XFCE, NFS4 home directories, NIS
John
On 01/21/2011 09:12 AM, John Austin wrote:
On Fri, 2011-01-21 at 08:49 -0500, Daniel J Walsh wrote:
On 01/21/2011 08:31 AM, John Austin wrote:
On Fri, 2011-01-21 at 07:42 -0500, Daniel J Walsh wrote:
On 01/20/2011 05:12 PM, Genes MailLists wrote:
On 01/20/2011 05:02 PM, Genes MailLists wrote:
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
(1) Probably relevant - my default proxy is via ssh tunnel ... so I guess I need to somehow allow access to those ports on localhost ? Where would I do that ?
(2) To avoid this for now - I tried deleting the .config/google-chrome so it would be a fresh first time run . same problem ... window starts and exits.
Any suggestions ?
thanks!
g
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
Hi
Just picking up on this thread - hope I don't confuse the issue
F14 fully updated
kdm, XFCE, NFS4 home directories, NIS
SElinux Enforcing
sandbox -X xterm fails for me
troubleshooter shows 3 problems
SELinux is preventing /usr/bin/Xephyr from using the signal access on a process
SELinux is preventing /usr/bin/Xephyr from search access on the directory /
SELinux is preventing /usr/bin/kdm from add_name access on the directory .Xauthority-c
Setting SElinux Permissive still fails with the two Xephyr problems
In both cases the display flashes very briefly with a rectangular shape
John
Is your homedir NFS?
Yes
I have global - Support NFS home dirs set true
F14 fully updated - today
kdm, XFCE, NFS4 home directories, NIS
John
Ok, we have just started supporting NFS in the Rawhide version. Sorry. I am not sure if I will back port it to F14, until I see some testing on it. I am concerned about how the kernel will handle bind mounts of nfs on nfs.
One of the key features of sandbox is to create new directories in the homedir and then bind mount them over ~/ and /tmp. I am not quite sure how this will play with NFS and automounter...
On Fri, 2011-01-21 at 09:34 -0500, Daniel J Walsh wrote:
On 01/21/2011 09:12 AM, John Austin wrote:
On Fri, 2011-01-21 at 08:49 -0500, Daniel J Walsh wrote:
On 01/21/2011 08:31 AM, John Austin wrote:
On Fri, 2011-01-21 at 07:42 -0500, Daniel J Walsh wrote:
On 01/20/2011 05:12 PM, Genes MailLists wrote:
On 01/20/2011 05:02 PM, Genes MailLists wrote:
On 01/20/2011 04:23 PM, Daniel J Walsh wrote:
If I want to run google chrome (say)-
I tried this:
mkdir -p sandbox-home/.config
rsync -av ~/.config/google-chrome ~/sandbox-home/.config
(1) Probably relevant - my default proxy is via ssh tunnel ... so I guess I need to somehow allow access to those ports on localhost ? Where would I do that ?
(2) To avoid this for now - I tried deleting the .config/google-chrome so it would be a fresh first time run . same problem ... window starts and exits.
Any suggestions ?
thanks!
g
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
Hi
Just picking up on this thread - hope I don't confuse the issue
F14 fully updated
kdm, XFCE, NFS4 home directories, NIS
SElinux Enforcing
sandbox -X xterm fails for me
troubleshooter shows 3 problems
SELinux is preventing /usr/bin/Xephyr from using the signal access on a process
SELinux is preventing /usr/bin/Xephyr from search access on the directory /
SELinux is preventing /usr/bin/kdm from add_name access on the directory .Xauthority-c
Setting SElinux Permissive still fails with the two Xephyr problems
In both cases the display flashes very briefly with a rectangular shape
John
Is your homedir NFS?
Yes
I have global - Support NFS home dirs set true
F14 fully updated - today
kdm, XFCE, NFS4 home directories, NIS
John
Ok, we have just started supporting NFS in the Rawhide version. Sorry. I am not sure if I will back port it to F14, until I see some testing on it. I am concerned about how the kernel will handle bind mounts of nfs on nfs.
One of the key features of sandbox is to create new directories in the homedir and then bind mount them over ~/ and /tmp. I am not quite sure how this will play with NFS and automounter...
Many thanks for the info
Looking forward to F15 !
John
On 01/21/2011 07:42 AM, Daniel J Walsh wrote:
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
With regards to just running chrome (never mind ssh tunnel) I get:
Ah ok - today after a reboot - I get this :
% sandbox -X -H /home/gene/sandbox/home /opt/google/chrome/chrome
/opt/google/chrome/chrome: error while loading shared libraries: libnss3.so.1d: cannot open shared object file: No such file or directory
Hangup
gene/
On 01/21/2011 09:28 AM, Genes MailLists wrote:
On 01/21/2011 07:42 AM, Daniel J Walsh wrote:
Let's figure out if this is a chromium problem or something else. Does
sandbox -X xterm
Work?
With regards to just running chrome (never mind ssh tunnel) I get:
Ah ok - today after a reboot - I get this :
% sandbox -X -H /home/gene/sandbox/home /opt/google/chrome/chrome
/opt/google/chrome/chrome: error while loading shared libraries: libnss3.so.1d: cannot open shared object file: No such file or directory
Hangup
gene/
Any avc messages?
On 01/21/2011 09:35 AM, Daniel J Walsh wrote:
% sandbox -X -H /home/gene/sandbox/home /opt/google/chrome/chrome
/opt/google/chrome/chrome: error while loading shared libraries: libnss3.so.1d: cannot open shared object file: No such file or directory
Hangup
Any avc messages?
nope - all quiet on the AVC front ..
note the case above is different than this case (with -t)
sandbox -X -t sandbox_web_t -H ~/sandbox/home /opt/google/chrome/chrome
which yields no error messages - a window starts up and closes. Also has no AVC's
Probably not useful but in the above home:
% cat .sandboxrc
#! /bin/sh
#TITLE: /opt/google/chrome/chrome
/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
/usr/bin/matchbox-window-manager -use_titlebar no &
WM_PID=$!
dbus-launch --exit-with-session /opt/google/chrome/chrome
kill -TERM $WM_PID 2> /dev/null
On 01/21/2011 10:12 AM, Genes MailLists wrote:
On 01/21/2011 09:35 AM, Daniel J Walsh wrote:
% sandbox -X -H /home/gene/sandbox/home /opt/google/chrome/chrome
/opt/google/chrome/chrome: error while loading shared libraries: libnss3.so.1d: cannot open shared object file: No such file or directory
Hangup
Any avc messages?
nope - all quiet on the AVC front ..
note the case above is different than this case (with -t)
sandbox -X -t sandbox_web_t -H ~/sandbox/home /opt/google/chrome/chrome
which yields no error messages - a window starts up and closes. Also has no AVC's
Probably not useful but in the above home:
% cat .sandboxrc
#! /bin/sh
#TITLE: /opt/google/chrome/chrome
/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
/usr/bin/matchbox-window-manager -use_titlebar no &
WM_PID=$!
dbus-launch --exit-with-session /opt/google/chrome/chrome
kill -TERM $WM_PID 2> /dev/null
You could try a different windowmanager
sandbox -X -W metacity -t sandbox_web_t -H ~/sandbox/home /opt/google/chrome/chrome
I am installing chrome now and will play around with it.
On 01/21/2011 11:20 AM, Genes MailLists wrote:
On 01/21/2011 11:07 AM, Daniel J Walsh wrote:
sandbox -X -W metacity -t sandbox_web_t -H ~/sandbox/home /opt/google/chrome/chrome
Same thing - window starts and closes right away ..
I think it has something about namespaces. If you run
sandbox -X -t sandbox_web_t xterm
Then launch chromium-browser from within the xterm, it complains about
Failed to move to new PID namespace:Operation not permitted.
Even in permissive mode.
I think this indicates that chromium tried to launch the chromium-sandbox from within the SELinux sandbox, and the chromium-sandbox wants to use its own namespace and this is not allowed.
So I guess this means you can not run chromium within a sandbox -X environment.
sandbox -X -t sandbox_web_t firefox
Should work...
On 01/21/2011 11:31 AM, Daniel J Walsh wrote:
I think it has something about namespaces. If you run
sandbox -X -t sandbox_web_t xterm
Then launch chromium-browser from within the xterm, it complains about
Failed to move to new PID namespace:Operation not permitted.
Even in permissive mode.
I think this indicates that chromium tried to launch the chromium-sandbox from within the SELinux sandbox, and the chromium-sandbox wants to use its own namespace and this is not allowed.
So I guess this means you can not run chromium within a sandbox -X environment.
sandbox -X -t sandbox_web_t firefox
Should work...
I should have thought to try that ... glad you did :-)
It's really unfortunate it doesn't work tho ... this is such a great feature .. any way around this ? Any chance of tagging up with google chrome developers to find a solution ?
I don't understand because I am ignorant in large part on selinux details - does chrome want to transition to a new selinux type ? Can we make that namespace 'equivalent' to sandbox_web_t or some way to make the transition allowed without really leaving your sandbox? Sorry if it's a dumb question ..
Good that firefox works, but chrome is growing really fast ... be good to find a way to make this fly ...
On 01/21/2011 11:43 AM, Genes MailLists wrote:
On 01/21/2011 11:31 AM, Daniel J Walsh wrote:
I think it has something about namespaces. If you run
sandbox -X -t sandbox_web_t xterm
Then launch chromium-browser from within the xterm, it complains about
Failed to move to new PID namespace:Operation not permitted.
Even in permissive mode.
I think this indicates that chromium tried to launch the chromium-sandbox from within the SELinux sandbox, and the chromium-sandbox wants to use its own namespace and this is not allowed.
So I guess this means you can not run chromium within a sandbox -X environment.
sandbox -X -t sandbox_web_t firefox
Should work...
I should have thought to try that ... glad you did :-)
It's really unfortunate it doesn't work tho ... this is such a great feature .. any way around this ? Any chance of tagging up with google chrome developers to find a solution ?
I don't understand because I am ignorant in large part on selinux details - does chrome want to transition to a new selinux type ? Can we make that namespace 'equivalent' to sandbox_web_t or some way to make the transition allowed without really leaving your sandbox? Sorry if it's a dumb question ..
No it is not really an SELinux issue.
sandbox is a lot more than SELinux.
sandbox creates a new namespace and then mounts tmp files on ~/ and /tmp, which changes the namespace layout.
I think calling namespace from a namespace might be causing the problem. But I am not sure. We could open a conversation with the chromium developers to see if they know what is going on.
I think we can try to run seunshare chromium-browser and take SELinux out of the equation altogether.
seunshare is the tool sandbox -X is calling to create the new namespace and mount the dirs.
Good that firefox works, but chrome is growing really fast ... be good to find a way to make this fly ...
On 01/20/2011 05:12 PM, Jorge Fábregas wrote:
On 01/20/2011 05:23 PM, Daniel J Walsh wrote:
yum install policycoreutils-sandbox
Shouldn't this package be a dependency of the package policycoreutils-python (owner of sandbox)?
-- Jorge
There are two types of sandboxes. You can run the sandbox command without the -X and it runs in "script mode". In this mode it allows the application executed within the sandbox to read/write all file descriptors passed in, but is not allowed to open any content.
cat untrusted.doc | sandbox filter.sh > /tmp/trusted.doc
For example would only allow filter.sh to read untrusted.doc, and write trusted.doc. If filter.sh attempted to write to ~/.ssh/secrets SELinux would block the access. If it attempted to write anywhere or to open any files other than system files it would be blocked.
sandbox -X
on the other hand, attempts to create a desktop sandbox, and requires X and lots of other functionality. So we ship the python script sandbox in policycoreutils-python, so it can be used on server only environments, while if you want to run sandbox -X you need to install policycoreutils-sandbox which will require X.
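The package split described above, and the two sandbox -X failures reported earlier in the thread (missing /usr/share/sandbox/sandboxX.sh, and an NFS home directory on F14), can be checked before an untrusted file is opened. The following is an added example, not code from the thread or from policycoreutils; the function names and the SANDBOX_BIN, SANDBOX_X_HELPER and HOME_FSTYPE variables are hypothetical, and the wrapper refuses to run the viewer rather than falling back to an unconfined launch.

```shell
#!/bin/sh
# Added example, not from the thread or from policycoreutils.
# Defaults are the two paths quoted in the thread. SANDBOX_BIN,
# SANDBOX_X_HELPER and HOME_FSTYPE are hypothetical override knobs.
: "${SANDBOX_BIN:=/usr/bin/sandbox}"
: "${SANDBOX_X_HELPER:=/usr/share/sandbox/sandboxX.sh}"
: "${HOME_FSTYPE:=}"    # empty: detect with GNU stat

# Filesystem type holding $HOME, or "unknown" if stat cannot tell.
home_fstype() {
    if [ -n "$HOME_FSTYPE" ]; then
        printf '%s\n' "$HOME_FSTYPE"
    else
        stat -f -c %T "$HOME" 2>/dev/null || printf 'unknown\n'
    fi
}

# Print the usable sandbox mode: none | script | x-nfs-home | x
sandbox_mode() {
    if ! command -v "$SANDBOX_BIN" >/dev/null 2>&1; then
        # The sandbox script itself (policycoreutils-python) is absent.
        printf 'none\n'
    elif [ ! -r "$SANDBOX_X_HELPER" ]; then
        # Only script mode; -X needs policycoreutils-sandbox.
        printf 'script\n'
    else
        case $(home_fstype) in
            # In the thread, -X on an NFS home was unsupported on F14.
            nfs*) printf 'x-nfs-home\n' ;;
            *)    printf 'x\n' ;;
        esac
    fi
}

# sandboxed_view VIEWER FILE
# Fail closed: the viewer is started only inside "sandbox -X".
sandboxed_view() {
    viewer=$1
    file=$2
    mode=$(sandbox_mode)
    case $mode in
        x)
            "$SANDBOX_BIN" -X "$viewer" "$file"
            ;;
        script)
            echo "sandbox -X unavailable: yum install policycoreutils-sandbox" >&2
            return 3
            ;;
        x-nfs-home)
            echo "home directory is on NFS; not opening $file unconfined" >&2
            return 4
            ;;
        *)
            echo "sandbox command not found: $SANDBOX_BIN" >&2
            return 2
            ;;
    esac
}

# sandboxed_filter FILTER
# Script mode: the filter only gets the descriptors it inherits, so the
# untrusted input must arrive on stdin and the result leave on stdout.
sandboxed_filter() {
    if [ "$(sandbox_mode)" = none ]; then
        echo "sandbox command not found: $SANDBOX_BIN" >&2
        return 2
    fi
    "$SANDBOX_BIN" "$1"
}
```

Typical use is `sandboxed_view evince random.pdf`, or `sandboxed_filter ./filter.sh < untrusted.doc > /tmp/trusted.doc` for the script-mode case.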
On 01/21/2011 08:41 AM, Daniel J Walsh wrote:
So we ship the python script sandbox in policycoreutils-python, so it can be used on server only environments, while if you want to run sandbox -X you need to install policycoreutils-sandbox which will require X.
Thanks for the info. That makes perfect sense.
Regards, Jorge
< snip >
Using evince would be an improvement, but I wouldn't trust it to read PDFs that I thought had a significant chance of being trojans.
sandbox -X evince random.pdf
On Fedora or RHEL6, as a normal user would run the pdf with a locked down sandbox.
What exactly is sandbox ? If i understand things correctly then this sandbox thing is some "shell" or something , so whatever the random pdf does it affects only that "shell" and nothing outside it
On 01/20/2011 04:17 PM, Kostas Sfakiotakis wrote:
< snip >
Using evince would be an improvement, but I wouldn't trust it to read PDFs that I thought had a significant chance of being trojans.
sandbox -X evince random.pdf
On Fedora or RHEL6, as a normal user would run the pdf with a locked down sandbox.
What exactly is sandbox ? If i understand things correctly then this sandbox thing is some "shell" or something , so whatever the random pdf does it affects only that "shell" and nothing outside it
http://danwalsh.livejournal.com/31146.html
http://danwalsh.livejournal.com/31247.html
On Thu, 20 Jan 2011 01:51:03 +0200, Kostas Sfakiotakis wrote:
On 18/01/2011 06:22 πμ, Tim wrote:
< snip >
SELinux is another of the protective measures on your system,
A small comment here , actually SELinux is an NSA invention which is supposed to provide extra security to your system by controlling everything and everyone .
Being root doesn't mean that you should just be allowed to do anything,
Since i started this thread , let me clarify something . All i was trying to do was to open a pdf file simple as that and i do believe that on my computer am pretty much entitled to do so .
Made all the more worse when users start running things as root that they don't really need to. Running Acrobat reader as root? Not a good idea.
Well i was logged in as root at the moment . What am i supposed to do ?? Logout and login back again just to run Acrobat Reader ????? I do believe that would be an overkill .
<snip>
Probably would not be overkill. I don't know if the exploits have made it to Linux yet, but there are Windows Acrobat Reader exploits. If someone ported those to Linux (different payload is perhaps all it would take), then running acroread as root could compromise your system.
My thought is that if you need to run some extended commands as root, open a shell and use the command line. You'll have all of your other tools available as a normal user.
Here's an approach to fixing Adobe Acrobat. Your mileage may vary.
Adobe Acrobat Reader comes with at least two libraries marked as stack executable.
Here's how to find them:
1. Find where the files are
rpm -q AdobeReader_enu-9.4.1-1.i486 --filesbypkg
Your package is probably different since I run a 32 bit system, and you are running a 64 bit system.
2. cd to the directory (for me it's /opt/Adobe)
3. Run the following command (or something similar)
find . -name '*.so' -exec execstack -q {} \;
This basically finds all the .so files (normally links to shared libraries), and queries the execstack state.
The problem:
You're looking for libraries that have execstack turned on. Here are some examples:
X ./Reader9/Reader/intellinux/lib/libsccore.so
X ./Reader9/Reader/intellinux/lib/libcrypto.so
The fix:
1. Find the actual file that these (potential) soft links are linked to:
cd /opt/Adobe/Reader9/Reader/intellinux/lib
ls -l libsccore.so
-rwxr-xr-x. 1 root root 722824 Nov 8 05:48 libsccore.so
ls -l libcrypto.so
lrwxrwxrwx. 1 root root 14 Nov 30 17:05 libcrypto.so -> libcrypto.so.0
This turns out to be another link:
ls -l libcrypto.so.0
lrwxrwxrwx. 1 root root 18 Nov 30 17:05 libcrypto.so.0 -> libcrypto.so.0.9.8
2. Change to root, and create a diary entry. You do document changes to your system, right?
01/19/2011 20:40
cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
3. clear the execstack with:
execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
4. Exit root
Now test the results. If there's a problem, then you'll have to revert the changes.
To revert the changes, do the following.
1. Change to root and make a diary entry. Don't just delete the previous, since it's good to know what you've tried especially when it didn't work.
01/19/2011 20:45
acroread failed to work after clearing execstack.
set execstack on /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
set execstack on /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
2. Set execstack back with:
execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
execstack -s /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
Unfortunately this will create problems with SELinux (again). Hopefully you won't have to reset execstack on these shared libraries.
Report the Bug
In any case, a bug should be filed with Adobe for each execstack-enabled library that is found.
Hope this helps.
. . . . just my two cents.
/mde/
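The query step in the walkthrough above can be reproduced by reading the PT_GNU_STACK program header of each library directly. This is an added example, not part of the original post: the function names and the constructed sample ELF image are assumptions, it covers only the program-header marking of shared libraries and executables, and it reports the real file behind each symbolic link, as step 1 of the fix does by hand.

```python
import os
import struct

PT_GNU_STACK = 0x6474E551   # program header type that carries the stack permissions
PF_X = 0x1                  # "executable" bit in p_flags


def stack_marking(data: bytes) -> str:
    """Return 'X' (executable stack requested), '-' (not requested) or
    '?' (no PT_GNU_STACK header, or not a parsable ELF image)."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "?"
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        return "?"
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    try:
        if is64:
            phoff, = struct.unpack_from(end + "Q", data, 32)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
            flags_at = 4                     # p_flags follows p_type in ELF64
        else:
            phoff, = struct.unpack_from(end + "I", data, 28)
            phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
            flags_at = 24                    # p_flags is the 7th word in ELF32
        for i in range(phnum):
            base = phoff + i * phentsize
            p_type, = struct.unpack_from(end + "I", data, base)
            if p_type == PT_GNU_STACK:
                p_flags, = struct.unpack_from(end + "I", data, base + flags_at)
                return "X" if p_flags & PF_X else "-"
    except struct.error:                     # truncated or corrupt headers
        return "?"
    return "?"                               # marking is missing


def scan(root: str) -> dict:
    """Map the real file behind every *.so name under root to its marking."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".so"):
                continue
            # Follow link chains such as libcrypto.so -> .so.0 -> .so.0.9.8
            real = os.path.realpath(os.path.join(dirpath, name))
            if real in report or not os.path.isfile(real):
                continue
            with open(real, "rb") as fh:
                report[real] = stack_marking(fh.read())
    return report


def sample_elf32(stack_flags):
    """Constructed test input: a minimal little-endian ELF32 image with one
    program header. stack_flags=None emits PT_LOAD instead of PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIIIIIHHHHHH",
                                 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    p_type = 1 if stack_flags is None else PT_GNU_STACK
    phdr = struct.pack("<8I", p_type, 0, 0, 0, 0, 0, stack_flags or 0, 0)
    return header + phdr


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mark in sorted(scan(target).items()):
        print(mark, path)
```

Run it with the installation directory as its argument; the paths printed with X are the real files a change would be applied to and recorded in the diary entry.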
On 20/01/2011 07:25 πμ, Mark Eggers wrote:
< snip >
My thought is that if you need to run some extended commands as root, open a shell and use the command line. You'll have all of your other tools available as a normal user.
Here's an approach to fixing Adobe Acrobat. Your mileage may vary.
Adobe Acrobat Reader comes with at least two libraries marked as stack executable.
Here's how to find them:
- Find where the files are
rpm -q AdobeReader_enu-9.4.1-1.i486 --filesbypkg
Your package is probably different since I run a 32 bit system, and you are running a 64 bit system.
[root@Orion ~]# rpm -qa | grep Reader
AdobeReader_enu-9.4.1-1.i486
Well it seems that we are using the same package . For some reason for which am not sure it seems that i keep getting 32 bit and 64 bit packages
- cd to the directory (for me it's /opt/Adobe)
Same here
- Run the following command (or something similar)
find . -name '*.so' -exec execstack -q {} \;
This basically finds all the .so files (normally links to shared libraries), and queries the execstack state.
The problem:
You're looking for libraries that have execstack turned on. Here are some examples:
X ./Reader9/Reader/intellinux/lib/libsccore.so
X ./Reader9/Reader/intellinux/lib/libcrypto.so
Am trying to follow your example , i got two with X and 1 with question mark "?"
The fix:
- Find the actual file that these (potential) soft links are linked to:
cd /opt/Adobe/Reader9/Reader/intellinux/lib
ls -l libsccore.so
-rwxr-xr-x. 1 root root 722824 Nov 8 05:48 libsccore.so
ls -l libcrypto.so
lrwxrwxrwx. 1 root root 14 Nov 30 17:05 libcrypto.so -> libcrypto.so.0
This turns out to be another link:
ls -l libcrypto.so.0
lrwxrwxrwx. 1 root root 18 Nov 30 17:05 libcrypto.so.0 -> libcrypto.so.0.9.8
- Change to root, and create a diary entry. You do document changes to your system, right?
01/19/2011 20:40
cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
- clear the execstack with:
execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
- Exit root
Now test the results. If there's a problem, then you'll have to revert the changes.
Cleared the execstack as suggested and Adobe Reader runs fine as it was before so no harm done here . Thanks a lot for the detailed walkthrough .
Report the Bug
Well i was referred to a bugzilla report earlier on this thread , so there seems to be already a bug about the fact . As far as i am concerned it seems that all i had to do was to upgrade to the latest selinux-policy . So it would be logical to assume that it was the selinux policies messing things around and not the other way around ( Selinux policies changed not Acrobat Reader )
Kostas Sfakiotakis wrote:
[...]
Since i started this thread , let me clarify something . All i was trying to do was to open a pdf file simple as that and i do believe that on my computer am pretty much entitled to do so .
I'd like to help you clarify your thinking, as well.
[...]
Well i wasn´t trying to force anything by switching to the root user . I wasn´t trying to force anything at all . I was just trying to open a manual ( a pdf file ) .
Every two hundred lines of code, statistically, has a defect in it. Every additional line of code which is compiled and loaded into your machine is a 1/2 % chance of a defect. SELinux is big. Very big. By Red Hat's own estimate 40 applications had to be modified to accommodate it, along with the kernel and compiler. By application, I mean non system programs, like mv, ls, cp, tar, cpio, etc.
I see no need for SELinux on what is, while potentially multi user, essentially single user system. I run behind two (count 'em) two hardware firewalls both of them doing NAT. I've never had one, not even one, IP tables violation. I've never had even one attempt to access my machine at all. I don't run Apache, sshd, or any other server which would allow ingress to my machine. I've never had anyone even attempt to get root access but me.
I've had arguments with the Red Hat development team about it, and they insist SELinux _must_ be there. Well, if I had a real server, and not a desktop single user machine, I _might_ agree. I might not.
However, I like to control what is on my own machine. So, as a consequence, I've been building my own Linux, and am gradually leaving all Red Hat products behind.
Perhaps you should investigate LFS (Linux From Scratch). It isn't that hard to build your own custom system which has exactly what you want on it, no more and no less.
Mike
Mike McCarty wrote:
[...]
I'd like to help you clarify your thinking, as well.
[...]
Oops! Sorry. That was not intended to go on the list. My apologies. What I wrote was OT for this list.
Mike
On Thu, 2011-01-20 at 01:37 -0600, Mike McCarty wrote:
I see no need for SELinux on what is, while potentially multi user, essentially single user system. I run behind two (count 'em) two hardware firewalls both of them doing NAT. I've never had one, not even one, IP tables violation.
You're only thinking of problems due to incoming networking connections. That's only a small part of the equation.
Tim wrote:
You're only thinking of problems due to incoming networking connections. That's only a small part of the equation.
For me, the entire equation boils down to whether I'm in control of what gets loaded on my machine, or someone else is. With Red Hat products, I'm not in control. I happen not to want SELinux. My reasons are not up for debate, since they are personal preference.
De gustibus non disputandum est.
You want SELinux, fine. I'm not going to try to convince you otherwise. I happen not to want it, and don't care to debate that any further. I've expended as much energy attempting to explain the reasons one might not want SELinux on his machine as I care to.
As far as I am concerned, getting SELinux loaded on my machine _is_ a breach, since I don't want it there.
I can't think of anything that SELinux provides that I want enough to load thousands of lines of code concealing defects.
Mike
Mike McCarty wrote:
[...]
I can't think of anything that SELinux provides that I want enough to load thousands of lines of code concealing defects.
Sorry, misworded that. That should say containing undiscovered defects.
Additionally, I note that quite a bit of the bandwidth on the Fedora and CentOS echoes relate to SELinux making ordinary people doing ordinary things difficult. It's a complex subsystem, and I don't need more complexity on my machine, either just in defective code (which it certainly must have) or in additional administration requirements.
Anyway, it's enough simply to say that I don't want it, for whatever reasons, and so I'm on my way not to using any Linux distro which forces it upon me.
Mike
On Thu, 2011-01-20 at 04:23 -0600, Mike McCarty wrote:
Additionally, I note that quite a bit of the bandwidth on the Fedora and CentOS echoes relate to SELinux making ordinary people doing ordinary things difficult.
I really don't know why people have such grand problems with it. I don't. Not even when I run various servers. I strongly suspect it's because they're doing daft things with their computer, in the first place, then following bad advice to resolve it.
Tim wrote:
I really don't know why people have such grand problems with it. I don't. Not even when I run various servers. I strongly suspect it's because they're doing daft things with their computer, in the first place, then following bad advice to resolve it.
That is certainly a possibility. I don't much follow the threads. I have it loaded, since I must if I use Fedora, but it's disabled, and so far no troubles that I've noticed. One would hope not to encounter many defects if it's disabled, though that's always a possibility.
Mike
On 20/01/2011 11:36 πμ, Tim wrote:
On Thu, 2011-01-20 at 04:23 -0600, Mike McCarty wrote:
Additionally, I note that quite a bit of the bandwidth on the Fedora and CentOS echoes relate to SELinux making ordinary people doing ordinary things difficult.
I really don't know why people have such grand problems with it.
I could think of a million reasons . For example , let´s just say that they don´t have an idea about what mandatory access control is and how to live with it .
I don't. Not even when I run various servers.
Well that could be your problem Tim . As you say , u run SERVERS . Servers are supposed to do very specific things and not every day stuff.
I strongly suspect it's because they're doing daft things with their computer, in the first place, then following bad advice to resolve it.
Well that´s the issue . I can´t really understand why i can´t do any stupid thing with the computer i have payed for . I payed for the computer and not the SELinux development it , an agency , a corporation or whatever else . I just want to open my computer and do my stupid things and if i mess things up , then so i did . It would be my mess and i would be really happy to clean it . After all it is my mess and am paying for it ( well the paying part am doing either way ) .
Tim:
I really don't know why people have such grand problems with it.
Kostas Sfakiotakis:
I could think of a million reasons . For example , let´s just say that they don´t have an idea about what mandatory access control is and how to live with it .
For the average user, it shouldn't be a problem. It shouldn't really be noticeable, unless they're doing something stupid with their computer.
I don't. Not even when I run various servers.
Well that could be your problem Tim . As you say , u run SERVERS . Servers are supposed to do very specific things and not every day stuff.
I have several computers, some are servers, most are clients. I don't really have any SELinux problems (beyond the rare fault that's fixed by a yum update). The clients don't notice it's there, and there's only a few things I have to do to allow a server to do its business.
By default, and quite rightly, many servers are turned off and their activities are disallowed. If you want to run a server, you should learn what you're doing, and part of that process is configuring it as well as understanding the ramifications.
i.e. I don't give a damn for lazy people who want to run a SMTP server, and not secure it. Servers that cause wide spread havoc are best left to those who know what they're doing, and tightened up so much that the clueless can't run them.
Now, installing some random software from outside of a repo may cause a SELinux problem. But then, such software may cause all sorts of non-SELinux problems. From the possibility of it being a malicious program, to it simply having all sorts of dependencies that you're going to have to handle by hand.
It's certainly in the interests of such software to be written so that it doesn't fight with SELinux. Not just because there are computer systems using it. But, because, generally, software that gets hit on the head by SELinux gets hit on the head because it's doing something that it really shouldn't be doing. e.g. Expecting to be able to access any file on the system, or be executable in ways that it shouldn't.
It's been my experience that programmers are far worse than users regarding security and doing dumb things with computers. Their attitude of "I should be able to do anything" is really bad, likewise with their lack of understanding about why. It's why we have so much bad software on some computer systems (generally Windows).
I strongly suspect it's because they're doing daft things with their computer, in the first place, then following bad advice to resolve it.
Well that´s the issue . I can´t really understand why i can´t do any stupid thing with the computer i have payed for .
Therein lay the problem. *You*, or others doing the same thing, not SELinux.
In this internetted world, your use of a computer doesn't just affect you, it affects other people. Whether that be you getting trojanned, spamming people; or not learning about your computer, doing dopey things, then bogging down a list with "I shot myself in the foot" support threads.
Granted the last one is the lesser of concerns, but the point was that what you do is not in isolation to the rest of the world.
I payed for the computer and not the SELinux development it , an agency , a corporation or whatever else . I just want to open my computer and do my stupid things and if i mess things up , then so i did . It would be my mess and i would be really happy to clean it . After all it is my mess and am paying for it ( well the paying part am doing either way ) .
Umm, you're making us pay for your mess...
You seem to be ignoring the point that others, who know much more about it than you, have put a lot of effort into making a system much more robust (against maliciousness, or stupidity). I get the feeling that you're another of those that might go to the doctors, tell him "It hurts when I do this," and completely ignore his, "well, don't do that," advice.
On 21/01/2011 02:51 πμ, Tim wrote:
For the average user, it shouldn't be a problem. It shouldn't really be noticeable, unless they're doing something stupid with their computer.
Agreed . Well to be honest it felt kind of awkward this whole thing with Acrobat Reader , as i had no idea where this execstack stuff came from . But the thing is that the average user ( myself included ) does things that can be considered stupid by a more knowledgeable user , as the average user is unaware that what he is trying to do is stupid ( ok maybe running "rm -f * ", on root directory as root user would be an understandable error by everyone ) .
Umm, you're making us pay for your mess...
Well there is a big IF here . IF i create a mess ( if we consider the very subject with which this thread was started , i wasn´t ).
You seem to be ignoring the point that others, who know much more about it than you, have put a lot of effort into making a system much more robust (against maliciousness, or stupidity). I get the feeling that you're another of those that might go to the doctors, tell him "It hurts when I do this," and completely ignore his, "well, don't do that," advice.
A bit wrong . If i know that something is wrong from the beginning then i just don´t do it . If i don´t know that what am doing is going to cause problems to others it´s quite possible that i will do it . Well basically if i had to rephrase i would just say this . A desktop computer which runs at home doesn´t necessarily need all the security restrictions that a computer in a company needs . It should allow the "end user" to do things that other computers don´t have to do . For example an SMTP server doesn´t need to have a pdf viewer at all , or mplayer , or any multimedia software open source or otherwise since there is no use for it . A desktop computer though may have multimedia software and other stuff that a server doesn´t need . To that effect also an SMTP server works with different ports than a Web Server and has different needs .
On Fri, 2011-01-21 at 17:46 +0200, Kostas Sfakiotakis wrote:
A desktop computer which runs at home doesn´t necessarily need all the security restrictions that a computer in a company needs .
It may need an awful lot more. A work computer might only be used to type letters to clients, and run the jobs database. A home computer is rarely so specialised. It might be used for banking, browsing random websites (where users just go around clicking on anything), regularly visiting outright hostile or just badly written websites, running all sorts of software, having random discs inserted into it. All of which adds up to a more risky situation.
On 22/01/2011 12:15 μμ, Tim wrote:
On Fri, 2011-01-21 at 17:46 +0200, Kostas Sfakiotakis wrote:
A desktop computer which runs at home doesn´t necessarily need all the security restrictions that a computer in a company needs .
It may need an awful lot more. A work computer might only be used to type letters to clients, and run the jobs database. A home computer is rarely so specialised. It might be used for banking,
Well it is true that i have done some e-shopping and entered credit card data on amazon but keeping banking data or any such sensitive information is like you are looking to commit suicide . The best scenario is to keep such type of information as far away from computers as possible , since u never know what is going to happen.
browsing random websites (where users just go around clicking on anything), regularly visiting outright hostile or just badly written websites, running all sorts of software, having random discs inserted into it. All of which adds up to a more risky situation.
Well trust me , even under windows all u need is a good antivirus and you can do whatever u wish , i have given it a few shots myself . It´s like walking on the street it is risky ( cars have run over a bus station here ) but u still do it . There are a few things that u do although there is a risk in them .
Tim:
It may need an awful lot more. A work computer might only be used to type letters to clients, and run the jobs database. A home computer is rarely so specialised. It might be used for banking,
Kostas Sfakiotakis:
Well it is true that i have done some e-shopping and entered credit card data on amazon but keeping banking data or any such sensitive information is like you are looking to commit suicide . The best scenario is to keep such type of information as far away from computers as possible , since u never know what is going to happen.
It's impossible to keep it away, when you're having to deal with things that can only be bought, or paid for, over the internet. Likewise with other account managing scenarios.
For a lot of people, that will entail personal details being stored somewhere by their browser. For the more cautious, who don't let their browser store names and passwords, they can still have personal credentials temporarily cached (while the browser is running) in potentially vulnerable places.
Well trust me , even under windows all u need is a good antivirus and you can do whatever u wish
I've yet to find good anti-virus for Windows. No, I don't care to know, I don't use it any more. And I don't provide support to other people using it any more, either. I like being able to tell suffering Windows users who ask for my help, "sorry I don't use it any more, and can't recommend anything to you." What I would consistently find were the following:
Viruses getting through completely unnoticed, since the viruses are always developed well ahead of any anti-virus developments.
Viruses getting through despite the anti-virus software being able to recognise it. You'd get a warning that "you have been infected," and then you had to waste lots of time to disinfect. Where, what we expected is for the anti-virus software to stop the attempt.
Viruses being unremovable because Windows wouldn't let you modify /that/ file at the moment. But, the virus was allowed to modify /that/ file.
The anti-virus software being a complete pain. Making a system run slowly, causing ordinary software to fail, and being a convoluted nightmare to use it.
On 24/01/2011 05:28 πμ, Tim wrote:
< snip >
It's impossible to keep it away, when you're having to deal with things that can only be bought, or paid for, over the internet. Likewise with other account managing scenarios.
Well we live in different countries so i guess things out there are a bit different , around here i guess i should say that internet isn´t that much integrated to our lives , so there is no such scenario . So i guess i will take your word for that matter
I've yet to find good anti-virus for Windows.
Well all i can say is that a black hole does exist although u can´t see it with your eyes or a normal telescope ( Chandra isn´t a normal telescope ) likewise the fact that u didn´t find one doesn´t necessarily mean that it doesn´t exist .
No, I don't care to know, I don't use it any more.
It figures , if u really wanted one , you would have found it even by accident .
And I don't provide support to other people using it any more, either. I like being able to tell suffering Windows users who ask for my help, "sorry I don't use it any more, and can't recommend anything to you." What I would consistently find were the following:
Viruses getting through completely unnoticed, since the viruses are always developed well ahead of any anti-virus developments.
That is because they are supposed to be developed that way . If there was an antivirus that could heal all viruses then there wouldn´t be any need for further developing antivirus software .
Viruses getting through despite the anti-virus software being able to recognise it. You'd get a warning that "you have been infected," and then you had to waste lots of time to disinfect. Where, what we expected is for the anti-virus software to stop the attempt.
Well if the antivirus software doesn´t have the antivirus signature then there is no way that it would prevent the infection . If u don´t know that something is out there in front of u , u can´t avoid it . That would be quite normal .
Viruses being unremovable because Windows wouldn't let you modify /that/ file at the moment. But, the virus was allowed to modify /that/ file.
Sorry but that´s a bit flawed . If you had kept some touch with Windows u would know that there are boot viruses , which load ahead of the system and of course the NTFS driver . The NTFS driver is the one that locks the partition containing the system which causes the nightmares and that´s the solution to the problem also .
The anti-virus software being a complete pain. Making a system run slowly, causing ordinary software to fail, and being a convoluted nightmare to use it.
Well i don´t know if SELinux makes a computer far slower but SELinux would be equally a nightmare and by all means before the last update of the SELinux policies , as normal user i was unable even to start X Windows so let´s skip the argument about software failing due to the antivirus but yes if u wish i have run into problems due to the antivirus blocking things but then again the solution was only a minute away and far more easier .
One last note since i forgot to mention it earlier . The thing with the computer at home is that has mostly personal data for the owner of the house and so the damage would be limited to him but on a working environment there are databases with clients data , the logistics department has databases with personnel data , ..... . So if such a database was compromised then the losses would be far worse ( ok granted u would replace the database from a backup ) because the data of the personnel / clients would have leaked to the hacker , .......... so i do believe the side effects of such thing would be far more worse .
Tim wrote:
[...]
Umm, you're making us pay for your mess...
If you mean that he is vulnerable to attacks, and then his machine harbors possibly malicious code w/o his knowledge, then you are blaming the victim.
Mike
On 01/21/2011 09:50 AM, Mike McCarty wrote:
If you mean that he is vulnerable to attacks, and then his machine harbors possibly malicious code w/o his knowledge, then you are blaming the victim.
IMO, an unsecured computer on the net is just as much of an attractive nuisance as a swimming pool that's not properly fenced in and the owner is just as liable for any damage.
On 21 Jan 2011, at 23:31, Joe Zeff joe@zeff.us wrote:
IMO, an unsecured computer on the net is just as much of an attractive nuisance as a swimming pool that's not properly fenced in and the owner is just as liable for any damage.
Your analogy is flawed, as pools are not generally able to conduct remote attacks once compromised. That's why unsecured computers are bad.
On a complete side note, perhaps those worried about unfenced pools should consider keeping a closer eye on the things dear to them that might fall in.
Alan
Tim:
Umm, you're making us pay for your mess...
Mike McCarty:
If you mean that he is vulnerable to attacks, and then his machine harbors possibly malicious code w/o his knowledge, then you are blaming the victim.
No, actually I meant he did something, and then we all had to deal with it. In this case, just a plethora of mails to the list.
On the other hand, if a user deliberately turns off their protective software, and gets infected, then it is right to blame them. Just the same as I'd blame a car owner who finds the brakes a hindrance to them, or adhering to the road rules.
When you have software that stops you doing something, you should, if not must, think about why, before you carry on regardless.
Some people think they're an unfairly victimised Typhoid Mary. Others know that they're a need-to-be-constrained Typhoid Mary.
Now you know what "TM" really stands for, when it's typed next to a Microsoft product name. ;-)
On 1/20/11 2:30 PM, Kostas Sfakiotakis wrote:
On 20/01/2011 11:36 πμ, Tim wrote:
On Thu, 2011-01-20 at 04:23 -0600, Mike McCarty wrote:
Additionally, I note that quite a bit of the bandwidth on the Fedora and CentOS echoes relate to SELinux making ordinary people doing ordinary things difficult.
I really don't know why people have such grand problems with it.
I could think of a million reasons . For example , let´s just say that they don´t have an idea about what mandatory access control is and how to live with it .
I don't. Not even when I run various servers.
Well that could be your problem Tim . As you say , u run SERVERS . Servers are supposed to do very specific things and not every day stuff.
I strongly suspect it's because they're doing daft things with their computer, in the first place, then following bad advice to resolve it.
Well that´s the issue . I can´t really understand why i can´t do any stupid thing with the computer i have payed for . I payed for the computer and not the SELinux development it , an agency , a corporation or whatever else . I just want to open my computer and do my stupid things and if i mess things up , then so i did . It would be my mess and i would be really happy to clean it . After all it is my mess and am paying for it ( well the paying part am doing either way ) .
As Tim said: You are not only affecting yourself but by default every other user of the Internet if you get infected with a virus/worm/trojan horse/spyware. SELinux is designed to prevent that level of stupidity. Sorry, but you have to read through several RFCs to understand your ability to screw things up royally when you are on the Information Superhighway. Please take time and read RFC 1087. It basically spells out YOUR responsibilities when driving there.
Now, you are free to take your 'payed for' toy, take it off of the Internet and do whatever you want. At that point, it becomes your problem. Otherwise, you should obey the 'rules of the road' and make your system as secure as you can. I do. I've disabled flash on my browser. I've blocked all sorts of ads. Why? Because both are vectors for malware. I don't like rebuilding my systems, but if they get infected with someone else's 'stupidity' then I'm out hours of work that I won't enjoy doing. How would you feel if failure to use SELinux infects hundreds if not thousands of systems with a virus? How would you feel if not using SELinux saves your work from being inadvertently destroyed? That is why it exists, so stupid people don't do stupid things. Again, you are free to do what you like as long as it will not affect others.
Now, if you are trying to do something that you SHOULD be able to do, and SELinux will not let you, the SELinux people need to know about this and provide either a permanent solution or a work-around. They should not allow you to do stupid stuff with your system when it is on-line and connected to the Internet or any other type of network.
James McKenzie
On 21/01/2011 07:02 πμ, James McKenzie wrote:
On 1/20/11 2:30 PM, Kostas Sfakiotakis wrote:
As Tim said: You are not only affecting yourself but by default every other user of the Internet if you get infected with a virus/worm/trojan horse/spyware.
As i wrote to Tim a minute ago did i read an IF over there ??? Since as u say it´s IF and WHEN i get infected then i will cause problems to others.
SELinux is designed to prevent that level of stupidity. Sorry, but you have to read through several RFCs to understand your ability to screw things up royally when you are on the Information Superhighway. Please take time and read RFC 1087. It basically spells out YOUR responsibilities when driving there.
I would gladly take some pointers . As for RFC 1087 since i don´t think that i have a local copy of it but i guess rfc-editor has . I will get a copy of it in a couple of hours since now i have to run to work .
How would you feel if failure to use SELinux infects hundreds if not thousands of systems with a virus?
Not very well i guess .
How would you feel if not using SELinux saves your work from being inadvertently destroyed?
Well i never stopped using SELinux , just in case something that SELinux was doing something good and i didn´t have an idea about it . For this particular subject that I opened the thread in the first place besides disabling execstack with the information provided in this very thread ( on all system libraries , not just those of Acrobat Reader ) i just updated my computer since that would probably resolve the issue ( well that was suggested and it actually resolved the problem ) . Don´t take me wrong if i was aware of all the RFCs that u mention above i would gladly take time and read them . But since my normal work doesn´t have to do with RFC studying i am not doing it . Do also consider that if am unaware that something is out there then am not going to prevent myself from running into it .
Mike McCarty <Mike.McCarty <at> sbcglobal.net> writes:
... Additionally, I note that quite a bit of the bandwidth on the Fedora and CentOS echoes relate to SELinux making ordinary people doing ordinary things difficult. It's a complex subsystem, and I don't need more complexity on my machine, either just in defective code (which it certainly must have) or in additional administration requirements.
Anyway, it's enough simply to say that I don't want it, for whatever reasons, and so I'm on my way not to using any Linux distro which forces it upon me.
Mike
Yes, I agree with you. It is a product of academics employed by NSA, and so of questionable practical use for people who are dealing with system admin and security issues on a daily basis.
While being aware that I am expanding the thread with another sub-topic, let me inject here another fiasco in waiting (or already done). This one will also affect UNIX/Linux system programming and introduce MORE complexity and LESS security. How about that "for a change" ?
It is called "capabilities".
http://fedoraproject.org/wiki/Features/RemoveSETUID
Read this carefully (it will scare you if you bother to get deep into it):
http://fedoraproject.org/wiki/Talk:Features/RemoveSETUID
JB
It is a product of academics employed by NSA, and so of questionable practical use for people who are dealing with system admin and security issues on a daily basis.
Not exactly. It's the product of sixty years of work on security models in all sorts of areas. This particular implementation was done initially by the NSA along with similar code for other OSs but it's not entirely NSA code or ideas, far from it.
Security models are complex for a complex system. That would appear to be unavoidable given the law of necessary variety.
Capabilities help with a few small problems in reducing the privileges of some things that could be subject to attack but don't need that degree of rights.
Doesn't really help against things like browser based attacks where you need a model that can express things like "web browsers don't XYZ"
Alan
Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:
...
Hi,
Let's keep in mind that we talk about computer systems security.
The terms of interest to me are innovation, variety, diversity, complexity.
I think innovation does not need to mean complexity as a result of it.
With regard to "law of necessary variety" I assume you mean Law of Requisite Variety. "In cybernetics the term variety denotes the total number of distinct states of a system." It describes "the condition for dynamic stability under perturbation (or input)." "If a system is to be stable the number of states of its control mechanism must be greater than or equal to the number of states in the system being controlled." I think this law applies to building, exploitation and performance of a defined, working, reliable, dynamic system. It uses the term "control" in the context of interactions between system's components, not security of the system. The term security means "freedom from risk or danger; safety", or measures adopted to prevent crime, attack, escape, espionage, sabotage, etc.
I like to use the term "diversity" (as opposite to "monoculture") when I want to describe an ecosystem more capable of progress and survival. I would apply it when I tried to explain my preference for multiplicity of OSs (UNIX, Linux, Windows, *BSD, Mac, etc) or kernels (monolithic, micro, hybrid, etc). Diversity per se does not ensure security, which (once again) means measures undertaken and a state achieved as a result of them. Having a multitude of security measures ((sub-)systems) per se does not ensure security.
Complexity means multitude of components in intricate arrangement. An assumption that complex systems need per se variety of internal complex security sub-systems or external complex security systems is of questionable value. Let me concentrate on one important explanation of why complex systems (security systems inclusive) are prone to fail. There is an inherent conflict between level of complexity and benefits of complexity. Complex systems require very high costs just to maintain them, not to mention costs to expand them. This is validated by decreasing net return on input to complex systems. I think complex monolithic kernels, complex system/application/library APIs, complex security models (consisting of multitude of different security (sub-)systems) are not effective.
We forget that people write software and have to account for all the diversity of system and application programming issues, also with regard to security. We forget that people administer those hardware and software systems and have to understand them from functional and operational point of view. Consider multitude of OSs and programming languages/scripts that are involved, which must be learned to various extent by the above two groups of professionals and which bring their own inherent security problems to the table. There are also multitude of managers and analysts (business, architecture, systems, security, etc) who want/have to understand these issues to a greater or lesser extent as well in order to be able to manage and build them for themselves or clients.
I say once again, MORE complexity is LESS security.
That's why complex systems (civilizations, societies, economies, financials, computing, etc) are inevitably destined to fail or fall. I am tempted to say - it is a law of nature.
JB
Well, I think we deserve it ...
Jerome Hines, Paul Plishka - Verdi - Don Carlo - Il Grande Inquisitor http://www.youtube.com/watch?v=IOTm_ec42z4
It uses the term "control" in the context of interactions between system's components, not security of the system.
Security *is* a part of a set of interactions between system components. It has to be able to mediate all sorts of complex interactions between components and decide which are permissible. All those components have state and all that state has to be managed.
I say once again, MORE complexity is LESS security.
I'd like to see a mathematical proof of that, but I don't believe it's ever been done. Intuitively it is true which is why important systems are kept simple. Unfortunately simple systems are not capable of being your desktop.
That's why complex systems (civilizations, societies, economies, financials, computing, etc) are inevitably destined to fail or fall.
Failure is a necessary part of progress. It's called learning. Without failure you have stasis.
Alan
Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:
...
I say once again, MORE complexity is LESS security.
I'd like to see a mathematical proof of that, but I don't believe it's ever been done. Intuitively it is true which is why important systems are kept simple. Unfortunately simple systems are not capable of being your desktop. ...
Google search: mathematical proof MORE complexity is LESS security
It looks like quite few hits.
Let's take a look at these papers and share our findings here.
JB
On Thu, 2011-01-20 at 16:35 +0000, Alan Cox wrote:
It uses the term "control" in the context of interactions between system's components, not security of the system.
Security *is* a part of a set of interactions between system components. It has to be able to mediate all sorts of complex interactions between components and decide which are permissible. All those components have state and all that state has to be managed.
I say once again, MORE complexity is LESS security.
I'd like to see a mathematical proof of that, but I don't believe it's ever been done. Intuitively it is true which is why important systems are kept simple. Unfortunately simple systems are not capable of being your desktop.
I'd suggest there's something like a "neo-Laffer curve"[1] relating complexity and security. No security at all is pretty insecure (obviously), and overly simple security isn't much better. Vastly involved security systems are likely to be not very secure (because they contain large numbers of defects and/or because they are too hard to manage effectively). In between those extremes, though, the smooth relationship breaks down. There's no "optimal" level of complexity because of dependencies on environmental conditions.
That's why complex systems (civilizations, societies, economies, financials, computing, etc) are inevitably destined to fail or fall.
Failure is a necessary part of progress. It's called learning. Without failure you have stasis.
Alan
[1] http://everything2.com/title/neo-Laffer+curve
No security at all is pretty insecure (obviously)
Surprisingly that isn't always the case. A situation where there is known to be no system security will often mean the other systems adapt appropriately. Email for example provides no security, because of that other things adapt to cope, including behaviour.
The end result at a higher level can still be secure. "I know this machine is probably untrusted so I won't log in via it" and "I'll phone my card details instead" are both secure results.
involved security systems are likely to be not very secure (because they contain large numbers of defects and/or because they are too hard to manage effectively). In between those extremes, though, the smooth relationship breaks down. There's no "optimal" level of complexity because of dependencies on environmental conditions.
The environment is variety that needs to be absorbed. It would seem to be its interactions with the environment (user included) that determine the variety of inputs permissible and thus the complexity.
This is why a cashpoint has minimal interface. It is why a lot of industrial control and military systems do one job. It is why basic firewalls are simple. User desktops that work on the "you may only run the exact listed commands, which may use the exact listed files, and run each other in the exact listed way" have been done, but while they work for certain things (eg fixed purpose front desks) they tend to annoy the hell out of anyone else. When you generalise them by making the categories broad you get the Android model which works for certain limited phone cases but even then is not really up to more complex stuff.
The firewall case is a good one. A simple firewall reduces the whole security model to a very simple set of questions. When you try to do complex analysis of attack patterns and detect stuff like post break-in suspicious activity the code in question explodes in complexity at amazing speed.
SELinux is the same - login/password is easy, beyond that the complexity of a general purpose desktop is massive.
Alan
Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:
... Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes: ... Security models are complex for a complex system. That would appear to be unavoidable given the law of necessary variety. ...
On 1/20/2011 5:04 PM, JB wrote: ... With regard to ... Law of Requisite Variety. ... "If a system is to be stable the number of states of its control mechanism must be greater than or equal to the number of states in the system being controlled." ...
...
It uses the term "control" in the context of interactions between system's components, not security of the system.
Security *is* a part of a set of interactions between system components. It has to be able to mediate all sorts of complex interactions between components and decide which are permissible. All those components have state and all that state has to be managed. ...
I think the Law of Requisite Variety does not apply here.
"A scientific law or scientific principle is a concise verbal or mathematical statement of a relation that expresses a fundamental principle of science."
If that law applied here, the following would have to be true at *all* times: "If a security system is to be stable the number of states of its control mechanism must be greater than or equal to the number of states in the security system being controlled."
What you are probably doing is instinctively applying the "control system" model and its law to a corresponding "security" model. Admittedly, there is a similarity in models. The model of a "control system" could be utilized in that system's "security" model. For example, the components of a PC system (hardware: CPU, hard disk, keyboard, etc; software: corresponding kernel subsystems, other subsystems like networking, etc; at least a fixed minimum number of them are required to constitute a working PC) and their states could be considered a complex control system, for which the Law's "... greater than or equal ..." statement would apply.
You could take that "control system" complex model and consider each of the hardware and software components worth of a corresponding security component, and that would make the security model complex as well.
But, once again, "security" is a state and any measures to achieve it.
The same "control"/"security" model, however useful to analyze security, would not be subjected to that Law's statement if we decided that only one of them, namely networking component, is *required* to have (worth of) a corresponding security component, namely iptables.
From a "control system" point of view the system would be complex, but from a "security" point of view not. But what is most important, our perception of security (according to its definition) would be satisfied.
Perhaps because we are on an internal network that we consider secure. So why would we need SELinux on that machine ? We would like not to have it, but we are not allowed to. We could disable it ..., but suddenly perhaps not ! What if SELinux becomes an object of a hacker attack ? We know that in order to remove SELinux to disinfect the system you have to remove everything else with it. How about that for a security concept ?
... Failure is a necessary part of progress. It's called learning. Without failure you have stasis.
Alan
JB
I think the Law of Requisite Variety does not apply here.
Feel free to think that, but I would suggest Beer's analysis of the US tax system is a direct match for the symptoms in SELinux, if you simply swap crackers in for tax specialists.
The model of a "control system" could be utilized in that system's "security" model.
Your security model is a control system. Its complexity depends upon the state you manage. In the case of file permissions systems you manage fairly small amounts of state - and most importantly with limited interconnectedness. That said people often get it wrong as early tools like Satan show.
You have a lot of state in the controlled system you don't manage because they are not states you need to distinguish.
Simple example is a heating system - to control a system that can do anything between 0 and 100C stably is more states than controlling the same system to do a single temperature where it only needs to worry about "too hot" and "too cold".
The same "control"/"security" model, however useful to analyze security, would not be subjected to that Law's statement if we decided that only one of them, namely networking component, is *required* to have (worth of) a corresponding security component, namely iptables.
The same laws still apply, but the system you are looking at is different.
Perhaps because we are on an internal network that we consider secure. So why would we need SELinux on that machine ? We would like not to have it, but we
If you consider your internal network secure and that all data passing through it is safe you could use telnet and get rid of all your passwords. In practice you'd question the assumption pretty hard.
are not allowed to. We could disable it ..., but suddenly perhaps not ! What if SELinux becomes an object of a hacker attack ? We know that in order to remove SELinux to disinfect the system you have to remove everything else
Actually you don't. You can just turn it off. The ability to do that or to use multiple different security plugins and models is part of the kernel. The user space libraries cope just fine with no SELinux present.
Alan
Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:
I think the Law of Requisite Variety does not apply here.
Feel free to think that, but I would suggest Beer's analysis of the US tax system is a direct match for the symptoms in SELinux, if you simply swap crackers in for tax specialists. ...
Actually, the US tax system is one of the best things there are - if Linux security were like that, hackers would have to look for a different source of fun. Remember, the Republic was established to, among others, secure "the right to happiness" :-)
One more shot at complex security.
Security *is* a part of a set of interactions between system components. It has to be able to mediate all sorts of complex interactions between components and decide which are permissible. All those components have state and all that state has to be managed. ...
Let's consider, as only one example of many, a society. The society is a complex system.
Every member of it needs some *basic* security (body, possessions, contract law, privacy), and for that purpose he is willing to water down a limited number of his own natural rights to form a government and delegate some powers to it to protect individual and thru that societal rights.
If the gov, in order to fulfill its obligations, had to mediate (oversee, monitor, spy, etc) all interactions of all citizens and institutions to make them "permissible", it would have to become a totalitarian Big Brother.
Instead, and what is expected it to be, it concentrates on the most important and sensitive components (people and institutions) and enforcement measures, and by that it reduces a complex problem to a manageable one.
By that it achieves a state of acceptable security.
Why can not we do that with security of a complex computer system ?
JB
Additionally, I note that quite a bit of the bandwidth on the Fedora and CentOS echoes relate to SELinux making ordinary people doing ordinary things difficult. It's a complex subsystem, and I don't need
So do file permissions, and people had the same moans about those when they came from DOS. Quite funny really.
Anyway, it's enough simply to say that I don't want it, for whatever reasons, and so I'm on my way not to using any Linux distro which forces it upon me.
Of course you could just boot with selinux disabled, it does have a boot option, but if you want to do it the hard way don't let anyone stop you.
Alan
to access my machine at all. I don't run Apache, sshd, or any other server which would allow ingress to my machine. I've never had anyone even attempt to get root access but me.
Most modern attacks are against web browsers so your logic is a bit flawed.
Perhaps you should investigate LFS (Linux From Scratch). It isn't that hard to build your own custom system which has exactly what you want on it, no more and no less.
With the proviso that you also then need to do your own security updates, package management and each one you do that is untested by others is in turn adding to the probability of flaws.
Fedora is quite probably not the right basepoint to build a very small mini-distro but I'm not sure LFS is the right way to go about it either.
Alan
Alan Cox wrote:
to access my machine at all. I don't run Apache, sshd, or any other server which would allow ingress to my machine. I've never had anyone even attempt to get root access but me.
Most modern attacks are against web browsers so your logic is a bit flawed.
Not flawed, but also not completely presented. You do have a point. However, my browser configuration is reasonable as well. There are always the exploits of unrepaired defects, of course. I try to keep my browser up to date as much as possible. Most of the attacks are aimed somewhat at Windows systems, however, so even if some software got loaded on my machine which I didn't request (so far none), it most likely couldn't actually execute on my machine.
I don't permit scripts to run on my browser. To keep a little privacy, I also don't permit cookies, though they aren't really a threat to the machine's security. No FLASH, no multimedia. My e-mail reader is set not to permit scripts nor to allow loading of images nor loading of files. It also isn't permitted to open links.
So, without scripts or FLASH (which has had a number of security flaws, I believe) or other multimedia "plugins" to exploit, I haven't had a problem with stuff getting sent to my machine w/o my knowledge and consent.
Perhaps you should investigate LFS (Linux From Scratch). It isn't that hard to build your own custom system which has exactly what you want on it, no more and no less.
With the proviso that you also then need to do your own security updates, package management and each one you do that is untested by others is in turn adding to the probability of flaws.
That's certainly true. I haven't claimed that the producers of the various distros don't do a "value added".
Fedora is quite probably not the right basepoint to build a very small mini-distro but I'm not sure LFS is the right way to go about it either.
Depends upon one's goals, I suppose. Gentoo is one way to have some reasonable control, as well, and puts less responsibility upon the system owner.
Since I was a professional software developer for more than twenty years, building from scratch and doing package management and version control are not in any way daunting to me. I have written a small RTOS, and supported three other hard real time systems over a period of fifteen years, so fiddling around with kernels and device drivers also isn't scary.
However, discussing the relative merits of various distros is likely not really germane to the Fedora list.
Mike