I'm never gonna use selinux, yet every new batch of updates seems to have yet another new version of a slew of selinux packages to download and install, with half of them wasting time doing find commands to do god knows what to every file on my system :-).
Out of idle curiosity, I asked yum what would happen if I tried to remove every rpm that has selinux in its description.
The result was that just about (maybe not even about) every single rpm on my system would be removed for dependencies.
Is there any set of selinux stuff I can actually remove?
Anyone working on an alternate repo of bizzaro-selinux packages that will satisfy the dependencies while only downloading a few hundred bytes and executing no complicated side effects when installed?
Or maybe a selinux free fedora spin?
Maybe on the more realistic side: How about a /etc/sysconfig/selinux variable I could set that would inform the rpms I'm never ever gonna enable selinux, and they can just skip all the time wasting nonsense they normally do when installed?
Tom Horsley wrote:
I'm never gonna use selinux, yet every new batch of updates seems to have yet another new version of a slew of selinux packages to download and install, with half of them wasting time doing find commands to do god knows what to every file on my system :-).
Out of idle curiosity, I asked yum what would happen if I tried to remove every rpm that has selinux in its description.
The result was that just about (maybe not even about) every single rpm on my system would be removed for dependencies.
Is there any set of selinux stuff I can actually remove?
Anyone working on an alternate repo of bizzaro-selinux packages that will satisfy the dependencies while only downloading a few hundred bytes and executing no complicated side effects when installed?
Or maybe a selinux free fedora spin?
Maybe on the more realistic side: How about a /etc/sysconfig/selinux variable I could set that would inform the rpms I'm never ever gonna enable selinux, and they can just skip all the time wasting nonsense they normally do when installed?
Except the very small libselinux package, you should be able to remove everything else. Note that there are other packages that are related to SELinux but don't have selinux in the package name. rpm -qa | grep -i policy should help find them. Remember to disable SELinux first if you haven't done so already.
Rahul
On Tue, 2007-06-26 at 21:29 -0400, Tom Horsley wrote:
I'm never gonna use selinux, yet every new batch of updates seems to have yet another new version of a slew of selinux packages to download and install, with half of them wasting time doing find commands to do god knows what to every file on my system :-).
I would think the easiest solution would be to disable it, and disable the services or cron scripts that do the drive trawling.
I have actually tried to uninstall selinux from my system & because everything seems to be dependent on it now it made the system irreparably unusable & had to reinstall the whole OS to get the system functional. The only thing you can do is disable selinux.
On 6/26/07, Tim ignored_mailbox@yahoo.com.au wrote:
On Tue, 2007-06-26 at 21:29 -0400, Tom Horsley wrote:
I'm never gonna use selinux, yet every new batch of updates seems to have yet another new version of a slew of selinux packages to download and install, with half of them wasting time doing find commands to do god knows what to every file on my system :-).
I would think the easiest solution would be to disable it, and disable the services or cron scripts that do the drive trawling.
-- [tim@bigblack ~]$ rm -rfd /*^H^H^H^H^H^H^H^H^H^Huname -ipr 2.6.21-1.3228.fc7 i686 i386
Using FC 4, 5, 6 & 7, plus CentOS 5. Today, it's FC7.
Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
On Wed, 27 Jun 2007 11:24:07 +0930 Tim ignored_mailbox@yahoo.com.au wrote:
I would think the easiest solution would be to disable it, and disable the services or cron scripts that do the drive trawling.
It appears to be a pre or post install script doing the work (at least when I see it taking forever to finish an install of some selinux rpm during yum update, a ps command usually shows a find command running as a child in the yum process tree).
Tom Horsley wrote:
I'm never gonna use selinux, yet every new batch of updates seems to have yet another new version of a slew of selinux packages to download and install, with half of them wasting time doing find commands to do god knows what to every file on my system :-).
Out of idle curiosity, I asked yum what would happen if I tried to remove every rpm that has selinux in its description.
The result was that just about (maybe not even about) every single rpm on my system would be removed for dependencies.
Is there any set of selinux stuff I can actually remove?
Anyone working on an alternate repo of bizzaro-selinux packages that will satisfy the dependencies while only downloading a few hundred bytes and executing no complicated side effects when installed?
Or maybe a selinux free fedora spin?
Maybe on the more realistic side: How about a /etc/sysconfig/selinux variable I could set that would inform the rpms I'm never ever gonna enable selinux, and they can just skip all the time wasting nonsense they normally do when installed?
Tom, we need to find the place in /etc/rc.d/init.d/ where we can turn selinux OFF! If you're not using it don't let init turn anything on. I will watch this computer come on and see if SELinux is turned on. I think it is.
Karl
Tom Horsley wrote:
Or maybe a selinux free fedora spin?
[snippage]
Why not? I don't want it on my machine, either. I suspect quite a few people would prefer not to have it. It could be made an optional part of the install. Putting selinux as a requirement into the individual packages is silly. If RPM is incapable of recognizing some sort of package dependency like "I play with these versions, but do not require any of them", then RPM needs an enhancement.
Mike
Mike McCarty wrote:
Tom Horsley wrote:
Or maybe a selinux free fedora spin?
[snippage]
Why not? I don't want it on my machine, either. I suspect quite a few people would prefer not to have it. It could be made an optional part of the install. Putting selinux as a requirement into the individual packages is silly. If RPM is incapable of recognizing some sort of package dependency like "I play with these versions, but do not require any of them", then RPM needs an enhancement.
Mike
Hi Mike, I looked at my dmesg and here is the part about selinux:
    SELinux: Completing initialization.
    SELinux: Setting up existing superblocks.
    SELinux: initialized (dev hdb5, type ext3), uses xattr
    SELinux: initialized (dev usbfs, type usbfs), uses genfs_contexts
    SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
    SELinux: initialized (dev debugfs, type debugfs), uses genfs_contexts
    SELinux: initialized (dev selinuxfs, type selinuxfs), uses genfs_contexts
    SELinux: initialized (dev mqueue, type mqueue), uses transition SIDs
    SELinux: initialized (dev hugetlbfs, type hugetlbfs), uses genfs_contexts
    SELinux: initialized (dev devpts, type devpts), uses transition SIDs
    SELinux: initialized (dev eventpollfs, type eventpollfs), uses task SIDs
    SELinux: initialized (dev inotifyfs, type inotifyfs), uses genfs_contexts
    SELinux: initialized (dev tmpfs, type tmpfs), uses transition SIDs
    SELinux: initialized (dev futexfs, type futexfs), uses genfs_contexts
    SELinux: initialized (dev pipefs, type pipefs), uses task SIDs
    SELinux: initialized (dev sockfs, type sockfs), uses task SIDs
    SELinux: initialized (dev cpuset, type cpuset), uses genfs_contexts
    SELinux: initialized (dev proc, type proc), uses genfs_contexts
    SELinux: initialized (dev bdev, type bdev), uses genfs_contexts
    SELinux: initialized (dev rootfs, type rootfs), uses genfs_contexts
    SELinux: initialized (dev sysfs, type sysfs), uses genfs_contexts
    audit(1183008052.901:2): policy loaded auid=4294967295

This tells me that init is running a selinux daemon and I know how to stop that I think. I looked at /etc/rc.d/init.d/ but no selinux switch. So I ask where in hell is it?

    [root@k5d init.d]# whereis selinux
    selinux: /etc/selinux /usr/include/selinux /usr/share/selinux /usr/share/man/man8/selinux.8.gz
    [root@k5d init.d]#
So there is some reading that needs doing.
Karl
Karl Larsen wrote:
This tells me that init is running a selinux daemon and I know how to stop that I think. I looked at /etc/rc.d/init.d/ but no selinux switch. So I ask where in hell is it?

    [root@k5d init.d]# whereis selinux
    selinux: /etc/selinux /usr/include/selinux /usr/share/selinux /usr/share/man/man8/selinux.8.gz
    [root@k5d init.d]#
So there is some reading that needs doing.
Karl,
The SELinux settings are contained in "/etc/sysconfig/selinux". I have SELinux disabled, and the file looks like this:
    [root@server ~]# cat /etc/sysconfig/selinux
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=disabled
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

Note that any changes to this file require a reboot to take effect. "sestatus" can then be used to verify the change:

    [root@server ~]# sestatus
    SELinux status:                 disabled
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
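
A check for the configured-versus-running state described in the message above, as an added example that is not part of the original post: it parses the SELINUX= line of the config file and compares it with the kernel's current mode, so a host that is disabled, permissive, or waiting on a reboot is flagged. The function names are hypothetical, and the selinuxfs path /sys/fs/selinux/enforce is an assumption (releases of this thread's era mounted selinuxfs at /selinux).

```sh
#!/bin/sh
# Added example (not from the thread): audit the SELinux mode configured for
# the next boot against the mode the kernel is running right now.

# Constructed sample input: the config file quoted in the message above.
sample_config() {
    cat <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
}

# Print the value of the last uncommented KEY=value line in FILE.
# $1 = config file, $2 = key (SELINUX or SELINUXTYPE). Exit 1 if absent.
selinux_config_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # commented-out settings do not count
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key "=") == 1) {     # "SELINUX=" never matches "SELINUXTYPE="
                val = substr(line, length(key) + 2)
                sub(/[ \t\r]+$/, "", val)
                found = 1
            }
        }
        END { if (found) print val; else exit 1 }
    ' "$1"
}

# Print enforcing|permissive|disabled as configured for the next boot.
# Prints "invalid" and returns 1 if SELINUX= is missing or unrecognised.
selinux_configured_mode() {
    mode=$(selinux_config_value "$1" SELINUX) || { echo invalid; return 1; }
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo invalid; return 1 ;;
    esac
}

# Print the mode the kernel is in now. $1 = selinuxfs "enforce" file
# (assumed default below). A missing file means selinuxfs is not mounted.
selinux_runtime_mode() {
    enforce_file=${1:-/sys/fs/selinux/enforce}
    if [ ! -r "$enforce_file" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# Print one verdict line. Exit status:
#   0 enforcing now and at next boot
#   1 both agree, but SELinux is permissive or disabled
#   2 config and kernel disagree (file edited, change not yet in effect)
#   3 config or kernel state could not be determined
selinux_audit() {
    cfg=${1:-/etc/sysconfig/selinux}
    configured=$(selinux_configured_mode "$cfg") ||
        { echo "ERROR: no valid SELINUX= in $cfg"; return 3; }
    running=$(selinux_runtime_mode "$2") ||
        { echo "ERROR: cannot read kernel enforce state"; return 3; }
    if [ "$configured" != "$running" ]; then
        echo "MISMATCH: configured=$configured running=$running"
        return 2
    fi
    if [ "$configured" = enforcing ]; then
        echo "OK: enforcing"
        return 0
    fi
    echo "WARN: SELinux is $configured"
    return 1
}

# Demo on constructed data: config says disabled, kernel still enforcing
# (the state between editing the file and rebooting).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_config > "$tmp/selinux"
    echo 1 > "$tmp/enforce"
    selinux_audit "$tmp/selinux" "$tmp/enforce"
    rm -rf "$tmp"
fi
```

Run with `--demo` to see the pre-reboot mismatch, or call `selinux_audit` with no arguments on a real host.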
Matthew J. Roth wrote:
Karl,
The SELinux settings are contained in "/etc/sysconfig/selinux". I have SELinux disabled, and the file looks like this:
    [root@server ~]# cat /etc/sysconfig/selinux
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #       enforcing - SELinux security policy is enforced.
    #       permissive - SELinux prints warnings instead of enforcing.
    #       disabled - SELinux is fully disabled.
    SELINUX=disabled
    # SELINUXTYPE= type of policy in use. Possible values are:
    #       targeted - Only targeted network daemons are protected.
    #       strict - Full SELinux protection.
    SELINUXTYPE=targeted

Note that any changes to this file require a reboot to take effect. "sestatus" can then be used to verify the change:

    [root@server ~]# sestatus
    SELinux status:                 disabled
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
Boy! What a gold mine of information! No reason for anyone to complain about selinux any more. I did what is above and it was easy with the joe editor. But I need to set it to put the original in /tmp/ :-) I'm tired of rm *~ which works but geeze.
Then a reboot and a test:
    [root@k5d ~]# sestatus
    SELinux status:                 disabled
    [root@k5d ~]#
So I can't complain about it again. It sure was a lot less obvious in FC4.
Karl
on 6/28/2007 3:13 PM, Karl Larsen wrote:
Boy! What a gold mine of information! No reason for anyone to complain about selinux any more. I did what is above and it was easy with the joe editor. But I need to set it to put the original in /tmp/ :-) I'm tired of rm *~ which works but geeze.
Then a reboot and a test:
    [root@k5d ~]# sestatus
    SELinux status:                 disabled
    [root@k5d ~]#
So I can't complain about it again. It sure was a lot less obvious in FC4.
Karl
Good for you!!!!
What you just did was something like:
Build a house. Put everything valuable that you own into it. Disable all of the locks. Open all of the windows and doors.
And then walk away.
Makes it really easy for the 'bad guys' to steal, or break, your stuff. Like that guy at the University that you mentioned earlier.
On Thu, 28 Jun 2007 16:14:25 -0700 David Boles dgboles@gmail.com wrote:
Good for you!!!!
What you just did was something like:
Build a house. Put everything valuable that you own into it. Disable all of the locks. Open all of the windows and doors.
And then walk away.
Nope, what he did was disable the alarm system inside the house that forces him to type his 16 digit passcode every time he wants to move from one room to the other or open the refrigerator, and refuses to let him sit in any new furniture he might buy until it has been taken apart, photographed from every angle, stamped with a seal of approval, and put back together again :-).
David Boles wrote:
on 6/28/2007 3:13 PM, Karl Larsen wrote:
[that he disabled SELinux]
Good for you!!!!
What you just did was something like:
Build a house. Put everything valuable that you own into it. Disable all of the locks. Open all of the windows and doors.
And then walk away.
Makes it really easy for the 'bad guys' to steal, or break, your stuff. Like that guy at the University that you mentioned earlier.
This is a completely unreasonable comparison.
First:
You have no idea how secure or insecure his machine is. Any machine with external access via modem etc. is insecure. Once one has such access, then one has only relative security. If he runs behind a hardware firewall, and has all ports closed or "stealthed", then he's as secure as one can be and still have connections. SELinux does not provide (AFAIK) any way to prevent compromise, only an attempt at containment after compromise.
Second:
I've seen industry estimates of approximately one defect per 50 non-commentary source code lines. How many lines of code are in SELinux? Divide by 50, and that's the estimated number of defects being introduced by loading that software onto your machine. So, loading SELinux onto your machine provides more opportunity for compromise via defect exploit. AFAIK, no one has actually done any scientific study as to whether a machine with SELinux active on it be any more secure than otherwise.
Until such time, efficacy in loading or not loading SELinux to achieve enhanced security is a matter of conjecture, opinion, and personal preference.
Mike
Mike McCarty wrote:
If he runs behind a hardware firewall, and has all ports closed or "stealthed", then he's as secure as one can be and still have connections.
SELinux is not related to any traditional firewalls at all just in case someone is confused about that still.
SELinux does not provide (AFAIK) any way to prevent compromise, only an attempt at containment after compromise.
Incorrect. It can do both.
AFAIK, no one has actually done any scientific study as to whether a machine with SELinux active on it be any more secure than otherwise.
If you consider practical situations where SELinux has prevented or mitigated the issue there are many. There have been innumerous studies on the effectiveness of MAC based security over traditional DAC security and they are scientific ones. Use Google.
Until such time, efficacy in loading or not loading SELinux to achieve enhanced security is a matter of conjecture, opinion, and personal preference.
It is very much not conjecture. Use any good search engine and do your own research rather than speculate. One point that should be noted is that unlike the original analogy SELinux is an additional security layer and turning it off does not equate to turning off all security measures and of course the management of SELinux needs and will improve with the continuous development of better user space tools but the underlying architecture is based on decades of research and work. NSA SELinux site has various docs on this.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
If he runs behind a hardware firewall, and has all ports closed or "stealthed", then he's as secure as one can be and still have connections.
SELinux is not related to any traditional firewalls at all just in case someone is confused about that still.
Agreed on this point. I hope what I wrote wouldn't cause anyone to think otherwise.
[snip]
Until such time, efficacy in loading or not loading SELinux to achieve enhanced security is a matter of conjecture, opinion, and personal preference.
It is very much not conjecture. Use any good search engine and do your own research rather than speculate. One point that should be noted is that
You mean like these security vulnerabilities introduced by SELinux:
http://www.nsa.gov/selinux/list-archive/0306/4468.cfm
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1052
http://www.gentoo.org/security/en/glsa/glsa-200510-22.xml
http://marc.info/?l=selinux&m=105492305125090&w=2
http://osvdb.org/displayvuln.php?osvdb_id=25232
It appears that SELinux can be disabled via a kernel exploit in FC6:
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html
For another "supporter" whose comments can actually be read as a criticism, see
http://lwn.net/Articles/111437/
Here's an example of a defect added to the kernel as a result of attempting to accommodate SELinux
http://projects.info-pull.com/mokb/MOKB-14-11-2006.html
unlike the original analogy SELinux is an additional security layer and turning it off does not equate to turning off all security measures
Also agreed that it is an additional security measure, though I wouldn't use the term "layer".
and of course the management of SELinux needs and will improve with the continuous development of better user space tools but the underlying architecture is based on decades of research and work. NSA SELinux site has various docs on this.
Spoken by a True Convert.
Mike
Mike McCarty wrote:
Until such time, efficacy in loading or not loading SELinux to achieve enhanced security is a matter of conjecture, opinion, and personal preference.
It is very much not conjecture. Use any good search engine and do your own research rather than speculate. One point that should be noted is that
You mean like these security vulnerabilities introduced by SELinux:
These vulnerabilities do not support your point that it is merely conjecture as long as there are provable advantages which it has. Are you going to argue that we should disable PAM and iptables because security issues have been found on them? I guess not.
Also agreed that it is an additional security measure, though I wouldn't use the term "layer".
Why not?
Spoken by a True Convert.
If you can't keep the argument technical you would do well by not participating in the discussion. Dragging this discussion to focus on me is completely unwarranted.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
[...]
You mean like these security vulnerabilities introduced by SELinux:
These vulnerabilities do not support your point that it is merely conjecture as long as there are provable advantages which it has. Are
What they show is that there are provable DISadvantages. No amount of weighing advantages on one side vs. disadvantages on the other is going to amount to proof of whether any individual person should or should not use it.
Clearly, not having any security measures at all is demonstrably worse than having some, by overwhelming evidence. Such is not the case for the "additional" security provided by SELinux.
you going to argue that we should disable PAM and iptables because security issues have been found on them? I guess not.
Partially, my point is that any time one modifies any package, no matter for what reason, there is the opportunity to introduce defects. Therefore, all applications which are affected by SELinux, potentially all of them, now have an opportunity for defects to be introduced; a circumstance which would not occur if not for SELinux.
Also, SELinux is itself a large chunk of code, with its own defects.
Also agreed that it is an additional security measure, though I wouldn't use the term "layer".
Why not?
The term "layer" indicates a single object with multiple parts, which support one another. SELinux is not a "layer" like in a cake. It is an adjunct, alongside the usual UNIX-like security measures present in all Linux systems. It does have certain wedge-like characteristics, in which it intrudes into other packages.
Spoken by a True Convert.
If you can't keep the argument technical you would do well by not participating in the discussion. Dragging this discussion to focus on me is completely unwarranted.
You expressed faith, which is purely personal. How else am I to comment? Keep your own comments technical, and you won't evoke such kinds of responses.
My bottom line: There is not overwhelming evidence that SELinux provides a net worthwhile increase in security of non secure systems. As long as this situation continues, then there is room for people like Karl not to want it on his machine.
I'm not lobbying for anyone to remove it. I'm not trying to convince anyone that it's a bad thing. I'm lobbying for people to have a CHOICE whether to install it, without also having to exercise the choice to use a different distro. I think that's only reasonable.
Mike
Mike McCarty wrote:
What they show is that there are provable DISadvantages. No amount of weighing advantages on one side vs. disadvantages on the other is going to amount to proof of whether any individual person should or should not use it.
No but your argument was that the advantages are merely conjecture and that is very clearly false.
Partially, my point is that any time one modifies any package, no matter for what reason, there is the opportunity to introduce defects.
This is a generic argument and you can apply it to any piece of code and indeed against new development. These overtly generic arguments bring nothing useful to the discussion.
You expressed faith, which is purely personal. How else am I to comment? Keep your own comments technical, and you won't evoke such kinds of responses.
No my comments were purely technical and had technical references and had nothing to do with faith. We aren't talking about religion here.
I'm not lobbying for anyone to remove it. I'm not trying to convince anyone that it's a bad thing. I'm lobbying for people to have a CHOICE whether to install it, without also having to exercise the choice to use a different distro. I think that's only reasonable.
You do have a choice not to use SELinux if it is not wanted by you which is reasonable. Not being able to install every small libraries is not really worth the effort. Like I said there are several core libraries which cannot be easily removed from Fedora.
Last I heard you were running Fedora Core 2 which has only strict policy disabled by default and you were not planning to move to any new version of Fedora. So any new development and choice is a theoretical benefit for anyone who has no practical experience with SELinux but if you consider the advantages of saving a few kilobytes worth the effort, talk to the SELinux developers, understand the best way to split up the packages (hint: this is pretty difficult to do and there have been past discussions on this that you can refer to first) and send patches. That would be much more reasonable than theoretical discussions.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
What they show is that there are provable DISadvantages. No amount of weighing advantages on one side vs. disadvantages on the other is going to amount to proof of whether any individual person should or should not use it.
No but your argument was that the advantages are merely conjecture and that is very clearly false.
No, that was not my argument. My argument is that people are commenting from a position of conjecture. There is no scientific conclusive study showing that SELinux unarguably improves security of machines. What is conjecture is that any given machine running SELinux is more secure than it would be not running SELinux.
Not one attack on my machine has made it past my router. Not one. My router sometimes logs thousands of attempts per month. I've been running since about October 2005. I'd say it's pretty debatable that my machine would be more secure with SELinux enabled.
Partially, my point is that any time one modifies any package, no matter for what reason, there is the opportunity to introduce defects.
This is a generic argument and you can apply it to any piece of code and indeed against new development. These overtly generic arguments bring nothing useful to the discussion.
Yes, they do. Because currently the onus is still on the side of proponents of SELinux to show that it is conclusively better than what already exists. The current argument is still in the stage wherein one should view SELinux with a jaundiced eye, and ask "Why should I add still more code, and its associated defects and vulnerabilities, to my computer?" rather than provide arguments not to.
Installing and running SELinux closes certain types of holes, and opens up some others. It is a certainty that running SELinux makes a machine more vulnerable in some respects. It is also a certainty that it increases the irritation factor in using what is actually a single user computer sitting on my desktop. It is possible that in some theoretical sense it improves the security of such a machine against attacks which will never actually occur. It is also possible that my router will some day allow someone into my machine.
OTOH, I do regular backups of all the information on my machine which I would miss if it were destroyed. This is something I do because I know that some day my machine will have a physical failure.
Also, I don't keep dangerous information on my machine, like bank account numbers.
You expressed faith, which is purely personal. How else am I to comment? Keep your own comments technical, and you won't evoke such kinds of responses.
No my comments were purely technical and had technical references and had nothing to do with faith. We aren't talking about religion here.
I quote:
"the management of SELinux needs and will improve with the continuous development of better user space tools"
That is faith, not a matter of technical fact.
[snip]
discussions on this that you can refer to first) and send patches. That would be much more reasonable than theoretical discussions.
I did not respond to what you wrote, you responded to me. I saw Karl ask for a change to FC which I thought was reasonable. I saw a response which was not a reasonable one, and responded to it. This is not a "theoretical" matter. A fellow was being roundly and unreasonably criticized for not wanting to run SELinux.
If I saw a request here asking how one would make root not have a password, I might comment that IMO it was a bad idea, but I wouldn't use sarcastic criticism[*] to try to convince him of that idea. I would supply the information on how to do it. Certainly, until one knows what the eventual goal of someone else is, it doesn't make sense to criticize it. Having root have no password is a reasonable thing for a LiveCD, for example.
[*] I don't mean to imply that you have been sarcastic at all. You've been a polite gentleman.
Mike
Mike McCarty wrote:
Rahul Sundaram wrote:
Mike McCarty wrote:
What they show is that there are provable DISadvantages. No amount of weighing advantages on one side vs. disadvantages on the other is going to amount to proof of whether any individual person should or should not use it.
No but your argument was that the advantages are merely conjecture and that is very clearly false.
No, that was not my argument. My argument is that people are commenting from a position of conjecture. There is no scientific conclusive study showing that SELinux unarguably improves security of machines.
There is. SELinux is a MAC security framework and is based on scientific studies over decades which clearly show their advantages. Again read some of the work at NSA SELinux site.
Not one attack on my machine has made it past my router. Not one. My router sometimes logs thousands of attempts per month. I've been running since about October 2005. I'd say it's pretty debatable that my machine would be more secure with SELinux enabled.
A machine running SELinux enabled is provably more secure than a machine running merely a firewall or router. They are not comparable security technologies.
Yes, they do. Because currently the onus is still on the side of proponents of SELinux to show that it is conclusively better than what already exists
... which they already have for those who bother to look.
I quote:
"the management of SELinux needs and will improve with the continuous development of better user space tools"
That is faith, not a matter of technical fact.
It is a fact because actual development work is being done on these user space tools as it has happened over several Fedora releases. It is undeniable and easily verifiable that SELinux user space tools have improved very heavily from the early introduction during FC2 time frame.
[snip] I did not respond to what you wrote, you responded to me. I saw Karl ask for a change to FC which I thought was reasonable. I saw a response which was not a reasonable one, and responded to it.
You actually missed out my very reasonable and clear answer and I had to respond to you again to point out that I have already answered the question you were asking which is not a new one and has been answered many times before and you have made several incorrect assumptions about SELinux which I had to correct.
So again, completely removing all SELinux libraries (as opposed to merely turning it off) is very intrusive and a significant amount of effort that does not offer any significant advantages but if you really want to put the effort and send patches you are welcome to do so. It is certainly easier than creating a different spin however which you were advocating for.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
No, that was not my argument. My argument is that people are commenting from a position of conjecture. There is no scientific conclusive study showing that SELinux unarguably improves security of machines.
There is. SELinux is a MAC security framework and is based on scientific studies over decades which clearly show their advantages. Again read some of the work at NSA SELinux site.
Mandatory Access Control is not a thing, it is a technique. SELinux is a thing, which may or may not be a good implementation of MAC.
Not one attack on my machine has made it past my router. Not one. My router sometimes logs thousands of attempts per month. I've been running since about October 2005. I'd say it's pretty debatable that my machine would be more secure with SELinux enabled.
A machine running SELinux enabled is provably more secure than a machine running merely a firewall or router. They are not comparable security technologies.
A machine running current SELinux implementation is provably less secure in some senses than one which is not.
Yes, they do. Because currently the onus is still on the side of proponents of SELinux to show that it is conclusively better than what already exists
... which they already have for those who bother to look.
I have already demonstrated that I have looked, I just disagree with you.
I quote:
"the management of SELinux needs and will improve with the continuous development of better user space tools"
That is faith, not a matter of technical fact.
It is a fact because actual development work is being done on these user
It is faith that SELinux will survive at all.
[snip]
So again, completely removing all SELinux libraries (as opposed to merely turning it off) is very intrusive and significant amount of effort that does not offer any significant advantages but if you really want to put the effort and send patches you are welcome to do so. It is certainly easier than creating a different spin however which you were advocating for.
Erm, ADDING SELinux was an intrusive effort, which is now difficult to undo.
Mike
Mike McCarty wrote:
A machine running current SELinux implementation is provably less secure in some senses than one which is not.
From a very recent security update for httpd.
Update Information:
The Apache HTTP Server did not verify that a process was an Apache child process before sending it signals. A local attacker with the ability to run scripts on the Apache HTTP Server could manipulate the scoreboard and cause arbitrary processes to be terminated which could lead to a denial of service (CVE-2007-3304). This issue is not exploitable on Fedora if using the default SELinux targeted policy.
Just a passing example.
Jim
Jim Cornette wrote:
Mike McCarty wrote:
A machine running current SELinux implementation is provably less secure in some senses than one which is not.
From a very recent security update for httpd.
Update Information:
The Apache HTTP Server did not verify that a process was an
[snip]
And I gave a few examples where running SELinux caused the machine to be more vulnerable.
[snip]
Just a passing example.
Indeed. Just as passing as the ones I gave. Read what I wrote above. I put in "in some senses" for a reason.
SELinux improves security in some senses, and reduces it in some other senses. It also unarguably makes administration of a machine more complex and involved. Whether the extra benefit be worth the extra complexity and vulnerabilities should be a personal decision at present.
Actually, it always will be, I suppose, like running root with no password. I won't do that, but I've seen some who do, or who use "root" or "toor" as the root password.
Mike
Mike McCarty wrote:
Jim Cornette wrote:
Mike McCarty wrote:
A machine running current SELinux implementation is provably less secure in some senses than one which is not.
From a very recent security update for httpd.
Update Information:
The Apache HTTP Server did not verify that a process was an
[snip]
And I gave a few examples where running SELinux caused the machine to be more vulnerable.
[snip]
Just a passing example.
Indeed. Just as passing as the ones I gave. Read what I wrote above. I put in "in some senses" for a reason.
I'll have to check out the info related to vulnerabilities. SELinux seems to be more of a system for denials rather than privilege escalation.
SELinux improves security in some senses, and reduces it in some other senses. It also unarguably makes administration of a machine more complex and involved. Whether the extra benefit be worth the extra complexity and vulnerabilities should be a personal decision at present.
No doubt the choice should be up to the person responsible for running the computer.
Mike
Mike McCarty wrote:
Rahul Sundaram wrote:
Mike McCarty wrote:
No, that was not my argument. My argument is that people are commenting from a position of conjecture. There is no scientific conclusive study showing that SELinux unarguably improves security of machines.
There is. SELinux is MAC security framework and is based on scientific studies over decades which clearly show their advantages. Again read some of the work at NSA SELinux site.
Mandatory Access Control is not a thing, it is a technique. SELinux is a thing, which may or may not be a good implementation of MAC.
There is lots of good evidence that SELinux is a good implementation. An example of this is LSPP and RBAC certification of RHEL 5 based on SELinux technology. You have zero practical experience with it.
I have already demonstrated that I have looked, I just disagree with you.
You haven't demonstrated that you looked at any of the research since you made obviously incorrect speculations about it in your earlier mails.
It is faith that SELinux will survive at all.
This is too broad a statement and speculative to be meaningful.
Erm, ADDING SELinux was an intrusive effort, which is now difficult to undo.
Nobody claimed it was easy to introduce a fundamental new security paradigm. You just prove my point that the effort to not install SELinux libraries offers pretty much no advantage over merely enabling or disabling it as required.
Rahul
On 6/28/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Rahul Sundaram wrote:
Mike McCarty wrote:
No, that was not my argument. My argument is that people are commenting from a position of conjecture. There is no scientific conclusive study showing that SELinux unarguably improves security of machines.
There is. SELinux is MAC security framework and is based on scientific studies over decades which clearly show their advantages. Again read some of the work at NSA SELinux site.
Mandatory Access Control is not a thing, it is a technique. SELinux is a thing, which may or may not be a good implementation of MAC.
Not one attack on my machine has made it past my router. Not one. My router sometimes logs thousands of attempts per month. I've been running since about October 2005. I'd say it's pretty debatable that my machine would be more secure with SELinux enabled.
A machine running SELinux enabled is provably more secure than a machine running merely a firewall or router. They are not comparable security technologies.
A machine running current SELinux implementation is provably less secure in some senses than one which is not.
I don't often agree with Rahul Sundaram, plus I get the feeling that he doesn't like me. But I can't stand by and have you spreading this kind of FUD, especially considering that you have admitted to _not_ using SELinux.
Please show some geek pride and not speak on this matter since by your own admission you have no recent experience with it.
Furthermore this claim of yours is extremely broad, and baseless.
[ snip ]
It is a fact because actual development work is being done on these user
It is faith that SELinux will survive at all.
How faith entered into a thread about software I have no idea.
[snip]
So again, completely removing all SELinux libraries (as opposed to merely turning it off) is very intrusive and significant amount of effort that does not offer any significant advantages but if you really want to put the effort and send patches you are welcome to do so. It is certainly easier than creating a different spin however which you were advocating for.
Erm, ADDING SELinux was an intrusive effort, which is now difficult to undo.
My thanks to all those who worked, and continue to work on SELinux
Arthur Pemberton wrote:
On 6/28/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
[snip]
A machine running current SELinux implementation is provably less secure in some senses than one which is not.
I don't often agree with Rahul Sundaram, plus I get the feeling that he doesn't like me. But I can't stand by and have you spreading this kind of FUD, especially considering that you have admitted to _not_ using SELinux.
No fear. No uncertainty. No doubt. If that's what you meant.
Please show some geek pride and not speak on this matter since by your own admission you have no recent experience with it.
Furthermore this claim of yours is extremely broad, and baseless.
It is neither of those. If you wish to continue this, please take it to private e-mail.
I already gave instances published by the US Government which demonstrate that machines which run SELinux are subject to attacks which would not otherwise have succeeded. If that's not what is meant by what I wrote, then I am hereby clarifying what I meant. In SOME senses, a machine running SELinux is less secure than one which does. In particular, there are security attacks which a machine without SELinux will not suffer compromise from, and which a machine running SELinux will suffer compromise from. These compromises include password capture, among other things.
That's not fear, it's not uncertain, and it's not in doubt, unless you think the govt. web sites are unreliable.
[snip]
Mike
On 7/3/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
On 6/28/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
[snip]
A machine running current SELinux implementation is provably less secure in some senses than one which is not.
I don't often agree with Rahul Sundaram, plus I get the feeling that he doesn't like me. But I can't stand by and have you spreading this kind of FUD, especially considering that you have admitted to _not_ using SELinux.
No fear. No uncertainty. No doubt. If that's what you meant.
Please show some geek pride and not speak on this matter since by your own admission you have no recent experience with it.
Furthermore this claim of yours is extremely broad, and baseless.
It is neither of those. If you wish to continue this, please take it to private e-mail.
I already gave instances published by the US Government which demonstrate that machines which run SELinux are subject to attacks which would not otherwise have succeeded.
Thanks for bringing my attention to that, went back through the thread and found those links.
As I expected, all those exploits/bugs, require local account access. I don't consider any system in which a local account is attacking the system's integrity to be very secure, do you? I say that to show that, in such a case, the presence of SELinux cannot be lowering the system's security that much - the attacker already has local access.
Now, SELinux helps to prevent a remote attacker from getting local access, and (as far as I know) it has no internet facing ports or other connections.
So in a case where a machine is being used to host several local accounts, and local multiuser usage, then I can accept that SELinux adds vulnerabilities, but even in that situation, I believe SELinux adds (security) more than it removes.
Arthur Pemberton wrote:
On 7/3/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
I already gave instances published by the US Government which demonstrate that machines which run SELinux are subject to attacks which would not otherwise have succeeded.
Thanks for bringing my attention to that, went back through the thread and found those links.
As I expected, all those exploits/bugs, require local account access.
Yes, no surprise there.
I don't consider any system in which a local account is attacking the system's integrity to be very secure, do you? I say that to show that,
I consider that any machine for which access is not physically assured not to be secure. If there is access which is not physically secured, as in no external connections, and no one is allowed to touch the machine physically, then it is not secure. This includes terminal connections, network connections, modems, etc. Once one has left total physical security, then one must accept that one does not have a secure machine, but an insecure one. Then we leave the realm of security, and enter the realm of relative security.
A machine which is not secure may be relatively secure compared to another machine. (The other machine may be the same machine, but running different software. For example, a machine when booted up under Linux may be relatively secure compared to the same machine booted under XP. Or with different external connections, etc.)
Running SELinux may make a machine relatively more secure in some senses, and yet make it relatively less secure in other senses.
in such a case, the presence of SELinux cannot be lowering the system's security that much - the attacker already has local access.
Yes. That's all I meant. That's why I used the qualifier "certain senses". In other senses, it may make a machine more secure.
Now, SELinux helps to prevent a remote attacker from getting local access, and (as far as I know) it has no internet facing ports or other connections.
It may help. It may not. It may help, but only minutely, or even only theoretically. If no attacker can get past my hardware firewall, then SELinux cannot improve security, but it may reduce stability and availability.
So in a case where a machine is being used to host several local accounts, and local multiuser usage, then I can accept that SELinux adds vulnerabilities, but even in that situation, I believe SELinux adds (security) more than it removes.
Well, now we have entered the arena you before described as FUD.
You believe it is better. Perhaps you are right by your own criteria. However, at present, there are no universally accepted criteria by which one may objectively evaluate whether any additional security added by SELinux exceeds its costs in reduced security in some areas, reduced availability and/or reliability, and increased maintenance costs.
At present, this is a subjective matter.
Mike
Mike McCarty wrote:
I quote:
"the management of SELinux needs and will improve with the continuous development of better user space tools"
That is faith, not a matter of technical fact.
Install F7, try out the SELinux Troubleshooter. It is a tool and surely did not simply appear without technically competent people and groups put down their time to the effort for improvement.
A fellow was being roundly and unreasonably criticized for not wanting to run SELinux.
How do we know that? Maybe he is a hacker foiled by SELinux preventing execution of his scripts on target machines.
If I saw a request here asking how one would make root not have a password, I might comment that IMO it was a bad idea, but I wouldn't use sarcastic criticism[*] to try to convince him of that idea. I would supply the information on how to do it. Certainly, until one knows what the eventual goal of someone else is, it doesn't make sense to criticize it. Having root have no password is a reasonable thing for a LiveCD, for example.
Interpretations are different. I read Get rid of needing to install anything SELinux completely or I'm changing to a different distro.
Mike
Jim Cornette wrote:
Mike McCarty wrote:
I quote:
"the management of SELinux needs and will improve with the continuous development of better user space tools"
That is faith, not a matter of technical fact.
Install F7, try out the SELinux Troubleshooter. It is a tool and surely
No, thanks.
[snip]
A fellow was being roundly and unreasonably criticized for not wanting to run SELinux.
How do we know that? Maybe he is a hacker foiled by SELinux preventing execution of his scripts on target machines.
Good point. OTOH, that's not what the criticism was about.
If I saw a request here asking how one would make root not have a password, I might comment that IMO it was a bad idea, but I wouldn't use sarcastic criticism[*] to try to convince him of that idea. I would supply the information on how to do it. Certainly, until one knows what the eventual goal of someone else is, it doesn't make sense to criticize it. Having root have no password is a reasonable thing for a LiveCD, for example.
Interpretations are different. I read Get rid of needing to install anything SELinux completely or I'm changing to a different distro.
That's not what I wrote. I was writing about the distro, not what my plans are. Personally, I don't want SELinux at present. That might change. I don't plan to install later versions of FC, but since that is upstream of RHEL and CentOS which I am likely to move to some day, I have a certain stake in this matter.
I have root set up with password and run as a "normal" user mostly to protect myself from mistakes. The standard commands use terse easy to mistype names which, if run as root, can do substantial damage when mistyped. So, I am very unlikely to do damage to my system when logged in as me. When I switch to root, I then take especial care to watch what I type, and look before I hit return.
Life is easier when you don't have servers running :-)
Life is also easier when you keep your machine backed up.
If I got rooted, I'd probably just install CentOS and reload from backup.
Mike
On Thu, 28 Jun 2007 21:17:40 -0500 Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Yes, they do. Because currently the onus is still on the side of proponents of SELinux to show that it is conclusively better than what already exists.
No, no, no, it isn't about the technology :-).
The true value of selinux will appear when redhat pays off enough Sarbanes-Oxley consultants to get the SOX community to declare all computers must run a security system which may not need to actually be selinux, but merely has to meet requirements which are cut & pasted from the selinux spec.
Then selinux becomes a mint for printing money :-).
Mike McCarty wrote:
Partially, my point is that any time one modifies any package, no matter for what reason, there is the opportunity to introduce defects. Therefore, all applications which are affected by SELinux, potentially all of them, now have an opportunity for defects to be introduced; a circumstance which would not occur if not for SELinux.
An earlier problem with at-spi took down a large range of programs because of a chain of programs linked to it. This has little to do with SELinux except to say that vulnerabilities which could have a domino effect could be halted from action if policy prevented abnormal operation from vulnerable programs.
Also, SELinux is itself a large chunk of code, with its own defects.
No doubt that it can become better as problems are spotted and addressed.
My bottom line: There is not overwhelming evidence that SELinux provides a net worthwhile increase in security of non secure systems. As long as this situation continues, then there is room for people like Karl not to want it on his machine.
I'm not lobbying for anyone to remove it. I'm not trying to convince anyone that it's a bad thing. I'm lobbying for people to have a CHOICE whether to install it, without also having to exercise the choice to use a different distro. I think that's only reasonable.
Why anyone would switch distros because of SELinux integration compared to the multimedia digital writes issues preventing out of the box multimedia support.
If they want it completely off of their systems maybe a new distro fork can be born from their desire to eradicate SELinux completely from their systems.
Jim
Mike
Mike McCarty wrote:
[snip]
I've seen industry estimates of approximately one defect per 50 non-commentary source code lines. How many lines of code are in
Here's an example of what I mean...
http://smartbear.com/docs/book/code-review-cisco-case-study.pdf
This study (perhaps the largest ever) found a range of between 10 and 130 defects per KLOC (non commentary source statements, NCSS). Their average was around 1 defect per 31 NCSS.
Mike
Mike McCarty wrote:
David Boles wrote:
on 6/28/2007 3:13 PM, Karl Larsen wrote:
[that he disabled SELinux]
Good for you!!!!
What you just did was something like:
Build a house. Put everything valuable that you own into it. Disable all of the locks. Open all of the windows and doors.
And then walk away.
Makes it really easy for the 'bad guys' to steal, or break, your stuff. Like that guy at the University that you mentioned earlier.
This is a completely unreasonable comparison.
First:
You have no idea how secure or insecure his machine is. Any machine with external access via modem etc. is insecure. Once one has such access, then one has only relative security. If he runs behind a hardware firewall, and has all ports closed or "stealthed", then he's as secure as one can be and still have connections. SELinux does not provide (AFAIK) any way to prevent compromise, only an attempt at containment after compromise.
Second:
I've seen industry estimates of approximately one defect per 50 non-commentary source code lines. How many lines of code are in SELinux? Divide by 50, and that's the estimated number of defects being introduced by loading that software onto your machine. So, loading SELinux onto your machine provides more opportunity for compromise via defect exploit. AFAIK, no one has actually done any scientific study as to whether a machine with SELinux active on it be any more secure than otherwise.
Until such time, efficacy in loading or not loading SELinux to achieve enhanced security is a matter of conjecture, opinion, and personal preference.
Mike
Hi Mike, exactly. I have DSL Internet and the 4 port router has hardware firewall and then you hit the red hat linux firewall and then you try to guess the root password or ANY password and then you're in.
In 12 years no-one has made it. Been close however.
Karl
On Thu, 2007-06-28 at 18:00 -0600, Karl Larsen wrote:
I have DSL Internet and the 4 port router has hardware firewall and then you hit the red hat linux firewall and then you try to guess the root password or ANY password and then you're in.
In 12 years no-one has made it. Been close however.
And do you disable Java and JavaScript in your web browsers? If you don't, as you browse many websites you're running unknown programs on your computer. While SELinux, or its ilk, are no guarantees that you'll be safe, they help to make things safer. External threats to a computer are not just outsiders trying to connect to a port.
David Boles wrote:
Good for you!!!!
What you just did was something like:
Build a house. Put everything valuable that you own into it. Disable all of the locks. Open all of the windows and doors.
And then walk away.
Makes it really easy for the 'bad guys' to steal, or break, your stuff. Like that guy at the University that you mentioned earlier.
So you're claiming that with SELinux disabled, a linux computer has almost no protection from abuse? Please back that claim up with data to prove it. Either that or lay off the hyperbole, please.
SELinux is yet another layer of security on a reasonably secure OS. But I've had servers running on the net for years that have not been successfully hacked. And I sleep fine at night without any feeling that my windows and doors are all open to the world.
on 6/28/2007 4:38 PM, Todd Zullinger wrote:
David Boles wrote:
Good for you!!!!
What you just did was something like:
Build a house. Put everything valuable that you own into it. Disable all of the locks. Open all of the windows and doors.
And then walk away.
Makes it really easy for the 'bad guys' to steal, or break, your stuff. Like that guy at the University that you mentioned earlier.
So you're claiming that with SELinux disabled, a linux computer has almost no protection from abuse? Please back that claim up with data to prove it. Either that or lay off the hyperbole, please.
SELinux is yet another layer of security on a reasonably secure OS. But I've had servers running on the net for years that have not been successfully hacked. And I sleep fine at night without any feeling that my windows and doors are all open to the world.
No I am not. But if you look very carefully at what SELinux actually does it might make sense to you. All of those 'really bad boy' Trojans, key-loggers, pop-ups' and stuff like that get to 'do their thing' in Windows because there is nothing watching and saying 'now wait a minute - what do you think you are doing here? No you don't'. With SELinux you can make 'exceptions' for certain things just like you do with your firewall.
Oh yeah. I forgot. That 'stuff' does not affect Linux. Yet. But it will. Someday. Just as soon as the 'bad boys' start to think of Linux as a real OS and not a Geek Toy for funny looking home users. ;-)
And the people most vulnerable? Those that use precompiled, closed source, applications and files.
You want to disable it for yourself? Sure. Help yourself. Do that. But to suggest that everyone do that because you find it a PITA is wrong. IMHO.
David Boles wrote:
[snip]
You want to disable it for yourself? Sure. Help yourself. Do that. But to suggest that everyone do that because you find it a PITA is wrong. IMHO.
I didn't see anyone advocate what you argue against. I saw some advocate not to be forced to install it when they don't want it, in order to use FC.
Mike
on 6/28/2007 6:16 PM, Mike McCarty wrote:
David Boles wrote:
[snip]
You want to disable it for yourself? Sure. Help yourself. Do that. But to suggest that everyone do that because you find it a PITA is wrong. IMHO.
I didn't see anyone advocate what you argue against. I saw some advocate not to be forced to install it when they don't want it, in order to use FC.
Mike
The main 'piece' that you don't want, as I understand it which is not that well BTW, is in the kernel. The 'major' parts, SELinux, that you speak of can be disabled. Like turning off a light. The 'massive rpm downloads' you refer to do not exist but can be avoided by excluding them from updates.
Next rant? ;-)
David Boles wrote:
on 6/28/2007 6:16 PM, Mike McCarty wrote:
David Boles wrote:
[snip]
You want to disable it for yourself? Sure. Help yourself. Do that. But to suggest that everyone do that because you find it a PITA is wrong. IMHO.
I didn't see anyone advocate what you argue against. I saw some advocate not to be forced to install it when they don't want it, in order to use FC.
Mike
The main 'piece' that you don't want, as I understand it which is not that
The fellow who doesn't want SELinux on his machine is Karl, not me.
well BTW, is in the kernel. The 'major' parts, SELinux, that you speak of can be disabled. Like turning off a light. The 'massive rpm downloads' you refer to do not exist but can be avoided by excluding them from updates.
I did not refer to any "massive rpm downloads" in any of my messages.
Next rant? ;-)
Check to whom you speak. Nothing you wrote seems to apply to me.
SELinux is already inactive on my machine. The daemon isn't even running.
Mike
Karl Larsen wrote:
This tells me that init is running a selinux demon and I know how to stop that I think. I looked at /etc/rc.d/init.d/ but no selinux switch. So I ask where in hell is it?
    [root@k5d init.d]# whereis selinux
    selinux: /etc/selinux /usr/include/selinux /usr/share/selinux /usr/share/man/man8/selinux.8.gz
    [root@k5d init.d]#
So there is some reading that needs doing.
Karl,
The SELinux settings are contained in "/etc/sysconfig/selinux". I have SELinux disabled, and the file looks like this:
    [root@server ~]# cat /etc/sysconfig/selinux
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    # enforcing - SELinux security policy is enforced.
    # permissive - SELinux prints warnings instead of enforcing.
    # disabled - SELinux is fully disabled.
    SELINUX=disabled
    # SELINUXTYPE= type of policy in use. Possible values are:
    # targeted - Only targeted network daemons are protected.
    # strict - Full SELinux protection.
    SELINUXTYPE=targeted

Note that any changes to this file require a reboot to take effect. "sestatus" can then be used to verify the change:

    [root@server ~]# sestatus
    SELinux status: disabled
Matthew Roth InterMedia Marketing Solutions Software Engineer and Systems Developer
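
An audit of the config file quoted in the message above, as an added example that is not part of the original thread: it parses a file in that format, checks each key against the values the file's own comments list, and reports whether policy will be enforced at the next boot. The function names and sample files are constructed for illustration, and treating a duplicated key as an error is this script's choice, not documented SELinux behaviour.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Accepted values come from the comments in the config file quoted above.

# Print every value assigned to KEY ($2) in FILE ($1), one per line.
# Comments (# to end of line) and surrounding whitespace are dropped.
cfg_values() {
    sed -n -e 's/[[:space:]]*#.*$//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*\$/\1/p" "$1"
}

# Check that KEY ($2) in FILE ($1) is set exactly once to one of the
# space-separated values in $3. Returns 0 if so, 2 otherwise.
check_key() {
    vals=$(cfg_values "$1" "$2")
    count=$(printf '%s\n' "$vals" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "ERROR $2 is missing or empty"
        return 2
    elif [ "$count" -gt 1 ]; then
        echo "ERROR $2 is assigned $count times"
        return 2
    fi
    for ok in $3; do
        [ "$vals" = "$ok" ] && { echo "OK $2=$vals"; return 0; }
    done
    echo "ERROR $2=$vals is not one of: $3"
    return 2
}

# Audit one config file. Prints one finding per line and returns:
#   0 = enforcing with a known policy type
#   1 = valid file, but policy will not be enforced (permissive/disabled)
#   2 = unreadable file, or a key is missing, duplicated or unknown
selinux_cfg_audit() {
    [ -r "$1" ] || { echo "ERROR cannot read $1"; return 2; }
    rc=0
    check_key "$1" SELINUX "enforcing permissive disabled" || rc=2
    check_key "$1" SELINUXTYPE "targeted strict" || rc=2
    [ "$rc" -eq 0 ] || return "$rc"
    mode=$(cfg_values "$1" SELINUX)
    case $mode in
        enforcing)  echo "OK policy is enforced at next boot" ;;
        permissive) echo "WARN denials are only logged, not blocked"; rc=1 ;;
        disabled)   echo "WARN SELinux is off at next boot"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample files: the disabled file from the message above
# (abridged), an enforcing one, and one where the wrong line was edited.
write_samples() {
    cat > "$1/disabled.conf" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=disabled
# SELINUXTYPE= type of policy in use.
SELINUXTYPE=targeted
EOF
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$1/enforcing.conf"
    printf 'SELINUX=enforcing\nSELINUXTYPE=disabled\n' > "$1/wrongline.conf"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in disabled enforcing wrongline; do
    echo "== $f.conf"
    selinux_cfg_audit "$demo_dir/$f.conf" || echo "   (exit status $?)"
done
rm -rf "$demo_dir"
```

On a real system the same function can be pointed at /etc/sysconfig/selinux; it reads the configured boot-time state only, so "sestatus" is still the check for what is active now.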