Hello,
Trying to install the intel compiler, I get:

Your system is protected with Security-enhanced Linux (SELinux). We currently support only "Permissive" mode, which is not found on the system. To rectify this issue, you may either disable SELinux by
- setting the line "SELINUX=disabled" in your /etc/sysconfig/selinux file
- adding "selinux=0" kernel argument in lilo.conf or grub.conf files
or make SELinux mode adjustment by
- setting the line "SELINUX=permissive" in your /etc/sysconfig/selinux file
or ask your system administrator to make SELinux mode adjustment.

Would you just turn off SELinux? I know I need to learn about SELinux!
Thanks.
On Mon, 30 Aug 2010 13:12:14 +0100 (BST) Patrick Dupre wrote:
Would you just turn off SELinux? I know I need to learn about SELinux!
Well, here's my opinion of selinux:
http://home.comcast.net/~tomhorsley/wisdom/braindump/selinux.html
No doubt there are those who disagree though :-).
On 30 August 2010 13:27, Tom Horsley horsley1953@gmail.com wrote:
On Mon, 30 Aug 2010 13:12:14 +0100 (BST) Patrick Dupre wrote:
Would you just turn off SELinux? I know I need to learn about SELinux!
Well, here's my opinion of selinux:
http://home.comcast.net/~tomhorsley/wisdom/braindump/selinux.html
No doubt there are those who disagree though :-).
I'm not saying whether I agree or disagree, but I do like to see a little more evidence and references when people quote "Facts". I realise this is your opinion, but you're making statements labelled as facts without backing that up... bad karma...
-- Sam
http://home.comcast.net/~tomhorsley/wisdom/braindump/selinux.html
No doubt there are those who disagree though :-).
Indeed - I think I'd consider a consultant who did that on my systems as setting themselves up for a negligence lawsuit if the box got hacked.
Alan
Alan Cox <alan <at> lxorguk.ukuu.org.uk> writes:
http://home.comcast.net/~tomhorsley/wisdom/braindump/selinux.html
No doubt there are those who disagree though.
Indeed - I think I'd consider a consultant who did that on my systems as setting themselves up for a negligence lawsuit if the box got hacked.
Alan
Hi, Well, if selinux is the best thing that happened to security since sliced bread, then why do people make these comments?
http://en.wikipedia.org/wiki/Security-Enhanced_Linux ... Overall, the reception to SELINUX has been mixed in the Linux community with various sys-admins preferring to stay away from it because of the usage issues. ...
http://articles.techrepublic.com.com/5100-10878_11-6156411.html ... SELinux is a mystery to a lot of people. During Linux installation, most administrators either disable the feature or turn it on without knowing exactly what it will do to their systems. ...
http://www.linuxsecurity.com/content/view/129763 (comments)
"too much damn control", written by pauly on 2007-09-28 14:13:42: why should i have to undo controls just to use programs - its seen as unnecessary for the desktop and most people use desktops.
"SELinux", written by Jon on 2007-10-01 08:07:07: For desktop users it might take to much time to get working right, but all servers should have SELInux turned on.
"SELinux on a server", written by johnny on 2007-10-03 09:30:20: One compromise approach is to switch SELinux to permissive mode until it's settled down and nicely configured, and then switch back to enforcing mode and leave it that way until permissive mode is really needed during a major change to the server. Changes that big should be infrequent. Agreed that it needs to be simplified for desktop users.
"Often enough it's difficult enough just to configure and get a new subsystem up and running ...", written by Jim Dennis on 2008-04-10 12:38:24: ... adding SELinux over the top of that is just too onerous for the majority of professional sys admins (let alone normal users). (Even good admins periodically have to spend hours chasing down obscure permissions issues just using the stock 4 octets modes on normal UNIX files and directories). I wouldn't even consider deploying SELinux in an organization of any size or complexity without dedicating at least one full-time security specialist to managing its policies and supporting admins and developers through every new application deployment. That's an expectation which must be firmly and clearly set with management before they attempt any sort of SELinux adoption.
http://lwn.net/Articles/365224/ SELinux ... It is a highly flexible system, but also highly complex; even a minimal SELinux policy can involve thousands of rules. The complexity of SELinux has almost certainly inhibited its adoption in the broader Linux community; when SELinux gets in the way of real work, figuring out how to fix it can be a nontrivial task. Over the years, many administrators have concluded, like Ted Ts'o, that "life is too short for SELinux."
Here is that article by Ted Ts'o: http://lwn.net/Articles/252588/ ... Why do security people think they have the ability to dictate to application writers that they use specialized API's or write arcane security policies?
And I could go on and on ... JB
On Tuesday, August 31, 2010 01:15:15 JB wrote:
Well, if selinux is the best thing that happened to security since sliced bread, then why do people make these comments?
Umm, let me see... :-)
(a) because SELinux has a learning curve; (b) because SELinux uncovers bad admin practices by breaking lousy configured apps, and thus uncovers admin incompetence; (c) because SELinux security policies needed some time to mature to a usable state; (d) because people don't like to give up their (bad) habits and accept more strict rules, even when those rules are for their own benefit.
For example, the very first thing a Windows convert whines about in Linux is having to deal with those ugly stupid "rwxrwxrwx" things that make his life so miserable. And he hates having to learn about chown and chmod, let alone those dreaded man pages that are sooooo cryptic... But the fact that all Windows converts regularly whine about permissions doesn't make them right.
Ditto for SELinux.
As to your examples:
http://en.wikipedia.org/wiki/Security-Enhanced_Linux ... Overall, the reception to SELINUX has been mixed in the Linux community with various sys-admins preferring to stay away from it because of the usage issues. ...
You failed to quote Wikipedia's "citation needed" tag at the end of this sentence.
http://articles.techrepublic.com.com/5100-10878_11-6156411.html
This article is from 2007. A lot has changed since then.
This article (and most of the comments) is from 2007. A lot has changed since then.
This article is from 2007. A lot has changed since then. (Am I repeating myself here?)
Aaah, this one is from December 2009, much more recent... :-)
SELinux ... It is a highly flexible system, but also highly complex; even a minimal SELinux policy can involve thousands of rules. The complexity of SELinux has almost certainly inhibited its adoption in the broader Linux community; when SELinux gets in the way of real work, figuring out how to fix it can be a nontrivial task. Over the years, many administrators have concluded, like Ted Ts'o, that "life is too short for SELinux."
How about continuing the quote into the next paragraph:
"That said, Fedora and Red Hat have slowly made progress in using SELinux to confine parts of the system without creating too much user pain. And there is certainly a place for more comprehensive security models in general."
And I could go on and on ...
I didn't bother to read the articles you quoted. First of all, they are just obsolete, given the time when they were written. Second, since SELinux was first introduced, I haven't seen a single reasonable and convincing argument against using it. People just whine that it's cryptic, that it gets in the way when they try to do something (wrong?), and that they don't like it. Those are not real and convincing arguments.
The only critique that came even remotely close to reason was that running SELinux produces a performance penalty, while having no gain if the machine is not exposed to Internet. But in those cases one can just disable it to gain back the performance, provided that security is not an issue.
All my current servers and desktops have SELinux in enforcing mode, and I haven't seen a single AVC denial for two years now (since Fedora 9, to be precise). The only exception was when a script-kiddie managed to guess a ssh password of one of my users, and then tried to escalate to root. The attack was unsuccessful mostly because of SELinux --- I saw a whole bunch of denials, and managed to recover from the intrusion without having to wipe&reinstall the whole system. That was my firsthand experience that SELinux is actually quite useful and effective.
Of course, if you are smart enough to protect your system without SELinux, or stupid enough to believe you cannot benefit from its protection, feel free to disable it. You are also free to shut down the firewall, use your desktop from a root account, publish your root password on the web, etc. :-)
Best, :-) Marko
Marko Vojinovic <vvmarko <at> gmail.com> writes:
... That was my firsthand experience that SELinux is actually quite useful and effective.
Of course, if you are smart enough to protect your system without SELinux, or stupid enough to believe you cannot benefit from its protection, feel free to disable it. You are also free to shut down the firewall, use your desktop from a root account, publish your root password on the web, etc.
Best, Marko
Hi, Please follow me.
System - Administration - SELinux Management
Can you see that checkbox labeled "Relabel on next reboot."? Place your mouse cursor on that label. Can you see this?
"Select if you wish to relabel then entire file system on next reboot. Relabeling can take a very long time, depending on the size of the system. If you are changing policy types or going from disabled to enforcing, a relabel is required."
OK. ... well, in the meantime, let's be fruitful, multiply, join our hands and sing together ... :-)
Hello. Is there anybody in there? (Comfortably Numb, Pink Floyd: http://www.youtube.com/watch?v=ZB1cNkC71vE)
JB
Well, if selinux is the best thing that happened to security since sliced bread, then why do people make these comments?
http://en.wikipedia.org/wiki/Security-Enhanced_Linux ... Overall, the reception to SELINUX has been mixed in the Linux community with various sys-admins preferring to stay away from it because of the usage issues.
Lots of people don't understand it - sadly often the same people who couldn't cope with firewalls, who fought smartcards, and sometimes the same people who put getting to the pub before doing the job right.
And I could go on and on ...
Yes. And a quick look at our local newspaper suggests I can provide a similar stream of comments for or against anything else with the same level of informed content 8)
Do you understand the details of how your airbag system works, or how your ABS braking works? Can you model the crumple zones of a car, or do you just get in and put up with the little safety inconveniences like the weight of the doors, the length of the vehicle, the seatbelts?
Alan
On 31/08/10 11:22, Alan Cox wrote:
Do you understand the details of how your airbag system works, or how your ABS braking works? Can you model the crumple zones of a car, or do you just get in and put up with the little safety inconveniences like the weight of the doors, the length of the vehicle, the seatbelts?
Why do people always pick examples of features with an easy user interface when the fact with selinux is that the user interface is totally incomprehensible for the ordinary home user. I for one disable selinux because I don't want to waste time with learning how to use it. And I have now used red hat/fedora since 2002 without losing one single e-mail or having suffered from any of the horrors that some believe I am risking.
I don't debate the functionality of selinux just the difficulty in using it and the apparent lack of relevance.
On Tuesday, August 31, 2010 21:18:16 Erik P. Olsen wrote:
On 31/08/10 11:22, Alan Cox wrote:
Do you understand the details of how your airbag system works, or how your ABS braking works? Can you model the crumple zones of a car, or do you just get in and put up with the little safety inconveniences like the weight of the doors, the length of the vehicle, the seatbelts?
Why do people always pick examples of features with an easy user interface when the fact with selinux is that the user interface is totally incomprehensible for the ordinary home user. I for one disable selinux because I don't want to waste time with learning how to use it.
The user interface of SELinux is the most trivial one possible --- it is supposed to Just Work, completely transparently. An ordinary user should never get into a situation to ever interact with SELinux policy.
If you do get an AVC denial and a warning in the system tray, something is *wrong* with the machine. Either you are trying to do something you shouldn't, or someone else is. In both cases you are better off investigating what went wrong and correcting the cause of the denial, rather than modifying the policy to allow the rogue access.
The analogy with ABS would be you trying to tinker with the wheel lock-up detection system in order to tweak it to work differently (and probably less safely than the factory default). The user interface for that simply doesn't exist on an ABS system, and you need detailed technical knowledge on how to tinker with it. And as a regular user you should never do that.
SELinux is the same --- in normal usage you simply don't interact with it. That is the easiest "user interface" imaginable. If you want to tinker with it, you need detailed technical knowledge on how to do it.
The issue here is that a lot of people are used to the *wrong* idea that SELinux is the one needing adjustment when something goes wrong. Today this is rarely the case (it was more frequent in the past, but not anymore), and you should file a bugzilla if it happens. What typically needs adjustment is the cause of the AVC denial, i.e. the program that caused the denial, or the user who is manipulating the program and files in a wrong way.
How many times did you get into a situation to execute some command, only to be responded with a "permission denied, you are not root" kind of message? When that happens, who is at fault? Do you go change the permissions of relevant files to allow access to yourself, or do you understand that you are trying to do something in the wrong way, and adjust your own behavior?
Some people like logging in as root and having root privileges all the time, because of the illusion that it is easier. But aside from some special cases, that is very well known to be a Bad Idea. Ditto for disabling SELinux.
And in regular use, you just shouldn't need to adjust SELinux policy, and therefore should not need any user interface for it. Anything else is a bug, and nowadays typically not in the policy but somewhere else.
Best, :-) Marko
Why do people always pick examples of features with an easy user interface when the fact with selinux is that the user interface is totally incomprehensible for the ordinary home user. I for one disable selinux because I don't want to waste time
The ordinary home user shouldn't even notice it is enabled, which has been the case for some time now. In the early days it did most definitely get in the way - just as early distros had permission problems that needed ironing out.
Very occasionally you hit stuff in a home user environment - usually non-Fedora packages. It's only when you are doing custom web and server stuff that it gets noticeable and you have to read the two pages or so of documentation on labelling cgi; it's non-trivial, and it's rare that it gets hard, but some weird cases are fun (eg printing files from a cgi script).
with learning how to use it. And I have now used red hat/fedora since 2002 without losing one single e-mail or having suffered from any of the horrors that some believe I am risking.
Is that the "I talk on my mobile phone while driving but it's ok as I've not killed anyone yet" argument?
Alan
On Tue, 2010-08-31 at 00:15 +0000, JB wrote:
Well, if selinux is the best thing that happened to security since sliced bread, then why do people make these comments?
Because people like to bitch, particularly the ignorant ones.
Why do security people think they have the ability to dictate to application writers that they use specialized API's or write arcane security policies?
Gee, that's a tough one. Probably because security people know more about security than non-security-aware programmers...
On Mon, Aug 30, 2010 at 8:15 PM, JB jb.1234abcd@gmail.com wrote:
Well, if selinux is the best thing that happened to security since sliced bread, then why do people make these comments?
http://en.wikipedia.org/wiki/Security-Enhanced_Linux ... Overall, the reception to SELINUX has been mixed in the Linux community with various sys-admins preferring to stay away from it because of the usage issues. ...
http://articles.techrepublic.com.com/5100-10878_11-6156411.html ... SELinux is a mystery to a lot of people. During Linux installation, most administrators either disable the feature or turn it on without knowing exactly what it will do to their systems. ...
The learning curve is relatively high. When I first deployed it, it took a couple days of experimentation to get it to where apps weren't complaining. Once it's done though, it has been pain free. Interesting note is that if you check through the Bugzillas, there are a few security errata that SELinux will prevent from being exploitable.
The default configurations are getting a lot better as they now set the proper contexts. I remember not long ago application installations would often fail because the firewalls weren't configured at the same time. SELinux may be the same way. The major apps are ready, but total acceptance may not happen until the RPM/yum tools can auto-magically set the proper contexts or at least do some of the initial grunt work in getting the app to work. It's happening though...
The audit subsystem is in a similar situation. Initially it was a PITA to configure. A front-end tool would make things simpler rather than editing rules directly and may drive acceptance.
The thing is, with heightened PCI awareness and more stringent requirements, it's only a matter of time. auditd is a requirement. iptables is a requirement. So is anti-virus, configuration management, and rigid authentication policies. ACLs will probably become a requirement. SELinux is required on some systems. Only a matter of time...
Patrick Dupre <pd520 <at> york.ac.uk> writes:
Hello,
Trying to install the intel compiler, I get:

Your system is protected with Security-enhanced Linux (SELinux). We currently support only "Permissive" mode, which is not found on the system. To rectify this issue, you may either disable SELinux by
- setting the line "SELINUX=disabled" in your /etc/sysconfig/selinux file
- adding "selinux=0" kernel argument in lilo.conf or grub.conf files
or make SELinux mode adjustment by
- setting the line "SELINUX=permissive" in your /etc/sysconfig/selinux file
or ask your system administrator to make SELinux mode adjustment.

Would you just turn off SELinux? I know I need to learn about SELinux!
Thanks.
Enforcing mode = Security policy decisions are enforced, policy violations are logged.
Permissive mode = Security policy decisions are not enforced, policy violations are logged.
Disabled = Security policy decisions are not computed.
So, permissive mode is only useful for policy development. If you do not, you may as well disable selinux.
JB
On Mon, Aug 30, 2010 at 12:43:39 +0000, JB jb.1234abcd@gmail.com wrote:
So, permissive mode is only useful for policy development. If you do not, you may as well disable selinux. JB
Permissive mode keeps files properly labelled. If you ever use disabled mode, you need to do a relabel if you go back to permissive or enforcing. You really want permissive unless you know you plan to use disabled for the foreseeable future.
On 08/30/2010 08:12 AM, Patrick Dupre wrote:
Hello,
Trying to install the intel compiler, I get:

Your system is protected with Security-enhanced Linux (SELinux). We currently support only "Permissive" mode, which is not found on the system. To rectify this issue, you may either disable SELinux by
- setting the line "SELINUX=disabled" in your /etc/sysconfig/selinux file
- adding "selinux=0" kernel argument in lilo.conf or grub.conf files
or make SELinux mode adjustment by
- setting the line "SELINUX=permissive" in your /etc/sysconfig/selinux file
or ask your system administrator to make SELinux mode adjustment.

Would you just turn off SELinux? I know I need to learn about SELinux!
Thanks.
Patrick, I have no idea why Intel would require SELinux in permissive mode to install. Actually it might have something to do with the exec* checks.
If you turned off the execmod and execstack check, the intel compiler should be able to install without any problems.
# setsebool allow_execstack=1 allow_execmod=1
I would bet that it will work without you setting it to permissive mode, but you can temporarily set it to permissive mode by executing
# setenforce 0
Then install the package.
# setenforce 1
Puts the machine back into enforcing mode.
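An added example, not code from the thread or from any of its posters: it wraps the setenforce 0 / install / setenforce 1 step from the reply above in a script that only ever drops to permissive (never disabled, so file labels stay correct, as the earlier replies on modes and relabelling point out), restores the previous mode on any exit, and summarizes the AVC denials that permissive mode still logs. It assumes the standard getenforce, setenforce and ausearch tools; the config file, audit records and INSTALLER variable are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the thread). Temporary permissive window around an
# installer: never "disabled", previous mode restored on any exit, and the
# denials logged during the window summarized so the real cause can be fixed.
# Assumes getenforce/setenforce/ausearch; sample data below is constructed.
set -u

# Read SELINUX=... from an /etc/selinux/config-style file; comments ignored.
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print "permission scontext -> tcontext" for every AVC denial on stdin,
# then a denials=N total, so the admin sees what the installer needed
# instead of leaving SELinux off for good.
summarize_avc() {
    awk '/^type=AVC/ && /denied/ {
            sc = ""; tc = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) sc = substr($i, 10)
                if ($i ~ /^tcontext=/) tc = substr($i, 10)
            }
            match($0, /denied +[{] *[^}]* *[}]/)
            perm = substr($0, RSTART, RLENGTH)
            sub(/denied +[{] */, "", perm); sub(/ *[}]$/, "", perm)
            n++; print perm " " sc " -> " tc
        }
        END { print "denials=" n + 0 }'
}

# Run an installer in a temporary permissive window and restore the old mode
# even if the installer fails or is interrupted (needs root and SELinux).
install_under_permissive() {
    local installer=$1
    SELINUX_BEFORE=$(getenforce)   # global so the EXIT trap can still see it
    if [ "$SELINUX_BEFORE" = "Disabled" ]; then
        echo "SELinux is disabled; relabel and enable it first" >&2
        return 1
    fi
    trap 'setenforce "$SELINUX_BEFORE"; echo "restored $SELINUX_BEFORE" >&2' EXIT
    setenforce 0
    "$installer"
    # Denials from the last 10 minutes, i.e. what enforcing mode would block.
    ausearch -m avc -ts recent 2>/dev/null | summarize_avc
}

# Constructed sample data so the parsers can be exercised without root.
SAMPLE_CONFIG=$(mktemp)
printf '# This file controls the state of SELinux.\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$SAMPLE_CONFIG"
SAMPLE_AUDIT='type=AVC msg=audit(1283200000.101:40): avc:  denied  { execstack } for  pid=4101 comm="icc" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1283200000.101:40): arch=c000003e syscall=10 success=yes exit=0
type=AVC msg=audit(1283200000.250:41): avc:  denied  { execmod } for  pid=4101 comm="icc" path="/opt/intel/lib/libx.so" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'

config_mode "$SAMPLE_CONFIG"                     # enforcing
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc    # two denials, then denials=2
rm -f "$SAMPLE_CONFIG"

# Only touch the live system when explicitly asked.
if [ -n "${INSTALLER:-}" ]; then
    install_under_permissive "$INSTALLER"
fi
```

Run it as root with INSTALLER=/path/to/installer to use the permissive window; without INSTALLER it only exercises the parsers on the constructed sample.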