Takehiko Abe keke@gol.com wrote:
Sent: Sep 1, 2010 5:25 AM
To: Community support for Fedora users users@lists.fedoraproject.org
Subject: Re: SELinux
I assume you know the chances that an average Linux user actually gets exploited in that way are very low.
I would love to see the academic paper reference for this and the analysis as to why - maybe it's because most of them use SELinux ;)
Just count the known incidents of such exploits. ZERO. No WMD.
Pure bullshit. There are PLENTY of UNIX/Linux systems that are 'powned'. SELinux prevents but does not stop this, if running in permissive mode. In enforcing mode, all hell breaks loose. At least you will be aware that this has happened and in enforcing mode the attack may be stopped. In enforcing mode, you can attempt to evaluate and eliminate the damage. You don't READ about this because most companies don't want to admit their security systems don't work.
Remember the TV ad about the fact that the firewall did not stop the 17 year old hacker from taking almost 200,000 credit card records and then building the robot of his dreams (this was an actual event folks, don't laugh)? This MIGHT have been prevented if the company used and enforced a high quality security system like SELinux. SELinux acts as a host based security system and is only as good as YOU make it. If you don't want it, you don't have to have it. But when the PCI folks (aka MasterCard/Visa/AMEX/Discover/JCB) shut off your ability to accept and process Credit/Debit transactions, you have no one to blame but yourself. When your competition 'mysteriously' shows up with your design, then you have to ask, "How did they get that?"
Security systems are there for a reason. We all have information that others desire and it is up to us to ensure that it does not appear in the hands of the 'bad guys'. So, are you going to run around the Internet 'naked' or are you going to use every tool at your hands (Bastille/iptables/SELinux)? I prefer the latter scenario. Of course, a very determined cracker is going to get in, but the ordinary Joe is not.
BTW, the EASIEST system to 'pown' is a Mac. I'll leave it up to you to do the work (Google is definitely your friend with this.)
Please remember, it is up to YOU to protect YOUR data, no one else.
James McKenzie
Takehiko Abe wrote:
Just count the known incidents of such exploits. ZERO. No WMD.
Hmmm. Is that why we run it on our systems? Just for the record I cannot discuss anything else, but believe me, the vulnerabilities and their exploits do exist. There are vulnerabilities and exploits for every operating system out there on the Internet. However, you are correct in that there are no active Linux exploits. However, that does not discount the folks who run Linux and use weak passwords on their systems. SELinux has 'saved their bacon' more than once. I don't walk around with my guard down just because no one has been mugged in my neighborhood. The same concept applies here. If you are in your home with all of the doors locked and bolted, you won't get broken into, if the neighbor has his front door wide open. Living on an island is sort of what I'm doing with my Linux system; it is not connected nor connectable to the Internet. My chances of being attacked are zero and if I was, there would be no net gain for the attacker.
So that is the way it is. You can and did choose not to run SELinux. That is your decision. If I go on-line with my Linux system, it will be in permissive mode and that is my decision. I do agree that SELinux is not the easiest thing to configure (I don't know if there is a GUI interface and I would be pleasantly surprised if there is.) However, reading man pages and deciphering them can be tricky. It is best to use the configurations provided and extend them if needed.
And as to the 'strawman' comment, not needed, I had not read your message completely and did not give myself enough comprehension time.
We do have the ability and necessity to disagree.
My apology from earlier stands to you and, most of all, to the list.
James McKenzie
On 09/01/2010 10:17 PM, James McKenzie wrote:
not the easiest thing to configure (I don't know if there is a GUI interface and I would be pleasantly surprised if there is.)
Not sure if this is what you needed or not but this is a GUI:
system->Administration->Selinux Management
gene/
On Thursday, 02 September, 2010 @02:17 zulu, James McKenzie scribed:
be in permissive mode and that is my decision. I do agree that SELinux is not the easiest thing to configure (I don't know if there is a GUI interface and I would be pleasantly surprised if there is.)
# yum install policycoreutils-gui
Start it with $ system-config-selinux or from System->Administration->SELinux Management in the menu panels, and you'll be prompted for the root password.
Just count the known incidents of such exploits. ZERO. No WMD.
Hmmm. Is that why we run it on our systems? Just for the record I cannot discuss anything else, but believe me, the vulnerabilities and their exploits do exist.
The "such exploits" refers to buffer overrun type exploits (I don't know the correct terminology), e.g. the Flash exploit reported last June -- the one that got the 64-bit plugin discontinued. Mostly the web-based exploits.
They exploit certain bugs in an application/library. But the exploitable bugs are usually discovered and patched before any actual exploit takes place. I know none that successfully exploited a Linux system and that is my "ZERO".