9:52 a.m.
Hi.
In testing out creating/setting up remote droplets on digital
ocean/fed (centos), I realize that it should be secured as
much/tightly as possible. However, I also realize that if I screw
something up, I could have an instance that has issues. I'm not a sys
admin, and not trying to be one.
So, here's my question. If I'm going to be spinning up/down an
instance, could I simply disable selinux? For my scenario, I'll be
creating a base instance, with the required apps/processes, and then
using that base instance for any testing droplets I need to create, to
test my apps.
So, if I create an instance, spin it up, fire off my tests on the
instance, run everything for a few hours, and then shut it off, would
that be "reasonably safe/secure"?
My testing apps are a mix of python/php/perl/shell scripts, there's no
web stuff as of yet. Although, there will be dns/nfs/mysql
functionality.
Thanks for thoughts..
6:45 p.m.
On Sat, 23 Jan 2016 10:52:28 -0500
bruce <badouglas(a)gmail.com> wrote:
[snip]
So, if I create an instance, spin it up, fire off my tests on the
instance, run everything for a few hours, and then shut it off, would
that be "reasonably safe/secure"?
My testing apps are a mix of python/php/perl/shell scripts, there's no
web stuff as of yet. Although, there will be dns/nfs/mysql
functionality.
For your use case, I would do it without a qualm, especially since you
are isolated from the web. Once you connect to the web, you will
have exposure, but even then, as you say, it will be minimal. And
limited to the time you have the instance up. If you give it access
to any vital data while it is up, it could be a slight risk.
But, why do you have to disable SElinux? Are you building cracker
suites? :-) Will your apps never run on systems that have SElinux
enabled? Why not just put it in permissive mode, so it warns at
violations, but doesn't stop them, if it is a concern?
I'm not an expert, but in the wild, with internet facing apps, I think
SElinux is a good thing to have enabled. Belt and suspenders, and all
that.
7:57 a.m.
On Sat, 2016-01-23 at 10:52 -0500, bruce wrote:
So, if I create an instance, spin it up, fire off my tests on the
instance, run everything for a few hours, and then shut it off, would
that be "reasonably safe/secure"?
I am always amazed that people think shutting off a security
something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's
something wrong with that /thing/ that required it. It could simply be
crap programming, or it could be malicious. And even crap programming
can be destructive outside of its own files.
--
tim@localhost ~]$ uname -rsvp
Linux 3.19.8-100.fc20.i686 #1 SMP Tue May 12 17:42:35 UTC 2015 i686
All mail to my mailbox is automatically deleted, there is no point trying
to privately email me, I will only read messages posted to the public lists.
George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
9:11 a.m.
I am always amazed that people think shutting off a security
something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's
something wrong with that /thing/ that required it. It could simply be
crap programming, or it could be malicious. And even crap programming
can be destructive outside of its own files.
really???
it could also be, prob often is.. is that the person who's doing X is
simply trying to get something done, and not be a Sys Admin!!!
Doing security right.. is an effort in understanding the nuances.. If
you've been playing with OS X, than you might have insight into what's
required. But someone who's not gotten into the "guts" of what
something like SeLinux requires, might not have an understanding of
what needs to be configured, or exactly how to configure it, etc..
Or configuring security (firewall, process restrictions, user
restrictions, port issues, rootkit protections, file restrictions,
etc.. ) might be fairly easy to setup, just not obvious to the casual
user on how to do it.
I haven't met a lot of people in my 30+ years of tech who just gloss
over the impotance of security.. I have met alot who aren't sys
admins.. and, even thought they create software projects from time to
time.. wouldn't have a "clue" as to exactly how to set up a good
secure system.. even thought they'd all say.. would be nice to do it!!
peace
On Sun, Jan 24, 2016 at 8:57 AM, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
> On Sat, 2016-01-23 at 10:52 -0500, bruce wrote:
>> So, if I create an instance, spin it up, fire off my tests on the
>> instance, run everything for a few hours, and then shut it off, would
>> that be "reasonably safe/secure"?
>
I am always amazed that people think shutting off a security
something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's
something wrong with that /thing/ that required it. It could simply be
crap programming, or it could be malicious. And even crap programming
can be destructive outside of its own files.
> --
> tim@localhost ~]$ uname -rsvp
>
> Linux 3.19.8-100.fc20.i686 #1 SMP Tue May 12 17:42:35 UTC 2015 i686
>
> All mail to my mailbox is automatically deleted, there is no point trying
> to privately email me, I will only read messages posted to the public lists.
>
> George Orwell's '1984' was supposed to be a warning against tyranny, not
> a set of instructions for supposedly democratic governments.
>
> --
> users mailing list
> users(a)lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
5:47 p.m.
On 24 January 2016 at 15:11, bruce <badouglas(a)gmail.com> wrote:
> I am always amazed that people think shutting off a security
> something-or-other for some-amount-of-time can be considered safe.
>
> It takes virtually the blink of an eye to get compromised.
>
> If you need to turn off a security feature to do something, then there's
> something wrong with that /thing/ that required it. It could simply be
> crap programming, or it could be malicious. And even crap programming
> can be destructive outside of its own files.
>
really???
it could also be, prob often is.. is that the person who's doing X is
simply trying to get something done, and not be a Sys Admin!!!
Doing security right.. is an effort in understanding the nuances.. If
you've been playing with OS X, than you might have insight into what's
required. But someone who's not gotten into the "guts" of what
something like SeLinux requires, might not have an understanding of
what needs to be configured, or exactly how to configure it, etc..
Or configuring security (firewall, process restrictions, user
restrictions, port issues, rootkit protections, file restrictions,
etc.. ) might be fairly easy to setup, just not obvious to the casual
user on how to do it.
I haven't met a lot of people in my 30+ years of tech who just gloss
over the impotance of security.. I have met alot who aren't sys
admins.. and, even thought they create software projects from time to
time.. wouldn't have a "clue" as to exactly how to set up a good
secure system.. even thought they'd all say.. would be nice to do it!!
You are unlikely to be able to lock yourself out of a system with a
default SELinux setup (I wont say it's impossible, but I think you'd
have to intentionally create a policy to do it). The kinds of problems
you tend to run into for which turning it off is a quick workaround
are trying to serve files that have the wrong context set, e.g. html
not in the right place or java applets with the wrong settings.
(libexec on exectuables that need it is another good one) Usually
things don't work outright.
--
imalone
http://ibmalone.blogspot.co.uk
9:17 p.m.
Tim:
> I am always amazed that people think shutting off a security
> something-or-other for some-amount-of-time can be considered safe.
>
> It takes virtually the blink of an eye to get compromised.
>
> If you need to turn off a security feature to do something, then there's
> something wrong with that /thing/ that required it. It could simply be
> crap programming, or it could be malicious. And even crap programming
> can be destructive outside of its own files.
bruce:
really???
Yes.
If you're on an ISP, or a compromised LAN, you may find that there's
continual port scans and attacks.
I watched a friend get his box hacked four seconds after establishing a
network connection. He had to re-install to fix the problem. Same
thing happened the next two times he connected up. I just about wet
myself laughing. It took him three hacks before he wised up that he
needed to run protective software all the time. Drop your guard for a
second (or at least a few seconds), and that's enough.
By default, most things work like they're supposed to on Linux. If you
serve out HTML from the normal filepaths, it serves. There is, or was,
a GUI configurator for toggling SELinux permissions for certain services
that it's considered you ought to know what you're doing before you do
them, that's just as easy as similar configurators for enabling
services. e.g. There's a list, and you'd find HTTPD, or NFS, in it...
I'd go as far as to say that if you have no idea about how to run a
service, such as email or httpd, what it does, how it does it, how it
can be compromised, how to enable it, how to set up the firewall for it,
etc., then you have no business trying to run such a service. You'd
better learn how to do it on an isolated LAN. The world is replete with
spam, scams, hacks, etc, that affect everybody, because some dimwit made
it easy for them.
I haven't met a lot of people in my 30+ years of tech who just
gloss
over the impotance of security..
I have, unfortunately. And I see a lot of people who do on this list or
forums. You can recognise them by the ones that when either dealing
with a problem, or the installing a system, the first things they do are
turn off SELinux and firewalls.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Linux servers are always being dæmonised...
9:34 p.m.
On 01/24/2016 10:17 PM, Tim wrote:
Tim:
>> I am always amazed that people think shutting off a security
>> something-or-other for some-amount-of-time can be considered safe.
>>
>> It takes virtually the blink of an eye to get compromised.
>>
>> If you need to turn off a security feature to do something, then there's
>> something wrong with that /thing/ that required it. It could simply be
>> crap programming, or it could be malicious. And even crap programming
>> can be destructive outside of its own files.
bruce:
> really???
Yes.
If you're on an ISP, or a compromised LAN, you may find that there's
continual port scans and attacks.
I watched a friend get his box hacked four seconds after establishing a
network connection. He had to re-install to fix the problem. Same
thing happened the next two times he connected up. I just about wet
myself laughing. It took him three hacks before he wised up that he
needed to run protective software all the time. Drop your guard for a
second (or at least a few seconds), and that's enough.
By default, most things work like they're supposed to on Linux. If you
serve out HTML from the normal filepaths, it serves. There is, or was,
a GUI configurator for toggling SELinux permissions for certain services
that it's considered you ought to know what you're doing before you do
them, that's just as easy as similar configurators for enabling
services. e.g. There's a list, and you'd find HTTPD, or NFS, in it...
I'd go as far as to say that if you have no idea about how to run a
service, such as email or httpd, what it does, how it does it, how it
can be compromised, how to enable it, how to set up the firewall for it,
etc., then you have no business trying to run such a service. You'd
better learn how to do it on an isolated LAN. The world is replete with
spam, scams, hacks, etc, that affect everybody, because some dimwit made
it easy for them.
> I haven't met a lot of people in my 30+ years of tech who just gloss
> over the impotance of security..
I have, unfortunately. And I see a lot of people who do on this list or
forums. You can recognise them by the ones that when either dealing
with a problem, or the installing a system, the first things they do are
turn off SELinux and firewalls.
I don't even understand SELinux that much, but I would never disable it
UNLESS it was running on an isolated network or a box that I wanted to
"sacrifice". Surely its there for a reason. (And I've heard people give
all kinds of excuses when it comes to shutting it off, from "Its the
NSA's baby"....to "You don't need to run it".)....weird....because
in
the world of Windows?....no one....and I mean NO ONE would think of
running a Windows box without SOME form of protection, regardless of
whether its on an isolated LAN, or connected to the world!.....if
anything they would run MULTIPLE security apps/suites to cover the holes
of the others! I guess its just a mindset you either have or don't?...
EGO II
9:44 p.m.
On 01/24/2016 07:17 PM, Tim wrote:
I have, unfortunately. And I see a lot of people who do on this list
or
forums. You can recognise them by the ones that when either dealing
with a problem, or the installing a system, the first things they do are
turn off SELinux and firewalls.
Back when I did tech support for an ISP, I got a call from a man who
wanted to know if he could host a webpage on the Internet using the
Windows Personal Webserver. I quickly realized that if he had to ask,
he probably didn't know enough to do it safely, so I tried to warn him
about the risks. He stopped me and said that he was willing to find out
the hard way and reinstall if he had to, so I told him that what he
wanted to do was possible and ended the call. I've wondered, a few
times, how badly he got infected and just how hard "learning the hard
way" turned out to be, but I've always considered it a case of evolution
in every-day life.
Putting a Linux box on the net with the firewall and SELinux disabled is
just as bad. I've seen all too many posters, here and elsewhere, who
automatically disable SELinux because there were problems and
performance hits associated with it when it first came out eighteen
years ago and I never argue with them or try to get them to move into
the 21st Century. Not only is it a waste of my time, I figure that if
they're that unwilling to learn, they're just getting what they deserve.
The point here is that SELinux wouldn't have been developed and wouldn't
have stuck around as long as it has if it didn't serve an important
purpose. Unless you're sure that you know exactly what you're doing,
don't mess with it. And, if the troubleshooter shows you how to create
a custom policy to work around an alert, ask yourself if you really need
this program working before continuing. Working around a glitch in
Firefox is one thing; getting a game to work may or may not be worth the
trade-off in security. Sorry to go on so long, but once I started, I
found that I had more to say than I'd thought.
1:07 a.m.
On 01/24/2016 10:44 PM, Joe Zeff wrote:
On 01/24/2016 07:17 PM, Tim wrote:
> I have, unfortunately. And I see a lot of people who do on this list or
> forums. You can recognise them by the ones that when either dealing
> with a problem, or the installing a system, the first things they do are
> turn off SELinux and firewalls.
Back when I did tech support for an ISP, I got a call from a man who
wanted to know if he could host a webpage on the Internet using the
Windows Personal Webserver. I quickly realized that if he had to ask,
he probably didn't know enough to do it safely, so I tried to warn him
about the risks. He stopped me and said that he was willing to find
out the hard way and reinstall if he had to, so I told him that what
he wanted to do was possible and ended the call. I've wondered, a few
times, how badly he got infected and just how hard "learning the hard
way" turned out to be, but I've always considered it a case of
evolution in every-day life.
Putting a Linux box on the net with the firewall and SELinux disabled
is just as bad. I've seen all too many posters, here and elsewhere,
who automatically disable SELinux because there were problems and
performance hits associated with it when it first came out eighteen
years ago and I never argue with them or try to get them to move into
the 21st Century. Not only is it a waste of my time, I figure that if
they're that unwilling to learn, they're just getting what they deserve.
The point here is that SELinux wouldn't have been developed and
wouldn't have stuck around as long as it has if it didn't serve an
important purpose. Unless you're sure that you know exactly what
you're doing, don't mess with it. And, if the troubleshooter shows
you how to create a custom policy to work around an alert, ask
yourself if you really need this program working before continuing.
Working around a glitch in Firefox is one thing; getting a game to
work may or may not be worth the trade-off in security. Sorry to go
on so long, but once I started, I found that I had more to say than
I'd thought.
No worries there Mr. Zeff. It's greatly appreciated, I'm
actually going
to use your info to point out to someone who LOVES disabling security in
Linux just how foolish that is!! So thanks for the input!!
EGO II
2:02 a.m.
Look.
I fully get the need for security.. But if I can't get the security
working as it should, but I still need to build whatever the project
might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it. But
when it comes to policies, for differnt users, applications,
files,etc.. and the possiblity of screwing something up if you go
wrong, then you have a bit of an issue there... And you can't simpy
tell someone, "if you don't know what you're doing, don't mess with
linux!" Not going to happen..
But hey.. to each his/her own.
My goal wasn't to start a war.. Lord knows there are plenty of those
on the 'net already!
Thanks to all who've replied.
ps. To all who've replied in favor of someone not really implementing
a fed/centos/linux instance unless secure, I take it you're also
illing to provide pointers/help if someone asks, yes? (And not just
saying go look at youtube vides, or read docs!!)
thanks!!
On Mon, Jan 25, 2016 at 2:07 AM, Eddie G. O'Connor Jr.
<eoconnor25(a)gmail.com> wrote:
On 01/24/2016 10:44 PM, Joe Zeff wrote:
>
> On 01/24/2016 07:17 PM, Tim wrote:
>>
>> I have, unfortunately. And I see a lot of people who do on this list or
>> forums. You can recognise them by the ones that when either dealing
>> with a problem, or the installing a system, the first things they do are
>> turn off SELinux and firewalls.
>
>
> Back when I did tech support for an ISP, I got a call from a man who
> wanted to know if he could host a webpage on the Internet using the Windows
> Personal Webserver. I quickly realized that if he had to ask, he probably
> didn't know enough to do it safely, so I tried to warn him about the risks.
> He stopped me and said that he was willing to find out the hard way and
> reinstall if he had to, so I told him that what he wanted to do was possible
> and ended the call. I've wondered, a few times, how badly he got infected
> and just how hard "learning the hard way" turned out to be, but I've
always
> considered it a case of evolution in every-day life.
>
> Putting a Linux box on the net with the firewall and SELinux disabled is
> just as bad. I've seen all too many posters, here and elsewhere, who
> automatically disable SELinux because there were problems and performance
> hits associated with it when it first came out eighteen years ago and I
> never argue with them or try to get them to move into the 21st Century. Not
> only is it a waste of my time, I figure that if they're that unwilling to
> learn, they're just getting what they deserve.
>
> The point here is that SELinux wouldn't have been developed and wouldn't
> have stuck around as long as it has if it didn't serve an important purpose.
> Unless you're sure that you know exactly what you're doing, don't mess
with
> it. And, if the troubleshooter shows you how to create a custom policy to
> work around an alert, ask yourself if you really need this program working
> before continuing. Working around a glitch in Firefox is one thing; getting
> a game to work may or may not be worth the trade-off in security. Sorry to
> go on so long, but once I started, I found that I had more to say than I'd
> thought.
No worries there Mr. Zeff. It's greatly appreciated, I'm actually going to
use your info to point out to someone who LOVES disabling security in Linux
just how foolish that is!! So thanks for the input!!
EGO II
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
3:40 a.m.
On 01/25/2016 09:02 AM, bruce wrote:
Look.
I fully get the need for security.. But if I can't get the security
working as it should, but I still need to build whatever the project
might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it.
But when it comes to policies, for differnt users, applications,
files,etc.. and the possiblity of screwing something up if you go
wrong, then you have a bit of an issue there... And you can't simpy
tell someone, "if you don't know what you're doing, don't mess with
linux!" Not going to happen..
Yes, SELinux running in permissive mode is a good start point. We can
say that SELinux is in "learning mode". You adopt SELinux policy for
your setup.
And here the question is how it is complicated?
It depends on your setup. And we are ready to help you on
<selinux(a)lists.fedoraproject.org> if you don't get answers from
documentation.
And even more your feedback is welcome because this is a good way how to
improve documentation.
But hey.. to each his/her own.
My goal wasn't to start a war.. Lord knows there are plenty of those
on the 'net already!
Thanks to all who've replied.
ps. To all who've replied in favor of someone not really implementing
a fed/centos/linux instance unless secure, I take it you're also
illing to provide pointers/help if someone asks, yes? (And not just
saying go look at youtube vides, or read docs!!)
thanks!!
On Mon, Jan 25, 2016 at 2:07 AM, Eddie G. O'Connor Jr.
<eoconnor25(a)gmail.com> wrote:
> On 01/24/2016 10:44 PM, Joe Zeff wrote:
>>
>> On 01/24/2016 07:17 PM, Tim wrote:
>>>
>>> I have, unfortunately. And I see a lot of people who do on this list or
>>> forums. You can recognise them by the ones that when either dealing
>>> with a problem, or the installing a system, the first things they do are
>>> turn off SELinux and firewalls.
>>
>>
>> Back when I did tech support for an ISP, I got a call from a man who
>> wanted to know if he could host a webpage on the Internet using the Windows
>> Personal Webserver. I quickly realized that if he had to ask, he probably
>> didn't know enough to do it safely, so I tried to warn him about the risks.
>> He stopped me and said that he was willing to find out the hard way and
>> reinstall if he had to, so I told him that what he wanted to do was possible
>> and ended the call. I've wondered, a few times, how badly he got infected
>> and just how hard "learning the hard way" turned out to be, but
I've always
>> considered it a case of evolution in every-day life.
>>
>> Putting a Linux box on the net with the firewall and SELinux disabled is
>> just as bad. I've seen all too many posters, here and elsewhere, who
>> automatically disable SELinux because there were problems and performance
>> hits associated with it when it first came out eighteen years ago and I
>> never argue with them or try to get them to move into the 21st Century. Not
>> only is it a waste of my time, I figure that if they're that unwilling to
>> learn, they're just getting what they deserve.
>>
>> The point here is that SELinux wouldn't have been developed and wouldn't
>> have stuck around as long as it has if it didn't serve an important purpose.
>> Unless you're sure that you know exactly what you're doing, don't
mess with
>> it. And, if the troubleshooter shows you how to create a custom policy to
>> work around an alert, ask yourself if you really need this program working
>> before continuing. Working around a glitch in Firefox is one thing; getting
>> a game to work may or may not be worth the trade-off in security. Sorry to
>> go on so long, but once I started, I found that I had more to say than I'd
>> thought.
>
> No worries there Mr. Zeff. It's greatly appreciated, I'm actually going to
> use your info to point out to someone who LOVES disabling security in Linux
> just how foolish that is!! So thanks for the input!!
>
>
> EGO II
>
> --
> users mailing list
> users(a)lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
6:19 a.m.
On 25 January 2016 at 08:02, bruce <badouglas(a)gmail.com> wrote:
Look.
I fully get the need for security.. But if I can't get the security
working as it should, but I still need to build whatever the project
might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it. But
when it comes to policies, for differnt users, applications,
files,etc.. and the possiblity of screwing something up if you go
wrong, then you have a bit of an issue there... And you can't simpy
tell someone, "if you don't know what you're doing, don't mess with
linux!" Not going to happen..
But hey.. to each his/her own.
My goal wasn't to start a war.. Lord knows there are plenty of those
on the 'net already!
Thanks to all who've replied.
I think it's partly the direction you started from, which is expecting
there's going to be a problem and planning to turn off SELinux to
forestall it. You may run into problems, but these days they're not
that hard to sort out. sealert is useful if do you think SELinux is
preventing something running and then you can check what the context
should be
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
If starting from nothing then it's probably easier to go from that
direction than start from having it turned off and enabling it once
everything is done. At that point if things stop working then finding
out what the issue is is going to be harder. I think your original
concern was you might have, "an instance that has problems". If you
have ssh access or something then it's not going to go away due to
SELinux. If your only access into the system is a web interface it's
hosting then that could happen.
What SELinux tries to do is constrain access by services to only the
resources they need, whether that's files (for http servers for
example) or types of memory access, in an attempt to limit the
exposure to a compromised application. The fewer outside facing
services you have the less exposed you are. If you needed to grant
unrestricted access to a service that becomes compromised then you
lost the game anyway, whether you did that by turning off SELinux or
by granting that access to that context. But most of the time the
default policies will do what you want and are trivial to apply if
something goes wrong. You don't have to set them up yourself for users
and applications.
Tools like restorecon and fixfiles
https://fedoraproject.org/wiki/SELinux/fixfiles can be used to apply
labelling if you've ended up with files that don't have context. "ls
-Z" will quickly tell you if your files are missing context.
--
imalone
http://ibmalone.blogspot.co.uk
8:28 a.m.
Allegedly, on or about 25 January 2016, bruce sent:
I fully get the need for security.. But if I can't get the
security
working as it should, but I still need to build whatever the project
might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer
in an insecure mode, and all SELinux is doing is logging the things that
it would have stopped.
But when it comes to policies, for differnt users, applications,
files,etc.. and the possiblity of screwing something up if you go
wrong, then you have a bit of an issue there...
I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
And I haven't had to turn off SELinux, nor do anything beyond open the
configurator GUI and tick the boxes that said to allow those particular
services (look through its list, find HTTPD server, tick it, find
serving CGI scripts, tick that, etc., that was about the extent of what
I had to do). Seriously, setting that right was a damn sight easier
than configuring any of those servers.
If you find something is failing because SELinux is stopping it, chances
are that /that/ something is badly written, and needs doing better. Is
it trying to serve files it has no business serving? Is it trying to
execute things that it shouldn't execute but merely read? There's a
plethora of dumb things people try to do with their programs, and
stopping those dumb things is the solution, not allowing them.
Do you ignore programming error messages, too?
And you can't simpy tell someone, "if you don't know
what you're
doing, don't mess with linux!" Not going to happen..
I can say if you don't know what you're doing, don't do it on the
internet. Dumb things on the internet don't just affect you, they
affect other people around you. That's why we have masses of spam on
the internet, and other hacks. Compromised user boxes, compromised ISP
services, abound.
ps. To all who've replied in favor of someone not really
implementing
a fed/centos/linux instance unless secure, I take it you're also
illing to provide pointers/help if someone asks, yes? (And not just
saying go look at youtube vides, or read docs!!)
Here's a loaded weapon, point it at your own foot, and not in our
direction... No, I wouldn't give someone advice on how to insecurely
run their computer, and neither will plenty of others. You will find,
however, that if you try doing it securely, and run into snags, that
people are willing to help you solve the actual problem properly.
Webservers and mailservers, in particular, are at least two things that
need to be run with a great deal of care. Hackers go searching for
badly set up ones to do their nefarious deeds. And here you are
advertising that you're going to do so, identifying yourself in the
process.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Windows, it's enough to make a grown man cry!
9:03 a.m.
On 25 January 2016 at 14:28, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
Allegedly, on or about 25 January 2016, bruce sent:
> I fully get the need for security.. But if I can't get the security
> working as it should, but I still need to build whatever the project
> might be.. the project is going to get created.
>
> If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer
in an insecure mode, and all SELinux is doing is logging the things that
it would have stopped.
I have actually once seen permissive mode preventing login, IIRC this
was something to do with PackageKit doing its own context based
checks.
As for the rest though, Miroslav's reply is spot on, if there are
specific problems or issues then get help from the selinux list to
sort them out, but the policy setup and tools are mature enough at
this point that it's rare. If Bruce is really concerned, run
permissive, check there's no alerts coming up then switch to
enforcing. Worst that happens is you have to kill that instance
because you lose access, and like I've said I think that's hard to do.
It's not something that's suddenly going to kick you out during
operation in any normal circumstance.
--
imalone
http://ibmalone.blogspot.co.uk
9:29 a.m.
--Gawd...
Feels like I'm trying to spit in the wind!!
1st, not trying to set up web servers, but am looking at running tests
on linux servers.
2nd, recognize that one should have "secure" systems on the net, but
realize I don't have the time/set of skills to "fully" get there...
So, if you want to say -- hey, don't have an insecure linux box, it
could be hacked and cause us the Internet community probs due to your
crap, that's fair.
But you need to realize, there are lots of people who are attempting
to do as much as they can with limited resources/time. if anyone here
wants to contact me offline, we can discuss. Heck, I've been looking
for a "sysadmin" type that I can pay, talk with for a bit.
If fed/selinux had a "config" file for simple services/ports, great..
But when you get to policies, and understanding the nuances of
selinux, as far as I can tell, it's a learning curve that has to be
dealt with in order to get it right..
And to be honest, I know of a number of operations/organizations that
have put the "security" sysAdmin stuff off until they could find a
sysadmin resource for that function..
There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in
4 weeks" courses. that only get to the basics of coding, much less the
sysadmin stuff..
None of these are going away.. so some guy who pops up a website/app
on some aws instance.. has security issues that they might not even
realize..
Anyway.. thanks guys!
On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
Allegedly, on or about 25 January 2016, bruce sent:
> I fully get the need for security.. But if I can't get the security
> working as it should, but I still need to build whatever the project
> might be.. the project is going to get created.
>
> If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer
in an insecure mode, and all SELinux is doing is logging the things that
it would have stopped.
> But when it comes to policies, for differnt users, applications,
> files,etc.. and the possiblity of screwing something up if you go
> wrong, then you have a bit of an issue there...
I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
And I haven't had to turn off SELinux, nor do anything beyond open the
configurator GUI and tick the boxes that said to allow those particular
services (look through its list, find HTTPD server, tick it, find
serving CGI scripts, tick that, etc., that was about the extent of what
I had to do). Seriously, setting that right was a damn sight easier
than configuring any of those servers.
If you find something is failing because SELinux is stopping it, chances
are that /that/ something is badly written, and needs doing better. Is
it trying to serve files it has no business serving? Is it trying to
execute things that it shouldn't execute but merely read? There's a
plethora of dumb things people try to do with their programs, and
stopping those dumb things is the solution, not allowing them.
Do you ignore programming error messages, too?
> And you can't simpy tell someone, "if you don't know what you're
> doing, don't mess with linux!" Not going to happen..
I can say if you don't know what you're doing, don't do it on the
internet. Dumb things on the internet don't just affect you, they
affect other people around you. That's why we have masses of spam on
the internet, and other hacks. Compromised user boxes, compromised ISP
services, abound.
> ps. To all who've replied in favor of someone not really implementing
> a fed/centos/linux instance unless secure, I take it you're also
> illing to provide pointers/help if someone asks, yes? (And not just
> saying go look at youtube vides, or read docs!!)
Here's a loaded weapon, point it at your own foot, and not in our
direction... No, I wouldn't give someone advice on how to insecurely
run their computer, and neither will plenty of others. You will find,
however, that if you try doing it securely, and run into snags, that
people are willing to help you solve the actual problem properly.
Webservers and mailservers, in particular, are at least two things that
need to be run with a great deal of care. Hackers go searching for
badly set up ones to do their nefarious deeds. And here you are
advertising that you're going to do so, identifying yourself in the
process.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Windows, it's enough to make a grown man cry!
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
9:56 a.m.
On Mon, 25 Jan 2016, Tim wrote:
I watched a friend get his box hacked four seconds after establishing a
network connection. He had to re-install to fix the problem. Same
thing happened the next two times he connected up. I just about wet
myself laughing. It took him three hacks before he wised up that he
needed to run protective software all the time. Drop your guard for a
second (or at least a few seconds), and that's enough.
Did you mean "hacked" or "attacked?" It seems to me that if there are
successful intrusions by scripted attacks within four seconds of installation of a linux
distro, it's either the wrong distro or it's wrongly installed -- with or without
selinux enabled.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things
always seem easy and straightforward to someone who knows it well. That's the nature
of skill, regardless of the kind of skill it is.
It reminds me of when I was a medical student many years ago, going through my Pathology
laboratory. We were studying inflammation and looking at white blood cells under the
microscope.
I looked through the scope and all I saw were little dots. It made no sense to me. And I
said so. I could see the resident getting more and more frustrated with me as he kept
telling me over and over again how to tell the difference between the various inflammatory
cells -- it so trivially obvious and I was such a moron.
Then, four years later, I was the resident physician in pathology and I was assigned the
second year pathology lab. The student was looking through the microscope and
couldn't tell the difference between a polymorphonuclear leukocyte and a plasma cell
-- two cells that look *totally* different. I remember getting more and more frustrated
with the student as I told her over and over again how to tell the difference. But she
just couldn't see it! I thought to myself "What a moron."
That's what four years of staring through a microscope 18 hours a day buys you.
That's what I think of when I read these discussions. If someone is struggling with
something like this, they may seem like morons, but it is usually someting *other* than
simple supidity or laziness that is the reason. It's because the barrier to doing it
is greater than the perceived benefit.
Yes, selinux is a great tool, particularly for large multiuser systems that serve a lot of
things. But the very thing that makes it a great tool for these systems makes it very
complex and intrusive, particularly on one- or two-user systems that serve personal
things. Do we really need a lot of user-level permission tweaking when every user on the
machine is an administrator?
The selinux protections at the process level are obviously beneficial, but that's
often where the barriers are the highest. Selinux provides exquisite protections at the
process level for servers. Personally, that's where the most frightening attacks on
my boxes have come from in recent years. But, selinux frequently takes a server that
"just works" and turns it into one that "just doesn't work."
Then, you have to figure out whether the misconfiguration is from the server or from
selinux, and how to tweak both so that one will let the other do its thing. And, no, the
answers are not always obvious.
There is a truism that I remember being told about computer security a long, long time ago
that usability and technical security are inversely related. At some point, when you
increase the technical security enough, you will have made the system unusable to the
point that your users will simply start going around it simply to get their work done.
I remember bringing some data to a federal military installation once on a flash drive.
The military had recently put in a policy that flash drives were not allowed, and they had
some sort of enterprise-level monitoring software that watched the usb ports on every
machine in the network. I gave the flash drive to the agent and said "Look,
here's my results. I don't know how you are going to look at them, but this is
what I've got." The agent powered down his computer, unplugged his computer from
the network, booted it up again, put in the flash drive, downloaded the data, pulled out
the flash drive, powered down the computer, plugged it back into the network, and powered
it up again. He said that everybody did it all the time -- because the security policies
had made it impossible for them to do their work otherwise.
The combination of security that ignores users and users that ignore security gives you a
system that has neither security nor usability. And simply calling users morons will not
solve this.
I think a lot of stuff in linux is approaching this complexity/usability tipping point,
not just in security. System admin tools, filesystems, logging, desktops, etc. have
become the playthings of people who like being the chosen few who have mastery over
unnecessarily byzantine and complex systems and tools created to be beyond the effort
barrier of the hobby user. I love KDE, but frankly, it is collapsing under it's own
complexity. Selinux is just another exmple. I used to like linux because it made sense.
Now it seems that it's little different than Windows sometimes -- opaque, overly
complex, and unfriendly.
billo
10:50 a.m.
On 25 January 2016 at 15:56, <vendor(a)billoblog.com> wrote:
On Mon, 25 Jan 2016, Tim wrote:
>
> I watched a friend get his box hacked four seconds after establishing a
> network connection. He had to re-install to fix the problem. Same
> thing happened the next two times he connected up. I just about wet
> myself laughing. It took him three hacks before he wised up that he
> needed to run protective software all the time. Drop your guard for a
> second (or at least a few seconds), and that's enough.
>
Did you mean "hacked" or "attacked?" It seems to me that if there
are
successful intrusions by scripted attacks within four seconds of
installation of a linux distro, it's either the wrong distro or it's wrongly
installed -- with or without selinux enabled.
I have to admit I've heard this often enough (usually about windows),
but not seen it either, Windows or Linux, but I only do installs on
machines that aren't ethernet networked or are behind a NAT.
The problem I see with selinux is that it is so user-unfriendly.
These
kinds of things always seem easy and straightforward to someone who knows it
well. That's the nature of skill, regardless of the kind of skill it is.
That's what I think of when I read these discussions. If someone
is
struggling with something like this, they may seem like morons, but it is
usually someting *other* than simple supidity or laziness that is the
reason. It's because the barrier to doing it is greater than the perceived
benefit.
The take-home message, if there is one is this:
*You generally do not need to do anything*
(for SELinux anyway, there are some services I'd normally use that I'd
lock down a bit)
The policies in Fedora are meant to work out of the box. There are
some cases (generally if a file is moved to a location rather than
created there) where you find you need to add labels, and this is
really simple, e.g.
http://forums.fedoraforum.org/showthread.php?t=296243, which amounts
to make sure the files are in the right place and run restorecon.
For some things like home directory http you need to confirm that you
want them enabled, install policycoreutils-gui and run
system-config-selinux to get a gui for controlling them.
https://wiki.centos.org/TipsAndTricks/SelinuxBooleans has a list.
Really this thread isn't going to get very far, because it's based
around completely hypothetical problems which are impossible to fix
because their only definition is they are caused by selinux.
--
imalone
http://ibmalone.blogspot.co.uk
1:06 p.m.
LOL!!!
I feel you bruce :)
I think a LOT of people are struggling (and frustrated, rightfully so) with SELinux and
simply place it in permissive mode. There is nothing wrong with doing this. Don't buy
into the fear mongering hype. The only think you have to fear is fear itself.
If/when security is a concern (which in your case it doesn't seem to be) then SELinux
is a powerful tool. You would run it along with Tripwire, rkhunter, et al, to validate the
security of a server, and by the time it becomes so you can look back over the audit trail
to see where perms need to be added etc...
If you are just looking to experiment, exposed to the internet or not, SELinux is really
irrelevant, and in many cases can be cumbersome. I personally have had to disable SELinux
(permissive mode) many a time to get things to work, and I have yet to have a system
compromised by doing so. Not that this can't happen, but the actual chances of it
happening are so low, that you ROI is simply not worth it. There really is not some army
out their hit small ops looking for vulnerabilities in anything that's not a standard
package.
So experiment and produce at will with little to fear. A lot of hype is built around
SELinux in naiveté. Someone who really cares about security actually does not rely on
SELinux, they monitor their servers intensely, and know every process running on them
inside and out, review logs often, use tripwire, rkhunter, and monitor network activity
with Security Onion, etc....
Again, this is not to say that SELinux is not part a good strategy, but it is not the holy
grail many make it out to be either. It's a small part of security that as you
mentioned a lot of use common folk can live without, and have done so for a long time,
with no adverse effects.
On Jan 25, 2016, at 7:29 AM, bruce <badouglas(a)gmail.com>
wrote:
--Gawd...
Feels like I'm trying to spit in the wind!!
1st, not trying to set up web servers, but am looking at running tests
on linux servers.
2nd, recognize that one should have "secure" systems on the net, but
realize I don't have the time/set of skills to "fully" get there...
So, if you want to say -- hey, don't have an insecure linux box, it
could be hacked and cause us the Internet community probs due to your
crap, that's fair.
But you need to realize, there are lots of people who are attempting
to do as much as they can with limited resources/time. if anyone here
wants to contact me offline, we can discuss. Heck, I've been looking
for a "sysadmin" type that I can pay, talk with for a bit.
If fed/selinux had a "config" file for simple services/ports, great..
But when you get to policies, and understanding the nuances of
selinux, as far as I can tell, it's a learning curve that has to be
dealt with in order to get it right..
And to be honest, I know of a number of operations/organizations that
have put the "security" sysAdmin stuff off until they could find a
sysadmin resource for that function..
There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in
4 weeks" courses. that only get to the basics of coding, much less the
sysadmin stuff..
None of these are going away.. so some guy who pops up a website/app
on some aws instance.. has security issues that they might not even
realize..
Anyway.. thanks guys!
On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
> Allegedly, on or about 25 January 2016, bruce sent:
>> I fully get the need for security.. But if I can't get the security
>> working as it should, but I still need to build whatever the project
>> might be.. the project is going to get created.
>>
>> If running Selinux in permissive mode is enough, great, so be it.
>
> SELinux in permissive mode is *not* secure. You're using the computer
> in an insecure mode, and all SELinux is doing is logging the things that
> it would have stopped.
>
>> But when it comes to policies, for differnt users, applications,
>> files,etc.. and the possiblity of screwing something up if you go
>> wrong, then you have a bit of an issue there...
>
> I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
> And I haven't had to turn off SELinux, nor do anything beyond open the
> configurator GUI and tick the boxes that said to allow those particular
> services (look through its list, find HTTPD server, tick it, find
> serving CGI scripts, tick that, etc., that was about the extent of what
> I had to do). Seriously, setting that right was a damn sight easier
> than configuring any of those servers.
>
> If you find something is failing because SELinux is stopping it, chances
> are that /that/ something is badly written, and needs doing better. Is
> it trying to serve files it has no business serving? Is it trying to
> execute things that it shouldn't execute but merely read? There's a
> plethora of dumb things people try to do with their programs, and
> stopping those dumb things is the solution, not allowing them.
>
> Do you ignore programming error messages, too?
>
>> And you can't simpy tell someone, "if you don't know what
you're
>> doing, don't mess with linux!" Not going to happen..
>
> I can say if you don't know what you're doing, don't do it on the
> internet. Dumb things on the internet don't just affect you, they
> affect other people around you. That's why we have masses of spam on
> the internet, and other hacks. Compromised user boxes, compromised ISP
> services, abound.
>
>> ps. To all who've replied in favor of someone not really implementing
>> a fed/centos/linux instance unless secure, I take it you're also
>> illing to provide pointers/help if someone asks, yes? (And not just
>> saying go look at youtube vides, or read docs!!)
>
> Here's a loaded weapon, point it at your own foot, and not in our
> direction... No, I wouldn't give someone advice on how to insecurely
> run their computer, and neither will plenty of others. You will find,
> however, that if you try doing it securely, and run into snags, that
> people are willing to help you solve the actual problem properly.
>
> Webservers and mailservers, in particular, are at least two things that
> need to be run with a great deal of care. Hackers go searching for
> badly set up ones to do their nefarious deeds. And here you are
> advertising that you're going to do so, identifying yourself in the
> process.
>
> --
> [tim@localhost ~]$ uname -rsvp
> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
>
> Boilerplate: All mail to my mailbox is automatically deleted, there is
> no point trying to privately email me, I only get to see the messages
> posted to the mailing list.
>
> Windows, it's enough to make a grown man cry!
>
>
>
> --
> users mailing list
> users(a)lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
9:40 p.m.
Tim:
> SELinux in permissive mode is *not* secure. You're using
the
> computer in an insecure mode, and all SELinux is doing is logging the
> things that it would have stopped.
Ian Malone:
I have actually once seen permissive mode preventing login, IIRC
this
was something to do with PackageKit doing its own context based
checks.
Yes, though that's a fault condition. Permissive mode isn't supposed to
stop anything.
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Lucky for you I typed this, you'd never be able to read my handwriting.
10:21 p.m.
Allegedly, on or about 25 January 2016, vendor(a)billoblog.com sent:
Did you mean "hacked" or "attacked?"
To me an attack is the attempt, a hack is they've succeeded. They
succeeded. Though, to be fair, I didn't say it was Linux computer, but
the principle is the same. All computers are vulnerable, though in our
case it's more the applications than the OS. And if you take no steps
to protect your system, or worse, take steps to remove protection, you
lay yourself wide open.
The problem I see with selinux is that it is so user-unfriendly.
These kinds of things always seem easy and straightforward to someone
who knows it well. That's the nature of skill, regardless of the kind
of skill it is.
I see it no less user-friendly than other things. I look at ACL (access
control lists), and see them as a nightmare. I can see them being used
in security establishments, to control who can see or modify certain
documents that need disseminating. But not in general use. I can't
really imagine employee #54534624 writing a letter, then carefully
considering a list of who can do what with their file (mutter, mutter,
need to add my boss to read/write, my assistant to read/write, my
technically hopeless other boss to read-only so he doesn't foul up my
work, my co-workers to read-only, and I have to remember which of them
are working on the same case...).
Barring oversights and errors, SELinux generally does what it's supposed
to do. If I create a file in /var/www/html/ to be served, it
automatically gets given the right contects to be served, as part of the
process of *creating* a file at that location. If I copy a file from
somewhere to there, the same thing happens, the copy is a new creation,
and gets the appropriate contexts for where it's created. A confusing
thing happens if you try to move a file, the original file contexts are
moved along with the file, and they're probably going to be wrong. It's
logical, but not obvious to the uninitiated. Though it's not too hard
to find out why, you just problem solve it like any other error that
takes you by surprise.
It's similar with file permissions. Some people declare it too hard,
and want to make everything rwxrwxrwx, and hang the consequences. On a
webserver, that (making everything world-writeable), or letting the
webserver process own the files (making everything writeable by the
server, and hence world-writeable), opens you up to all sorts of abuse,
not just the destruction of that individual file.
That's what I think of when I read these discussions. If someone
is
struggling with something like this, they may seem like morons, but it
is usually someting *other* than simple supidity or laziness that is
the reason. It's because the barrier to doing it is greater than the
perceived benefit.
At times, but the tone of the thread indicates that laziness is an
issue.
There is a truism that I remember being told about computer security
a
long, long time ago that usability and technical security are
inversely related. At some point, when you increase the technical
security enough, you will have made the system unusable to the point
that your users will simply start going around it simply to get their
work done.
That's true on both counts. Though I tend to feel that SELinux has met
that balance at around the right place.
While I have some sympathy for people who haven't yet learnt it, as they
try to do something. My efforts are towards learn it, don't bypass it.
Just the same as well tell people don't do things as root - that's often
the root cause, pun intended, of all of these issues. They do one dumb
thing, then another on top of that, and have several compounded problems
because they will not follow any advice.
It's usually around this point that I bring up an analogy against people
trying to do things on computers when they don't really know how, and
stubbornly resist all efforts to learn: I hope these people never get
it into their head to half-arsedly learn first aid, and refuse to do
something important because they don't want to.
...[snip flash drive story]...
I can understand that, and it's not a new story, either. The need to do
it is understandable. The concept of doing it in isolation can be a
required step. If the drive manages to do something nasty, it only
affects that one computer, which then gets sterilised before being
allowed back on the network (if the operator knows that, and doesn't
just plug it back in, regardless).
We had similar issues with floppy discs. Back when bootblock viruses
were the common enemy, there was no/inadequate protection against them.
The only way to stop the spread, was a cold boot in between, and using a
system that booted from the disc in question. That method was no good
against an OS that had another disc-based OS running it.
The combination of security that ignores users and users that ignore
security gives you a system that has neither security nor usability.
And simply calling users morons will not solve this.
I don't believe I've said that. In this email I've certainly mentioned
laziness, because the evidence points that way.
As a general rule, on a user-level, SELinux doesn't get even thought
about, here. It's in the background, and doesn't get in the way. If
you're running services, then it rightly does become something you need
to know about managing.
But what particularly gets my goat, it someone who's a programmer
developing things telling me that SELinux is too hard to deal with. Too
hard? Compared with what? Writing software?! Jeez, you've got much
harder work, *there*. And, as far as I'm concerned, programmers being
hit with the big hammer that says, you have to write data in proper
locations, you can't just read any file you like on the system, you
can't just serve out files from any ad-hoc locations, is only a good set
of conditions to start imposing on so-called programmers. Bring on the
software that pokes them with a sharp stick for doing things that allows
them to create buffer-overflow errors. We could save the entire world a
whole lot of grief if programmers started paying attention to getting
that one bit of programming right.
I love KDE, but frankly, it is collapsing under it's own
complexity.
I can't say I've ever liked it. It has the Fisher-Price toy look like
XP had, and a gazillion configuration options that I do not like the
defaults, and it's always been that way (ever since I saw it, a
gazillion configuration options). Coming from an Amiga user background,
I've never agreed with what people said about Gnome looking like
Windows, no KDE does. Gnome looked far more old Mac-like.
The other thing that peeved me about KDE (and I can see this thread is
going to open a new can of worms), is the naming of all programs
starting with a K followed by a name that seems purely random (regarding
what the program actually did). Not only making it hard to locate
software appropriate to your task, but confusingly k-naming things like
kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE
something).
Selinux is just another exmple. I used to like linux because it
made
sense. Now it seems that it's little different than Windows sometimes
-- opaque, overly complex, and unfriendly.
I don't think anything compares with the hideousness of Windows. So
much of it is secret business, and I don't just mean closed-source.
Resolving some whacko fault involves delving into the registry, adding
things with sixteen hexadecimal numbers which mean nothing to no-one,
that are only documented on hacking sites, or incomprehensible gibberish
on the Microsoft that refers to two versions of Windows ago, warns
against doing it on your release, yet the Microsoft search engine
provides it as your solution.
We now return you to your regular programming, from
alt.computers.help.me.commit.die.quickly
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Lucky for you I typed this, you'd never be able to read my handwriting.
10:57 a.m.
What the Heck???
So.. people who think/decide to just disable seLinux, instead of
diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and
aren't looking to be a sysAdmin, so they want to (if possible) get to
the quickest way of getting their "project" working/tested.. And if
the "security/process" of X (in this case selinux) is in the way.. The
learning required to implement that gets shoved back. It's a
prioritization process for a bunch of people.
You have a limited amount of resources, you priortize and keep going.
And yeah, you realize that you might be cutting corners re security,
but you keep going.
And before people say, "you need to learn security, or you shouldn't
be writing apps!!".. not going to happen.
Implementing "good" secutiry, doesn't happen by spending a few hours
on a few sites. You eventually run into issues that "need to be
solved", etc.. which then adds time/effort/resources. And rightly so,
this is why you have skilled sysAdmin resources. But smaller projects
don't have the resources for this process.. so it becomes a matter of
prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone
willing to work with me on security.. No takers..!!!
So, please, no disparaging "laxy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
Allegedly, on or about 25 January 2016, vendor(a)billoblog.com sent:
> Did you mean "hacked" or "attacked?"
To me an attack is the attempt, a hack is they've succeeded. They
succeeded. Though, to be fair, I didn't say it was Linux computer, but
the principle is the same. All computers are vulnerable, though in our
case it's more the applications than the OS. And if you take no steps
to protect your system, or worse, take steps to remove protection, you
lay yourself wide open.
> The problem I see with selinux is that it is so user-unfriendly.
> These kinds of things always seem easy and straightforward to someone
> who knows it well. That's the nature of skill, regardless of the kind
> of skill it is.
I see it no less user-friendly than other things. I look at ACL (access
control lists), and see them as a nightmare. I can see them being used
in security establishments, to control who can see or modify certain
documents that need disseminating. But not in general use. I can't
really imagine employee #54534624 writing a letter, then carefully
considering a list of who can do what with their file (mutter, mutter,
need to add my boss to read/write, my assistant to read/write, my
technically hopeless other boss to read-only so he doesn't foul up my
work, my co-workers to read-only, and I have to remember which of them
are working on the same case...).
Barring oversights and errors, SELinux generally does what it's supposed
to do. If I create a file in /var/www/html/ to be served, it
automatically gets given the right contects to be served, as part of the
process of *creating* a file at that location. If I copy a file from
somewhere to there, the same thing happens, the copy is a new creation,
and gets the appropriate contexts for where it's created. A confusing
thing happens if you try to move a file, the original file contexts are
moved along with the file, and they're probably going to be wrong. It's
logical, but not obvious to the uninitiated. Though it's not too hard
to find out why, you just problem solve it like any other error that
takes you by surprise.
It's similar with file permissions. Some people declare it too hard,
and want to make everything rwxrwxrwx, and hang the consequences. On a
webserver, that (making everything world-writeable), or letting the
webserver process own the files (making everything writeable by the
server, and hence world-writeable), opens you up to all sorts of abuse,
not just the destruction of that individual file.
> That's what I think of when I read these discussions. If someone is
> struggling with something like this, they may seem like morons, but it
> is usually someting *other* than simple supidity or laziness that is
> the reason. It's because the barrier to doing it is greater than the
> perceived benefit.
At times, but the tone of the thread indicates that laziness is an
issue.
> There is a truism that I remember being told about computer security a
> long, long time ago that usability and technical security are
> inversely related. At some point, when you increase the technical
> security enough, you will have made the system unusable to the point
> that your users will simply start going around it simply to get their
> work done.
That's true on both counts. Though I tend to feel that SELinux has met
that balance at around the right place.
While I have some sympathy for people who haven't yet learnt it, as they
try to do something. My efforts are towards learn it, don't bypass it.
Just the same as well tell people don't do things as root - that's often
the root cause, pun intended, of all of these issues. They do one dumb
thing, then another on top of that, and have several compounded problems
because they will not follow any advice.
It's usually around this point that I bring up an analogy against people
trying to do things on computers when they don't really know how, and
stubbornly resist all efforts to learn: I hope these people never get
it into their head to half-arsedly learn first aid, and refuse to do
something important because they don't want to.
> ...[snip flash drive story]...
I can understand that, and it's not a new story, either. The need to do
it is understandable. The concept of doing it in isolation can be a
required step. If the drive manages to do something nasty, it only
affects that one computer, which then gets sterilised before being
allowed back on the network (if the operator knows that, and doesn't
just plug it back in, regardless).
We had similar issues with floppy discs. Back when bootblock viruses
were the common enemy, there was no/inadequate protection against them.
The only way to stop the spread, was a cold boot in between, and using a
system that booted from the disc in question. That method was no good
against an OS that had another disc-based OS running it.
> The combination of security that ignores users and users that ignore
> security gives you a system that has neither security nor usability.
> And simply calling users morons will not solve this.
I don't believe I've said that. In this email I've certainly mentioned
laziness, because the evidence points that way.
As a general rule, on a user-level, SELinux doesn't get even thought
about, here. It's in the background, and doesn't get in the way. If
you're running services, then it rightly does become something you need
to know about managing.
But what particularly gets my goat, it someone who's a programmer
developing things telling me that SELinux is too hard to deal with. Too
hard? Compared with what? Writing software?! Jeez, you've got much
harder work, *there*. And, as far as I'm concerned, programmers being
hit with the big hammer that says, you have to write data in proper
locations, you can't just read any file you like on the system, you
can't just serve out files from any ad-hoc locations, is only a good set
of conditions to start imposing on so-called programmers. Bring on the
software that pokes them with a sharp stick for doing things that allows
them to create buffer-overflow errors. We could save the entire world a
whole lot of grief if programmers started paying attention to getting
that one bit of programming right.
> I love KDE, but frankly, it is collapsing under it's own complexity.
I can't say I've ever liked it. It has the Fisher-Price toy look like
XP had, and a gazillion configuration options that I do not like the
defaults, and it's always been that way (ever since I saw it, a
gazillion configuration options). Coming from an Amiga user background,
I've never agreed with what people said about Gnome looking like
Windows, no KDE does. Gnome looked far more old Mac-like.
The other thing that peeved me about KDE (and I can see this thread is
going to open a new can of worms), is the naming of all programs
starting with a K followed by a name that seems purely random (regarding
what the program actually did). Not only making it hard to locate
software appropriate to your task, but confusingly k-naming things like
kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE
something).
> Selinux is just another exmple. I used to like linux because it made
> sense. Now it seems that it's little different than Windows sometimes
> -- opaque, overly complex, and unfriendly.
I don't think anything compares with the hideousness of Windows. So
much of it is secret business, and I don't just mean closed-source.
Resolving some whacko fault involves delving into the registry, adding
things with sixteen hexadecimal numbers which mean nothing to no-one,
that are only documented on hacking sites, or incomprehensible gibberish
on the Microsoft that refers to two versions of Windows ago, warns
against doing it on your release, yet the Microsoft search engine
provides it as your solution.
We now return you to your regular programming, from
alt.computers.help.me.commit.die.quickly
--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.
Lucky for you I typed this, you'd never be able to read my handwriting.
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
11:06 a.m.
Totally agree with you, Bruce.
Cheers,
Sylvia
On Tuesday, 26 January 2016, bruce <badouglas(a)gmail.com> wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of
diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and
aren't looking to be a sysAdmin, so they want to (if possible) get to
the quickest way of getting their "project" working/tested.. And if
the "security/process" of X (in this case selinux) is in the way.. The
learning required to implement that gets shoved back. It's a
prioritization process for a bunch of people.
You have a limited amount of resources, you priortize and keep going.
And yeah, you realize that you might be cutting corners re security,
but you keep going.
And before people say, "you need to learn security, or you shouldn't
be writing apps!!".. not going to happen.
Implementing "good" secutiry, doesn't happen by spending a few hours
on a few sites. You eventually run into issues that "need to be
solved", etc.. which then adds time/effort/resources. And rightly so,
this is why you have skilled sysAdmin resources. But smaller projects
don't have the resources for this process.. so it becomes a matter of
prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone
willing to work with me on security.. No takers..!!!
So, please, no disparaging "laxy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox(a)yahoo.com.au
<javascript:;>> wrote:
> Allegedly, on or about 25 January 2016, vendor(a)billoblog.com
<javascript:;> sent:
>> Did you mean "hacked" or "attacked?"
>
> To me an attack is the attempt, a hack is they've succeeded. They
> succeeded. Though, to be fair, I didn't say it was Linux computer, but
> the principle is the same. All computers are vulnerable, though in our
> case it's more the applications than the OS. And if you take no steps
> to protect your system, or worse, take steps to remove protection, you
> lay yourself wide open.
>
>> The problem I see with selinux is that it is so user-unfriendly.
>> These kinds of things always seem easy and straightforward to someone
>> who knows it well. That's the nature of skill, regardless of the kind
>> of skill it is.
>
> I see it no less user-friendly than other things. I look at ACL (access
> control lists), and see them as a nightmare. I can see them being used
> in security establishments, to control who can see or modify certain
> documents that need disseminating. But not in general use. I can't
> really imagine employee #54534624 writing a letter, then carefully
> considering a list of who can do what with their file (mutter, mutter,
> need to add my boss to read/write, my assistant to read/write, my
> technically hopeless other boss to read-only so he doesn't foul up my
> work, my co-workers to read-only, and I have to remember which of them
> are working on the same case...).
>
> Barring oversights and errors, SELinux generally does what it's supposed
> to do. If I create a file in /var/www/html/ to be served, it
> automatically gets given the right contects to be served, as part of the
> process of *creating* a file at that location. If I copy a file from
> somewhere to there, the same thing happens, the copy is a new creation,
> and gets the appropriate contexts for where it's created. A confusing
> thing happens if you try to move a file, the original file contexts are
> moved along with the file, and they're probably going to be wrong. It's
> logical, but not obvious to the uninitiated. Though it's not too hard
> to find out why, you just problem solve it like any other error that
> takes you by surprise.
>
> It's similar with file permissions. Some people declare it too hard,
> and want to make everything rwxrwxrwx, and hang the consequences. On a
> webserver, that (making everything world-writeable), or letting the
> webserver process own the files (making everything writeable by the
> server, and hence world-writeable), opens you up to all sorts of abuse,
> not just the destruction of that individual file.
>
>> That's what I think of when I read these discussions. If someone is
>> struggling with something like this, they may seem like morons, but it
>> is usually someting *other* than simple supidity or laziness that is
>> the reason. It's because the barrier to doing it is greater than the
>> perceived benefit.
>
> At times, but the tone of the thread indicates that laziness is an
> issue.
>
>> There is a truism that I remember being told about computer security a
>> long, long time ago that usability and technical security are
>> inversely related. At some point, when you increase the technical
>> security enough, you will have made the system unusable to the point
>> that your users will simply start going around it simply to get their
>> work done.
>
> That's true on both counts. Though I tend to feel that SELinux has met
> that balance at around the right place.
>
> While I have some sympathy for people who haven't yet learnt it, as they
> try to do something. My efforts are towards learn it, don't bypass it.
> Just the same as well tell people don't do things as root - that's often
> the root cause, pun intended, of all of these issues. They do one dumb
> thing, then another on top of that, and have several compounded problems
> because they will not follow any advice.
>
> It's usually around this point that I bring up an analogy against people
> trying to do things on computers when they don't really know how, and
> stubbornly resist all efforts to learn: I hope these people never get
> it into their head to half-arsedly learn first aid, and refuse to do
> something important because they don't want to.
>
>> ...[snip flash drive story]...
>
> I can understand that, and it's not a new story, either. The need to do
> it is understandable. The concept of doing it in isolation can be a
> required step. If the drive manages to do something nasty, it only
> affects that one computer, which then gets sterilised before being
> allowed back on the network (if the operator knows that, and doesn't
> just plug it back in, regardless).
>
> We had similar issues with floppy discs. Back when bootblock viruses
> were the common enemy, there was no/inadequate protection against them.
> The only way to stop the spread, was a cold boot in between, and using a
> system that booted from the disc in question. That method was no good
> against an OS that had another disc-based OS running it.
>
>> The combination of security that ignores users and users that ignore
>> security gives you a system that has neither security nor usability.
>> And simply calling users morons will not solve this.
>
> I don't believe I've said that. In this email I've certainly mentioned
> laziness, because the evidence points that way.
>
> As a general rule, on a user-level, SELinux doesn't get even thought
> about, here. It's in the background, and doesn't get in the way. If
> you're running services, then it rightly does become something you need
> to know about managing.
>
> But what particularly gets my goat, it someone who's a programmer
> developing things telling me that SELinux is too hard to deal with. Too
> hard? Compared with what? Writing software?! Jeez, you've got much
> harder work, *there*. And, as far as I'm concerned, programmers being
> hit with the big hammer that says, you have to write data in proper
> locations, you can't just read any file you like on the system, you
> can't just serve out files from any ad-hoc locations, is only a good set
> of conditions to start imposing on so-called programmers. Bring on the
> software that pokes them with a sharp stick for doing things that allows
> them to create buffer-overflow errors. We could save the entire world a
> whole lot of grief if programmers started paying attention to getting
> that one bit of programming right.
>
>> I love KDE, but frankly, it is collapsing under it's own complexity.
>
> I can't say I've ever liked it. It has the Fisher-Price toy look like
> XP had, and a gazillion configuration options that I do not like the
> defaults, and it's always been that way (ever since I saw it, a
> gazillion configuration options). Coming from an Amiga user background,
> I've never agreed with what people said about Gnome looking like
> Windows, no KDE does. Gnome looked far more old Mac-like.
>
> The other thing that peeved me about KDE (and I can see this thread is
> going to open a new can of worms), is the naming of all programs
> starting with a K followed by a name that seems purely random (regarding
> what the program actually did). Not only making it hard to locate
> software appropriate to your task, but confusingly k-naming things like
> kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE
> something).
>
>> Selinux is just another exmple. I used to like linux because it made
>> sense. Now it seems that it's little different than Windows sometimes
>> -- opaque, overly complex, and unfriendly.
>
> I don't think anything compares with the hideousness of Windows. So
> much of it is secret business, and I don't just mean closed-source.
> Resolving some whacko fault involves delving into the registry, adding
> things with sixteen hexadecimal numbers which mean nothing to no-one,
> that are only documented on hacking sites, or incomprehensible gibberish
> on the Microsoft that refers to two versions of Windows ago, warns
> against doing it on your release, yet the Microsoft search engine
> provides it as your solution.
>
> We now return you to your regular programming, from
> alt.computers.help.me.commit.die.quickly
>
> --
> [tim@localhost ~]$ uname -rsvp
> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
>
> Boilerplate: All mail to my mailbox is automatically deleted, there is
> no point trying to privately email me, I only get to see the messages
> posted to the mailing list.
>
> Lucky for you I typed this, you'd never be able to read my handwriting.
>
>
>
> --
> users mailing list
> users(a)lists.fedoraproject.org <javascript:;>
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
--
users mailing list
users(a)lists.fedoraproject.org <javascript:;>
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
11:07 a.m.
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent
luxuries.
The rest of us 99% have to work for it :P
On Jan 26, 2016, at 8:57 AM, bruce <badouglas(a)gmail.com>
wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of
diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and
aren't looking to be a sysAdmin, so they want to (if possible) get to
the quickest way of getting their "project" working/tested.. And if
the "security/process" of X (in this case selinux) is in the way.. The
learning required to implement that gets shoved back. It's a
prioritization process for a bunch of people.
You have a limited amount of resources, you priortize and keep going.
And yeah, you realize that you might be cutting corners re security,
but you keep going.
And before people say, "you need to learn security, or you shouldn't
be writing apps!!".. not going to happen.
Implementing "good" secutiry, doesn't happen by spending a few hours
on a few sites. You eventually run into issues that "need to be
solved", etc.. which then adds time/effort/resources. And rightly so,
this is why you have skilled sysAdmin resources. But smaller projects
don't have the resources for this process.. so it becomes a matter of
prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone
willing to work with me on security.. No takers..!!!
So, please, no disparaging "laxy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox(a)yahoo.com.au> wrote:
> Allegedly, on or about 25 January 2016, vendor(a)billoblog.com sent:
>> Did you mean "hacked" or "attacked?"
>
> To me an attack is the attempt, a hack is they've succeeded. They
> succeeded. Though, to be fair, I didn't say it was Linux computer, but
> the principle is the same. All computers are vulnerable, though in our
> case it's more the applications than the OS. And if you take no steps
> to protect your system, or worse, take steps to remove protection, you
> lay yourself wide open.
>
>> The problem I see with selinux is that it is so user-unfriendly.
>> These kinds of things always seem easy and straightforward to someone
>> who knows it well. That's the nature of skill, regardless of the kind
>> of skill it is.
>
> I see it no less user-friendly than other things. I look at ACL (access
> control lists), and see them as a nightmare. I can see them being used
> in security establishments, to control who can see or modify certain
> documents that need disseminating. But not in general use. I can't
> really imagine employee #54534624 writing a letter, then carefully
> considering a list of who can do what with their file (mutter, mutter,
> need to add my boss to read/write, my assistant to read/write, my
> technically hopeless other boss to read-only so he doesn't foul up my
> work, my co-workers to read-only, and I have to remember which of them
> are working on the same case...).
>
> Barring oversights and errors, SELinux generally does what it's supposed
> to do. If I create a file in /var/www/html/ to be served, it
> automatically gets given the right contects to be served, as part of the
> process of *creating* a file at that location. If I copy a file from
> somewhere to there, the same thing happens, the copy is a new creation,
> and gets the appropriate contexts for where it's created. A confusing
> thing happens if you try to move a file, the original file contexts are
> moved along with the file, and they're probably going to be wrong. It's
> logical, but not obvious to the uninitiated. Though it's not too hard
> to find out why, you just problem solve it like any other error that
> takes you by surprise.
>
> It's similar with file permissions. Some people declare it too hard,
> and want to make everything rwxrwxrwx, and hang the consequences. On a
> webserver, that (making everything world-writeable), or letting the
> webserver process own the files (making everything writeable by the
> server, and hence world-writeable), opens you up to all sorts of abuse,
> not just the destruction of that individual file.
>
>> That's what I think of when I read these discussions. If someone is
>> struggling with something like this, they may seem like morons, but it
>> is usually someting *other* than simple supidity or laziness that is
>> the reason. It's because the barrier to doing it is greater than the
>> perceived benefit.
>
> At times, but the tone of the thread indicates that laziness is an
> issue.
>
>> There is a truism that I remember being told about computer security a
>> long, long time ago that usability and technical security are
>> inversely related. At some point, when you increase the technical
>> security enough, you will have made the system unusable to the point
>> that your users will simply start going around it simply to get their
>> work done.
>
> That's true on both counts. Though I tend to feel that SELinux has met
> that balance at around the right place.
>
> While I have some sympathy for people who haven't yet learnt it, as they
> try to do something. My efforts are towards learn it, don't bypass it.
> Just the same as well tell people don't do things as root - that's often
> the root cause, pun intended, of all of these issues. They do one dumb
> thing, then another on top of that, and have several compounded problems
> because they will not follow any advice.
>
> It's usually around this point that I bring up an analogy against people
> trying to do things on computers when they don't really know how, and
> stubbornly resist all efforts to learn: I hope these people never get
> it into their head to half-arsedly learn first aid, and refuse to do
> something important because they don't want to.
>
>> ...[snip flash drive story]...
>
> I can understand that, and it's not a new story, either. The need to do
> it is understandable. The concept of doing it in isolation can be a
> required step. If the drive manages to do something nasty, it only
> affects that one computer, which then gets sterilised before being
> allowed back on the network (if the operator knows that, and doesn't
> just plug it back in, regardless).
>
> We had similar issues with floppy discs. Back when bootblock viruses
> were the common enemy, there was no/inadequate protection against them.
> The only way to stop the spread, was a cold boot in between, and using a
> system that booted from the disc in question. That method was no good
> against an OS that had another disc-based OS running it.
>
>> The combination of security that ignores users and users that ignore
>> security gives you a system that has neither security nor usability.
>> And simply calling users morons will not solve this.
>
> I don't believe I've said that. In this email I've certainly mentioned
> laziness, because the evidence points that way.
>
> As a general rule, on a user-level, SELinux doesn't get even thought
> about, here. It's in the background, and doesn't get in the way. If
> you're running services, then it rightly does become something you need
> to know about managing.
>
> But what particularly gets my goat, it someone who's a programmer
> developing things telling me that SELinux is too hard to deal with. Too
> hard? Compared with what? Writing software?! Jeez, you've got much
> harder work, *there*. And, as far as I'm concerned, programmers being
> hit with the big hammer that says, you have to write data in proper
> locations, you can't just read any file you like on the system, you
> can't just serve out files from any ad-hoc locations, is only a good set
> of conditions to start imposing on so-called programmers. Bring on the
> software that pokes them with a sharp stick for doing things that allows
> them to create buffer-overflow errors. We could save the entire world a
> whole lot of grief if programmers started paying attention to getting
> that one bit of programming right.
>
>> I love KDE, but frankly, it is collapsing under it's own complexity.
>
> I can't say I've ever liked it. It has the Fisher-Price toy look like
> XP had, and a gazillion configuration options that I do not like the
> defaults, and it's always been that way (ever since I saw it, a
> gazillion configuration options). Coming from an Amiga user background,
> I've never agreed with what people said about Gnome looking like
> Windows, no KDE does. Gnome looked far more old Mac-like.
>
> The other thing that peeved me about KDE (and I can see this thread is
> going to open a new can of worms), is the naming of all programs
> starting with a K followed by a name that seems purely random (regarding
> what the program actually did). Not only making it hard to locate
> software appropriate to your task, but confusingly k-naming things like
> kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE
> something).
>
>> Selinux is just another exmple. I used to like linux because it made
>> sense. Now it seems that it's little different than Windows sometimes
>> -- opaque, overly complex, and unfriendly.
>
> I don't think anything compares with the hideousness of Windows. So
> much of it is secret business, and I don't just mean closed-source.
> Resolving some whacko fault involves delving into the registry, adding
> things with sixteen hexadecimal numbers which mean nothing to no-one,
> that are only documented on hacking sites, or incomprehensible gibberish
> on the Microsoft that refers to two versions of Windows ago, warns
> against doing it on your release, yet the Microsoft search engine
> provides it as your solution.
>
> We now return you to your regular programming, from
> alt.computers.help.me.commit.die.quickly
>
> --
> [tim@localhost ~]$ uname -rsvp
> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
>
> Boilerplate: All mail to my mailbox is automatically deleted, there is
> no point trying to privately email me, I only get to see the messages
> posted to the mailing list.
>
> Lucky for you I typed this, you'd never be able to read my handwriting.
>
>
>
> --
> users mailing list
> users(a)lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
11:10 a.m.
On 26 January 2016 at 16:57, bruce <badouglas(a)gmail.com> wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of
diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and
aren't looking to be a sysAdmin, so they want to (if possible) get to
the quickest way of getting their "project" working/tested.. And if
the "security/process" of X (in this case selinux) is in the way.. The
learning required to implement that gets shoved back. It's a
prioritization process for a bunch of people.
You have a limited amount of resources, you priortize and keep going.
And yeah, you realize that you might be cutting corners re security,
but you keep going.
And before people say, "you need to learn security, or you shouldn't
be writing apps!!".. not going to happen.
Implementing "good" secutiry, doesn't happen by spending a few hours
on a few sites. You eventually run into issues that "need to be
solved", etc.. which then adds time/effort/resources. And rightly so,
this is why you have skilled sysAdmin resources. But smaller projects
don't have the resources for this process.. so it becomes a matter of
prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone
willing to work with me on security.. No takers..!!!
If you're really interested in that then it would be better to
actually advertise.
The central point here, you seem to be arguing that you should disable
all security because you don't have time to learn it and it's
difficult. But I bet you don't plan to just make everything on the
machine world writable and turn off the firewall. Things like SELinux
are actually there to help you. They can't make you do things like
properly encrypt user logins, but they can reduce the risk it's going
to matter. What I've been trying to say is leave it on and there are
plenty of people that can give you advice if you run into problems.
And yes, there are people that should not write apps if they aren't
going to bother with security. If you're not from the UK then search
google for Talktalk hacked, or imagine what would happen if people
could get at your uber account details. Failing to protect user data
properly over here (UK) can attract serious fines.
--
imalone
http://ibmalone.blogspot.co.uk
11:13 a.m.
BTW... Yes, you can disable SELinux. Once you have your work done, you can
enable or keep it disabled, as you like it.
Hope it helps,
Sylvia
On Tuesday, 26 January 2016, bruce <badouglas(a)gmail.com> wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of
diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and
aren't looking to be a sysAdmin, so they want to (if possible) get to
the quickest way of getting their "project" working/tested.. And if
the "security/process" of X (in this case selinux) is in the way.. The
learning required to implement that gets shoved back. It's a
prioritization process for a bunch of people.
You have a limited amount of resources, you priortize and keep going.
And yeah, you realize that you might be cutting corners re security,
but you keep going.
And before people say, "you need to learn security, or you shouldn't
be writing apps!!".. not going to happen.
Implementing "good" secutiry, doesn't happen by spending a few hours
on a few sites. You eventually run into issues that "need to be
solved", etc.. which then adds time/effort/resources. And rightly so,
this is why you have skilled sysAdmin resources. But smaller projects
don't have the resources for this process.. so it becomes a matter of
prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone
willing to work with me on security.. No takers..!!!
So, please, no disparaging "laxy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox(a)yahoo.com.au
<javascript:;>> wrote:
> Allegedly, on or about 25 January 2016, vendor(a)billoblog.com
<javascript:;> sent:
>> Did you mean "hacked" or "attacked?"
>
> To me an attack is the attempt, a hack is they've succeeded. They
> succeeded. Though, to be fair, I didn't say it was Linux computer, but
> the principle is the same. All computers are vulnerable, though in our
> case it's more the applications than the OS. And if you take no steps
> to protect your system, or worse, take steps to remove protection, you
> lay yourself wide open.
>
>> The problem I see with selinux is that it is so user-unfriendly.
>> These kinds of things always seem easy and straightforward to someone
>> who knows it well. That's the nature of skill, regardless of the kind
>> of skill it is.
>
> I see it no less user-friendly than other things. I look at ACL (access
> control lists), and see them as a nightmare. I can see them being used
> in security establishments, to control who can see or modify certain
> documents that need disseminating. But not in general use. I can't
> really imagine employee #54534624 writing a letter, then carefully
> considering a list of who can do what with their file (mutter, mutter,
> need to add my boss to read/write, my assistant to read/write, my
> technically hopeless other boss to read-only so he doesn't foul up my
> work, my co-workers to read-only, and I have to remember which of them
> are working on the same case...).
>
> Barring oversights and errors, SELinux generally does what it's supposed
> to do. If I create a file in /var/www/html/ to be served, it
> automatically gets given the right contects to be served, as part of the
> process of *creating* a file at that location. If I copy a file from
> somewhere to there, the same thing happens, the copy is a new creation,
> and gets the appropriate contexts for where it's created. A confusing
> thing happens if you try to move a file, the original file contexts are
> moved along with the file, and they're probably going to be wrong. It's
> logical, but not obvious to the uninitiated. Though it's not too hard
> to find out why, you just problem solve it like any other error that
> takes you by surprise.
>
> It's similar with file permissions. Some people declare it too hard,
> and want to make everything rwxrwxrwx, and hang the consequences. On a
> webserver, that (making everything world-writeable), or letting the
> webserver process own the files (making everything writeable by the
> server, and hence world-writeable), opens you up to all sorts of abuse,
> not just the destruction of that individual file.
>
>> That's what I think of when I read these discussions. If someone is
>> struggling with something like this, they may seem like morons, but it
>> is usually someting *other* than simple supidity or laziness that is
>> the reason. It's because the barrier to doing it is greater than the
>> perceived benefit.
>
> At times, but the tone of the thread indicates that laziness is an
> issue.
>
>> There is a truism that I remember being told about computer security a
>> long, long time ago that usability and technical security are
>> inversely related. At some point, when you increase the technical
>> security enough, you will have made the system unusable to the point
>> that your users will simply start going around it simply to get their
>> work done.
>
> That's true on both counts. Though I tend to feel that SELinux has met
> that balance at around the right place.
>
> While I have some sympathy for people who haven't yet learnt it, as they
> try to do something. My efforts are towards learn it, don't bypass it.
> Just the same as well tell people don't do things as root - that's often
> the root cause, pun intended, of all of these issues. They do one dumb
> thing, then another on top of that, and have several compounded problems
> because they will not follow any advice.
>
> It's usually around this point that I bring up an analogy against people
> trying to do things on computers when they don't really know how, and
> stubbornly resist all efforts to learn: I hope these people never get
> it into their head to half-arsedly learn first aid, and refuse to do
> something important because they don't want to.
>
>> ...[snip flash drive story]...
>
> I can understand that, and it's not a new story, either. The need to do
> it is understandable. The concept of doing it in isolation can be a
> required step. If the drive manages to do something nasty, it only
> affects that one computer, which then gets sterilised before being
> allowed back on the network (if the operator knows that, and doesn't
> just plug it back in, regardless).
>
> We had similar issues with floppy discs. Back when bootblock viruses
> were the common enemy, there was no/inadequate protection against them.
> The only way to stop the spread, was a cold boot in between, and using a
> system that booted from the disc in question. That method was no good
> against an OS that had another disc-based OS running it.
>
>> The combination of security that ignores users and users that ignore
>> security gives you a system that has neither security nor usability.
>> And simply calling users morons will not solve this.
>
> I don't believe I've said that. In this email I've certainly mentioned
> laziness, because the evidence points that way.
>
> As a general rule, on a user-level, SELinux doesn't get even thought
> about, here. It's in the background, and doesn't get in the way. If
> you're running services, then it rightly does become something you need
> to know about managing.
>
> But what particularly gets my goat, it someone who's a programmer
> developing things telling me that SELinux is too hard to deal with. Too
> hard? Compared with what? Writing software?! Jeez, you've got much
> harder work, *there*. And, as far as I'm concerned, programmers being
> hit with the big hammer that says, you have to write data in proper
> locations, you can't just read any file you like on the system, you
> can't just serve out files from any ad-hoc locations, is only a good set
> of conditions to start imposing on so-called programmers. Bring on the
> software that pokes them with a sharp stick for doing things that allows
> them to create buffer-overflow errors. We could save the entire world a
> whole lot of grief if programmers started paying attention to getting
> that one bit of programming right.
>
>> I love KDE, but frankly, it is collapsing under it's own complexity.
>
> I can't say I've ever liked it. It has the Fisher-Price toy look like
> XP had, and a gazillion configuration options that I do not like the
> defaults, and it's always been that way (ever since I saw it, a
> gazillion configuration options). Coming from an Amiga user background,
> I've never agreed with what people said about Gnome looking like
> Windows, no KDE does. Gnome looked far more old Mac-like.
>
> The other thing that peeved me about KDE (and I can see this thread is
> going to open a new can of worms), is the naming of all programs
> starting with a K followed by a name that seems purely random (regarding
> what the program actually did). Not only making it hard to locate
> software appropriate to your task, but confusingly k-naming things like
> kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE
> something).
>
>> Selinux is just another exmple. I used to like linux because it made
>> sense. Now it seems that it's little different than Windows sometimes
>> -- opaque, overly complex, and unfriendly.
>
> I don't think anything compares with the hideousness of Windows. So
> much of it is secret business, and I don't just mean closed-source.
> Resolving some whacko fault involves delving into the registry, adding
> things with sixteen hexadecimal numbers which mean nothing to no-one,
> that are only documented on hacking sites, or incomprehensible gibberish
> on the Microsoft that refers to two versions of Windows ago, warns
> against doing it on your release, yet the Microsoft search engine
> provides it as your solution.
>
> We now return you to your regular programming, from
> alt.computers.help.me.commit.die.quickly
>
> --
> [tim@localhost ~]$ uname -rsvp
> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
>
> Boilerplate: All mail to my mailbox is automatically deleted, there is
> no point trying to privately email me, I only get to see the messages
> posted to the mailing list.
>
> Lucky for you I typed this, you'd never be able to read my handwriting.
>
>
>
> --
> users mailing list
> users(a)lists.fedoraproject.org <javascript:;>
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
--
users mailing list
users(a)lists.fedoraproject.org <javascript:;>
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
11:13 a.m.
On 26 January 2016 at 17:07, Shawn Bakhtiar <shashaness(a)hotmail.com> wrote:
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent
luxuries.
The rest of us 99% have to work for it :P
Remember that next time your bank gets hacked.
--
imalone
http://ibmalone.blogspot.co.uk
11:15 a.m.
On Tue, Jan 26, 2016 at 3:10 PM, Ian Malone <ibmalone(a)gmail.com> wrote:
Failing to protect user data properly over here (UK) can attract
serious fines.
As it should be all over the World. I image that some sort of cease
and desist should exist for companies with poorly protected user
information. I would ultimately blame the average person for not
valuing privacy enough, though.
Then those relatives who have 3 different passwords for 50 different
services... Ugh.
--
Bernardo Sulzbach
11:18 a.m.
The bank is the bank. I don't work on a bank. I work at home, with a very
limited Internet connection, and on things that are far away from sys
administration. And no, I won't lose my work. It's backed up.
And Bruce said for a while, not permanently. Why all this fuss?
Cheers,
Sylvia
On Tuesday, 26 January 2016, Ian Malone <ibmalone(a)gmail.com> wrote:
On 26 January 2016 at 17:07, Shawn Bakhtiar
<shashaness(a)hotmail.com
<javascript:;>> wrote:
> I couldn't agree more bruce.
>
> It's the 1% who get paid too much for doing too little that have such
indulgent luxuries.
>
> The rest of us 99% have to work for it :P
>
>
Remember that next time your bank gets hacked.
--
imalone
http://ibmalone.blogspot.co.uk
--
users mailing list
users(a)lists.fedoraproject.org <javascript:;>
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
11:23 a.m.
On Jan 26, 2016, at 9:13 AM, Ian Malone <ibmalone(a)gmail.com>
wrote:
On 26 January 2016 at 17:07, Shawn Bakhtiar <shashaness(a)hotmail.com> wrote:
> I couldn't agree more bruce.
>
> It's the 1% who get paid too much for doing too little that have such indulgent
luxuries.
>
> The rest of us 99% have to work for it :P
>
>
Remember that next time your bank gets hacked.
Seriously!!?!??! You're comparing a multi-bilion dollar multi-national
institution with a SMB/SOHO engineer. Sorry they fall int the 1% last I checked.
--
imalone
http://ibmalone.blogspot.co.uk
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
11:23 a.m.
On Jan 26, 2016, at 9:10 AM, Ian Malone <ibmalone(a)gmail.com>
wrote:
On 26 January 2016 at 16:57, bruce <badouglas(a)gmail.com> wrote:
> What the Heck???
>
> So.. people who think/decide to just disable seLinux, instead of
> diving in to "learn" it are just lazy???? Lord.. shaking my head..
>
> How about.. some might be lazy..
>
> Or, some have a bunch of different things to get accomplished, and
> aren't looking to be a sysAdmin, so they want to (if possible) get to
> the quickest way of getting their "project" working/tested.. And if
> the "security/process" of X (in this case selinux) is in the way.. The
> learning required to implement that gets shoved back. It's a
> prioritization process for a bunch of people.
>
> You have a limited amount of resources, you priortize and keep going.
> And yeah, you realize that you might be cutting corners re security,
> but you keep going.
>
> And before people say, "you need to learn security, or you shouldn't
> be writing apps!!".. not going to happen.
>
> Implementing "good" secutiry, doesn't happen by spending a few hours
> on a few sites. You eventually run into issues that "need to be
> solved", etc.. which then adds time/effort/resources. And rightly so,
> this is why you have skilled sysAdmin resources. But smaller projects
> don't have the resources for this process.. so it becomes a matter of
> prioritization/resource allocation..
>
> And I say again.. I've been willing to pay hard $$$ for someone
> willing to work with me on security.. No takers..!!!
>
If you're really interested in that then it would be better to
actually advertise.
I would agree with you here.
The central point here, you seem to be arguing that you should disable
all security because you don't have time to learn it and it's
difficult.
This is a valid reason given the priorities. A lot of SMB/SOHOs
don't have the resources to use SELinux.
But I bet you don't plan to just make everything on the
machine world writable and turn off the firewall.
These functions are far easier
than understanding the complexities of SELinux.
Things like SELinux
are actually there to help you. They can't make you do things like
properly encrypt user logins, but they can reduce the risk it's going
to matter. What I've been trying to say is leave it on and there are
plenty of people that can give you advice if you run into problems.
And yes, there are people that should not write apps if they aren't
going to bother with security.
Security is a System Administration function. Not a Software Engineering function. A lot
of us function as both, but the idea that we have to be masters off all the disciplines we
practice (when most of us are jack of all traits) is simply false. We do our best, and our
best sometimes means abandoning complicated mechanisms such as SELinux in order get a
project to completion.
SELinux is bonus, not a requirement.
If you're not from the UK then search
google for Talktalk hacked, or imagine what would happen if people
could get at your uber account details. Failing to protect user data
properly over here (UK) can attract serious fines.
That's not true... If you are NEGLIGENT you could face fines. Which I believe was the
case in Talktalk was grossly negligent and in far greater position than most Linux users
to secure their data.
--
imalone
http://ibmalone.blogspot.co.uk
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
12:08 p.m.
On Monday 25 Jan 2016 19:06:11 Shawn Bakhtiar wrote:
LOL!!!
I feel you bruce :)
I think a LOT of people are struggling (and frustrated, rightfully so) with
SELinux and simply place it in permissive mode. There is nothing wrong with
doing this. Don't buy into the fear mongering hype. The only think you have
to fear is fear itself.
If/when security is a concern (which in your case it doesn't seem
to be)
then SELinux is a powerful tool. You would run it along with Tripwire,
rkhunter, et al, to validate the security of a server, and by the time it
becomes so you can look back over the audit trail to see where perms need
to be added etc...
If you are just looking to experiment, exposed to the internet or
not,
SELinux is really irrelevant, and in many cases can be cumbersome. I
personally have had to disable SELinux (permissive mode) many a time to get
things to work, and I have yet to have a system compromised by doing so.
Not that this can't happen, but the actual chances of it happening are so
low, that you ROI is simply not worth it. There really is not some army out
their hit small ops looking for vulnerabilities in anything that's not a
standard package.
So experiment and produce at will with little to fear. A lot of hype
is
built around SELinux in naiveté. Someone who really cares about security
actually does not rely on SELinux, they monitor their servers intensely,
and know every process running on them inside and out, review logs often,
use tripwire, rkhunter, and monitor network activity with Security Onion,
etc....
Again, this is not to say that SELinux is not part a good strategy,
but it
is not the holy grail many make it out to be either. It's a small part of
security that as you mentioned a lot of use common folk can live without,
and have done so for a long time, with no adverse effects.
> On Jan 25, 2016, at 7:29 AM, bruce <badouglas(a)gmail.com> wrote:
>
> --Gawd...
>
> Feels like I'm trying to spit in the wind!!
>
> 1st, not trying to set up web servers, but am looking at running tests
> on linux servers.
>
> 2nd, recognize that one should have "secure" systems on the net, but
> realize I don't have the time/set of skills to "fully" get there...
>
> So, if you want to say -- hey, don't have an insecure linux box, it
> could be hacked and cause us the Internet community probs due to your
> crap, that's fair.
>
> But you need to realize, there are lots of people who are attempting
> to do as much as they can with limited resources/time. if anyone here
> wants to contact me offline, we can discuss. Heck, I've been looking
> for a "sysadmin" type that I can pay, talk with for a bit.
>
> If fed/selinux had a "config" file for simple services/ports, great..
> But when you get to policies, and understanding the nuances of
> selinux, as far as I can tell, it's a learning curve that has to be
> dealt with in order to get it right..
>
> And to be honest, I know of a number of operations/organizations that
> have put the "security" sysAdmin stuff off until they could find a
> sysadmin resource for that function..
>
> There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder
in
> 4 weeks" courses. that only get to the basics of coding, much less the
> sysadmin stuff..
>
> None of these are going away.. so some guy who pops up a website/app
> on some aws instance.. has security issues that they might not even
> realize..
>
> Anyway.. thanks guys!
>
>
> On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mailbox(a)yahoo.com.au>
> wrote:
>
>> Allegedly, on or about 25 January 2016, bruce sent:
>>
>>> I fully get the need for security.. But if I can't get the security
>>> working as it should, but I still need to build whatever the project
>>> might be.. the project is going to get created.
>>>
>>> If running Selinux in permissive mode is enough, great, so be it.
>>
>>
>> SELinux in permissive mode is *not* secure. You're using the computer
>> in an insecure mode, and all SELinux is doing is logging the things that
>> it would have stopped.
>>
>>
>>> But when it comes to policies, for differnt users, applications,
>>> files,etc.. and the possiblity of screwing something up if you go
>>> wrong, then you have a bit of an issue there...
>>
>>
>> I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
>> And I haven't had to turn off SELinux, nor do anything beyond open the
>> configurator GUI and tick the boxes that said to allow those particular
>> services (look through its list, find HTTPD server, tick it, find
>> serving CGI scripts, tick that, etc., that was about the extent of what
>> I had to do). Seriously, setting that right was a damn sight easier
>> than configuring any of those servers.
>>
>> If you find something is failing because SELinux is stopping it, chances
>> are that /that/ something is badly written, and needs doing better. Is
>> it trying to serve files it has no business serving? Is it trying to
>> execute things that it shouldn't execute but merely read? There's a
>> plethora of dumb things people try to do with their programs, and
>> stopping those dumb things is the solution, not allowing them.
>>
>> Do you ignore programming error messages, too?
>>
>>
>>> And you can't simpy tell someone, "if you don't know what
you're
>>> doing, don't mess with linux!" Not going to happen..
>>
>>
>> I can say if you don't know what you're doing, don't do it on the
>> internet. Dumb things on the internet don't just affect you, they
>> affect other people around you. That's why we have masses of spam on
>> the internet, and other hacks. Compromised user boxes, compromised ISP
>> services, abound.
>>
>>
>>> ps. To all who've replied in favor of someone not really implementing
>>> a fed/centos/linux instance unless secure, I take it you're also
>>> illing to provide pointers/help if someone asks, yes? (And not just
12:16 p.m.
On Monday 25 Jan 2016 19:06:11 Shawn Bakhtiar wrote:
LOL!!!
I feel you bruce :)
I think a LOT of people are struggling (and frustrated, rightfully so) with
SELinux and simply place it in permissive mode. There is nothing wrong with
doing this. Don't buy into the fear mongering hype. The only think you have
to fear is fear itself.
If/when security is a concern (which in your case it doesn't seem
to be)
then SELinux is a powerful tool. You would run it along with Tripwire,
rkhunter, et al, to validate the security of a server, and by the time it
becomes so you can look back over the audit trail to see where perms need
to be added etc...
If you are just looking to experiment, exposed to the internet or
not,
SELinux is really irrelevant, and in many cases can be cumbersome. I
personally have had to disable SELinux (permissive mode) many a time to get
things to work, and I have yet to have a system compromised by doing so.
Not that this can't happen, but the actual chances of it happening are so
low, that you ROI is simply not worth it. There really is not some army out
their hit small ops looking for vulnerabilities in anything that's not a
standard package.
So experiment and produce at will with little to fear. A lot of hype
is
built around SELinux in naiveté. Someone who really cares about security
actually does not rely on SELinux, they monitor their servers intensely,
and know every process running on them inside and out, review logs often,
use tripwire, rkhunter, and monitor network activity with Security Onion,
etc....
Again, this is not to say that SELinux is not part a good strategy,
but it
is not the holy grail many make it out to be either. It's a small part of
security that as you mentioned a lot of use common folk can live without,
and have done so for a long time, with no adverse effects.
> On Jan 25, 2016, at 7:29 AM, bruce <badouglas(a)gmail.com> wrote:
>
> --Gawd...
>
> Feels like I'm trying to spit in the wind!!
>
> 1st, not trying to set up web servers, but am looking at running tests
> on linux servers.
>
> 2nd, recognize that one should have "secure" systems on the net, but
> realize I don't have the time/set of skills to "fully" get there...
>
> So, if you want to say -- hey, don't have an insecure linux box, it
> could be hacked and cause us the Internet community probs due to your
> crap, that's fair.
>
> But you need to realize, there are lots of people who are attempting
> to do as much as they can with limited resources/time. if anyone here
> wants to contact me offline, we can discuss. Heck, I've been looking
> for a "sysadmin" type that I can pay, talk with for a bit.
>
> If fed/selinux had a "config" file for simple services/ports, great..
> But when you get to policies, and understanding the nuances of
> selinux, as far as I can tell, it's a learning curve that has to be
> dealt with in order to get it right..
>
> And to be honest, I know of a number of operations/organizations that
> have put the "security" sysAdmin stuff off until they could find a
> sysadmin resource for that function..
>
> There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder
in
> 4 weeks" courses. that only get to the basics of coding, much less the
> sysadmin stuff..
>
> None of these are going away.. so some guy who pops up a website/app
> on some aws instance.. has security issues that they might not even
> realize..
>
> Anyway.. thanks guys!
>
>
> On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mailbox(a)yahoo.com.au>
> wrote:
>
>> Allegedly, on or about 25 January 2016, bruce sent:
>>
>>> I fully get the need for security.. But if I can't get the security
>>> working as it should, but I still need to build whatever the project
>>> might be.. the project is going to get created.
>>>
>>> If running Selinux in permissive mode is enough, great, so be it.
>>
>>
>> SELinux in permissive mode is *not* secure. You're using the computer
>> in an insecure mode, and all SELinux is doing is logging the things that
>> it would have stopped.
>>
>>
>>> But when it comes to policies, for differnt users, applications,
>>> files,etc.. and the possiblity of screwing something up if you go
>>> wrong, then you have a bit of an issue there...
>>
>>
>> I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
>> And I haven't had to turn off SELinux, nor do anything beyond open the
>> configurator GUI and tick the boxes that said to allow those particular
>> services (look through its list, find HTTPD server, tick it, find
>> serving CGI scripts, tick that, etc., that was about the extent of what
>> I had to do). Seriously, setting that right was a damn sight easier
>> than configuring any of those servers.
>>
>> If you find something is failing because SELinux is stopping it, chances
>> are that /that/ something is badly written, and needs doing better. Is
>> it trying to serve files it has no business serving? Is it trying to
>> execute things that it shouldn't execute but merely read? There's a
>> plethora of dumb things people try to do with their programs, and
>> stopping those dumb things is the solution, not allowing them.
>>
>> Do you ignore programming error messages, too?
>>
>>
>>> And you can't simpy tell someone, "if you don't know what
you're
>>> doing, don't mess with linux!" Not going to happen..
>>
>>
>> I can say if you don't know what you're doing, don't do it on the
>> internet. Dumb things on the internet don't just affect you, they
>> affect other people around you. That's why we have masses of spam on
>> the internet, and other hacks. Compromised user boxes, compromised ISP
>> services, abound.
>>
>>
>>> ps. To all who've replied in favor of someone not really implementing
>>> a fed/centos/linux instance unless secure, I take it you're also
>>> illing to provide pointers/help if someone asks, yes? (And not just
12:33 p.m.
On 26 January 2016 at 17:23, Shawn Bakhtiar <shashaness(a)hotmail.com> wrote:
> On Jan 26, 2016, at 9:13 AM, Ian Malone <ibmalone(a)gmail.com> wrote:
>
> On 26 January 2016 at 17:07, Shawn Bakhtiar <shashaness(a)hotmail.com> wrote:
>> I couldn't agree more bruce.
>>
>> It's the 1% who get paid too much for doing too little that have such
indulgent luxuries.
>>
>> The rest of us 99% have to work for it :P
>>
>>
>
> Remember that next time your bank gets hacked.
>
Seriously!!?!??! You're comparing a multi-bilion dollar multi-national institution
with a SMB/SOHO engineer. Sorry they fall int the 1% last I checked.
Every two bit company that leaks other people's data because they
can't be bothered makes things worse for its customers. Who are often
soon ex-customers. Which means SMBs become former SMBs.
--
imalone
http://ibmalone.blogspot.co.uk
8:41 p.m.
On Jan 26, 2016, at 10:33 AM, Ian Malone <ibmalone(a)gmail.com>
wrote:
On 26 January 2016 at 17:23, Shawn Bakhtiar <shashaness(a)hotmail.com> wrote:
>
>> On Jan 26, 2016, at 9:13 AM, Ian Malone <ibmalone(a)gmail.com> wrote:
>>
>> On 26 January 2016 at 17:07, Shawn Bakhtiar <shashaness(a)hotmail.com>
wrote:
>>> I couldn't agree more bruce.
>>>
>>> It's the 1% who get paid too much for doing too little that have such
indulgent luxuries.
>>>
>>> The rest of us 99% have to work for it :P
>>>
>>>
>>
>> Remember that next time your bank gets hacked.
>>
> Seriously!!?!??! You're comparing a multi-bilion dollar multi-national
institution with a SMB/SOHO engineer. Sorry they fall int the 1% last I checked.
Every two bit company that leaks other people's data because they
can't be bothered makes things worse for its customers. Who are often
soon ex-customers. Which means SMBs become former SMBs.
This is such a load of fear mongering crap. You are acting as if SELinux is the end all
and be all of security, which any “two bit” sysadmin can tell you it is not. It is a SMALL
part of security one that for the pain it causes is simply not worth it.
In fact there isn’t a single good reason to have SELinux enabled out of the box (or
SystemD for that matter- whole other story).
The functions it (as with systemD) servers are limited to a select area of operations.
--
imalone
http://ibmalone.blogspot.co.uk
--
users mailing list
users(a)lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
6:38 a.m.
On 27 January 2016 at 02:41, Shawn Bakhtiar <shashaness(a)hotmail.com> wrote:
> On Jan 26, 2016, at 10:33 AM, Ian Malone <ibmalone(a)gmail.com> wrote:
>
> On 26 January 2016 at 17:23, Shawn Bakhtiar <shashaness(a)hotmail.com> wrote:
>>
>>> On Jan 26, 2016, at 9:13 AM, Ian Malone <ibmalone(a)gmail.com> wrote:
>>>
>>> On 26 January 2016 at 17:07, Shawn Bakhtiar <shashaness(a)hotmail.com>
wrote:
>>>> I couldn't agree more bruce.
>>>>
>>>> It's the 1% who get paid too much for doing too little that have such
indulgent luxuries.
>>>>
>>>> The rest of us 99% have to work for it :P
>>>>
>>>>
>>>
>>> Remember that next time your bank gets hacked.
>>>
>> Seriously!!?!??! You're comparing a multi-bilion dollar multi-national
institution with a SMB/SOHO engineer. Sorry they fall int the 1% last I checked.
>
> Every two bit company that leaks other people's data because they
> can't be bothered makes things worse for its customers. Who are often
> soon ex-customers. Which means SMBs become former SMBs.
>
This is such a load of fear mongering crap. You are acting as if SELinux is the end all
and be all of security, which any “two bit” sysadmin can tell you it is not. It is a SMALL
part of security one that for the pain it causes is simply not worth it.
In fact there isn’t a single good reason to have SELinux enabled out of the box (or
SystemD for that matter- whole other story).
The functions it (as with systemD) servers are limited to a select area of operations.
It's fairly clear you've understood nothing I said. Pointless to continue.
--
imalone
http://ibmalone.blogspot.co.uk
10:25 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/23/2016 09:52 AM, bruce wrote:
Hi.
In testing out creating/setting up remote droplets on digital
ocean/fed (centos), I realize that it should be secured as
much/tightly as possible. However, I also realize that if I screw
something up, I could have an instance that has issues. I'm not a
sys admin, and not trying to be one.
So, here's my question. If I'm going to be spinning up/down an
instance, could I simply disable selinux? For my scenario, I'll be
creating a base instance, with the required apps/processes, and
then using that base instance for any testing droplets I need to
create, to test my apps.
So, if I create an instance, spin it up, fire off my tests on the
instance, run everything for a few hours, and then shut it off,
would that be "reasonably safe/secure"?
My testing apps are a mix of python/php/perl/shell scripts, there's
no web stuff as of yet. Although, there will be dns/nfs/mysql
functionality.
Thanks for thoughts..
Sorry I'm late to the thread.
Bruce, I'd love your opinion on the "SELinux for Mere Mortals" talk
from Red Hat Summit: https://www.youtube.com/watch?v=MxjenQ31b70
Disclaimer: it's a video of me, and I work for Red Hat.
I've gotten a lot of positive feedback on the video, and I hope that
it will make your decision easier. It's only about an hour, and pretty
much everyone who has watched it has said they'd use SELinux after
watching it. I am clearly biased, but I would not run any
internet-facing system without SELinux turned on. Heck, I don't run
*any* system without it.
I hope this helps!
Thomas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEARECAAYFAlao730ACgkQmzle50YHwaA4QgCfb3fp0uFady5EGd0WG/867tYs
aM4AoK3QlegFtyVxc3VARtPe4h6Ctx7j
=z6vI
-----END PGP SIGNATURE-----
2:59 p.m.
On 01/26/2016 06:41 PM, Shawn Bakhtiar wrote:
In fact there isn’t a single good reason to have SELinux enabled out
of the box ...
The functions it (as with systemD) servers are limited to a select area of operations.
I'd like to point out that the default policy is "targeted", which means
that it only affects the "select area of operations" where it can help
to contain an attack.
3009
days inactive
3013
days old
36 comments
14 participants
participants (14)
-
Andy Paterson -
Bernardo Sulzbach -
bruce -
EGO-II.1 -
Gordon Messmer -
Ian Malone -
Joe Zeff -
Miroslav Grepl -
Shawn Bakhtiar -
stan -
Sylvia Sánchez -
thomas cameron -
Tim -
William Oliver