Hi.
In testing out creating/setting up remote droplets on digital ocean/fed (centos), I realize that it should be secured as much/tightly as possible. However, I also realize that if I screw something up, I could have an instance that has issues. I'm not a sys admin, and not trying to be one.
So, here's my question. If I'm going to be spinning up/down an instance, could I simply disable selinux? For my scenario, I'll be creating a base instance, with the required apps/processes, and then using that base instance for any testing droplets I need to create, to test my apps.
So, if I create an instance, spin it up, fire off my tests on the instance, run everything for a few hours, and then shut it off, would that be "reasonably safe/secure"?
My testing apps are a mix of python/php/perl/shell scripts, there's no web stuff as of yet. Although, there will be dns/nfs/mysql functionality.
Thanks for thoughts..
On Sat, 23 Jan 2016 10:52:28 -0500 bruce badouglas@gmail.com wrote: [snip]
So, if I create an instance, spin it up, fire off my tests on the instance, run everything for a few hours, and then shut it off, would that be "reasonably safe/secure"?
My testing apps are a mix of python/php/perl/shell scripts, there's no web stuff as of yet. Although, there will be dns/nfs/mysql functionality.
For your use case, I would do it without a qualm, especially since you are isolated from the web. Once you connect to the web, you will have exposure, but even then, as you say, it will be minimal. And limited to the time you have the instance up. If you give it access to any vital data while it is up, it could be a slight risk.
But, why do you have to disable SElinux? Are you building cracker suites? :-) Will your apps never run on systems that have SElinux enabled? Why not just put it in permissive mode, so it warns at violations, but doesn't stop them, if it is a concern?
I'm not an expert, but in the wild, with internet facing apps, I think SElinux is a good thing to have enabled. Belt and suspenders, and all that.
On Sat, 2016-01-23 at 10:52 -0500, bruce wrote:
So, if I create an instance, spin it up, fire off my tests on the instance, run everything for a few hours, and then shut it off, would that be "reasonably safe/secure"?
I am always amazed that people think shutting off a security something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's something wrong with that /thing/ that required it. It could simply be crap programming, or it could be malicious. And even crap programming can be destructive outside of its own files.
I am always amazed that people think shutting off a security something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's something wrong with that /thing/ that required it. It could simply be crap programming, or it could be malicious. And even crap programming can be destructive outside of its own files.
really???
it could also be, prob often is.. is that the person who's doing X is simply trying to get something done, and not be a Sys Admin!!!
Doing security right.. is an effort in understanding the nuances.. If you've been playing with OS X, then you might have insight into what's required. But someone who's not gotten into the "guts" of what something like SeLinux requires, might not have an understanding of what needs to be configured, or exactly how to configure it, etc..
Or configuring security (firewall, process restrictions, user restrictions, port issues, rootkit protections, file restrictions, etc.. ) might be fairly easy to set up, just not obvious to the casual user on how to do it.
I haven't met a lot of people in my 30+ years of tech who just gloss over the importance of security.. I have met a lot who aren't sys admins.. and, even though they create software projects from time to time.. wouldn't have a "clue" as to exactly how to set up a good secure system.. even though they'd all say.. would be nice to do it!!
peace
On Sun, Jan 24, 2016 at 8:57 AM, Tim ignored_mailbox@yahoo.com.au wrote:
On Sat, 2016-01-23 at 10:52 -0500, bruce wrote:
So, if I create an instance, spin it up, fire off my tests on the instance, run everything for a few hours, and then shut it off, would that be "reasonably safe/secure"?
I am always amazed that people think shutting off a security something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's something wrong with that /thing/ that required it. It could simply be crap programming, or it could be malicious. And even crap programming can be destructive outside of its own files.
-- [tim@localhost ~]$ uname -rsvp
Linux 3.19.8-100.fc20.i686 #1 SMP Tue May 12 17:42:35 UTC 2015 i686
All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I will only read messages posted to the public lists.
George Orwell's '1984' was supposed to be a warning against tyranny, not a set of instructions for supposedly democratic governments.
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On 24 January 2016 at 15:11, bruce badouglas@gmail.com wrote:
I am always amazed that people think shutting off a security something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's something wrong with that /thing/ that required it. It could simply be crap programming, or it could be malicious. And even crap programming can be destructive outside of its own files.
really???
it could also be, prob often is.. is that the person who's doing X is simply trying to get something done, and not be a Sys Admin!!!
Doing security right.. is an effort in understanding the nuances.. If you've been playing with OS X, then you might have insight into what's required. But someone who's not gotten into the "guts" of what something like SeLinux requires, might not have an understanding of what needs to be configured, or exactly how to configure it, etc..
Or configuring security (firewall, process restrictions, user restrictions, port issues, rootkit protections, file restrictions, etc.. ) might be fairly easy to set up, just not obvious to the casual user on how to do it.
I haven't met a lot of people in my 30+ years of tech who just gloss over the importance of security.. I have met a lot who aren't sys admins.. and, even though they create software projects from time to time.. wouldn't have a "clue" as to exactly how to set up a good secure system.. even though they'd all say.. would be nice to do it!!
You are unlikely to be able to lock yourself out of a system with a default SELinux setup (I won't say it's impossible, but I think you'd have to intentionally create a policy to do it). The kinds of problems you tend to run into for which turning it off is a quick workaround are trying to serve files that have the wrong context set, e.g. html not in the right place or java applets with the wrong settings. (libexec on executables that need it is another good one) Usually things don't work outright.
Tim:
I am always amazed that people think shutting off a security something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's something wrong with that /thing/ that required it. It could simply be crap programming, or it could be malicious. And even crap programming can be destructive outside of its own files.
bruce:
really???
Yes.
If you're on an ISP, or a compromised LAN, you may find that there's continual port scans and attacks.
I watched a friend get his box hacked four seconds after establishing a network connection. He had to re-install to fix the problem. Same thing happened the next two times he connected up. I just about wet myself laughing. It took him three hacks before he wised up that he needed to run protective software all the time. Drop your guard for a second (or at least a few seconds), and that's enough.
By default, most things work like they're supposed to on Linux. If you serve out HTML from the normal filepaths, it serves. There is, or was, a GUI configurator for toggling SELinux permissions for certain services that it's considered you ought to know what you're doing before you do them, that's just as easy as similar configurators for enabling services. e.g. There's a list, and you'd find HTTPD, or NFS, in it...
I'd go as far as to say that if you have no idea about how to run a service, such as email or httpd, what it does, how it does it, how it can be compromised, how to enable it, how to set up the firewall for it, etc., then you have no business trying to run such a service. You'd better learn how to do it on an isolated LAN. The world is replete with spam, scams, hacks, etc, that affect everybody, because some dimwit made it easy for them.
I haven't met a lot of people in my 30+ years of tech who just gloss over the importance of security..
I have, unfortunately. And I see a lot of people who do on this list or forums. You can recognise them by the ones that when either dealing with a problem, or installing a system, the first things they do are turn off SELinux and firewalls.
On 01/24/2016 10:17 PM, Tim wrote:
Tim:
I am always amazed that people think shutting off a security something-or-other for some-amount-of-time can be considered safe.
It takes virtually the blink of an eye to get compromised.
If you need to turn off a security feature to do something, then there's something wrong with that /thing/ that required it. It could simply be crap programming, or it could be malicious. And even crap programming can be destructive outside of its own files.
bruce:
really???
Yes.
If you're on an ISP, or a compromised LAN, you may find that there's continual port scans and attacks.
I watched a friend get his box hacked four seconds after establishing a network connection. He had to re-install to fix the problem. Same thing happened the next two times he connected up. I just about wet myself laughing. It took him three hacks before he wised up that he needed to run protective software all the time. Drop your guard for a second (or at least a few seconds), and that's enough.
By default, most things work like they're supposed to on Linux. If you serve out HTML from the normal filepaths, it serves. There is, or was, a GUI configurator for toggling SELinux permissions for certain services that it's considered you ought to know what you're doing before you do them, that's just as easy as similar configurators for enabling services. e.g. There's a list, and you'd find HTTPD, or NFS, in it...
I'd go as far as to say that if you have no idea about how to run a service, such as email or httpd, what it does, how it does it, how it can be compromised, how to enable it, how to set up the firewall for it, etc., then you have no business trying to run such a service. You'd better learn how to do it on an isolated LAN. The world is replete with spam, scams, hacks, etc, that affect everybody, because some dimwit made it easy for them.
I haven't met a lot of people in my 30+ years of tech who just gloss over the importance of security..
I have, unfortunately. And I see a lot of people who do on this list or forums. You can recognise them by the ones that when either dealing with a problem, or installing a system, the first things they do are turn off SELinux and firewalls.
I don't even understand SELinux that much, but I would never disable it UNLESS it was running on an isolated network or a box that I wanted to "sacrifice". Surely it's there for a reason. (And I've heard people give all kinds of excuses when it comes to shutting it off, from "It's the NSA's baby"....to "You don't need to run it".)....weird....because in the world of Windows?....no one....and I mean NO ONE would think of running a Windows box without SOME form of protection, regardless of whether it's on an isolated LAN, or connected to the world!.....if anything they would run MULTIPLE security apps/suites to cover the holes of the others! I guess it's just a mindset you either have or don't?...
EGO II
On 01/24/2016 07:17 PM, Tim wrote:
I have, unfortunately. And I see a lot of people who do on this list or forums. You can recognise them by the ones that when either dealing with a problem, or installing a system, the first things they do are turn off SELinux and firewalls.
Back when I did tech support for an ISP, I got a call from a man who wanted to know if he could host a webpage on the Internet using the Windows Personal Webserver. I quickly realized that if he had to ask, he probably didn't know enough to do it safely, so I tried to warn him about the risks. He stopped me and said that he was willing to find out the hard way and reinstall if he had to, so I told him that what he wanted to do was possible and ended the call. I've wondered, a few times, how badly he got infected and just how hard "learning the hard way" turned out to be, but I've always considered it a case of evolution in every-day life.
Putting a Linux box on the net with the firewall and SELinux disabled is just as bad. I've seen all too many posters, here and elsewhere, who automatically disable SELinux because there were problems and performance hits associated with it when it first came out eighteen years ago and I never argue with them or try to get them to move into the 21st Century. Not only is it a waste of my time, I figure that if they're that unwilling to learn, they're just getting what they deserve.
The point here is that SELinux wouldn't have been developed and wouldn't have stuck around as long as it has if it didn't serve an important purpose. Unless you're sure that you know exactly what you're doing, don't mess with it. And, if the troubleshooter shows you how to create a custom policy to work around an alert, ask yourself if you really need this program working before continuing. Working around a glitch in Firefox is one thing; getting a game to work may or may not be worth the trade-off in security. Sorry to go on so long, but once I started, I found that I had more to say than I'd thought.
On 01/24/2016 10:44 PM, Joe Zeff wrote:
On 01/24/2016 07:17 PM, Tim wrote:
I have, unfortunately. And I see a lot of people who do on this list or forums. You can recognise them by the ones that when either dealing with a problem, or installing a system, the first things they do are turn off SELinux and firewalls.
Back when I did tech support for an ISP, I got a call from a man who wanted to know if he could host a webpage on the Internet using the Windows Personal Webserver. I quickly realized that if he had to ask, he probably didn't know enough to do it safely, so I tried to warn him about the risks. He stopped me and said that he was willing to find out the hard way and reinstall if he had to, so I told him that what he wanted to do was possible and ended the call. I've wondered, a few times, how badly he got infected and just how hard "learning the hard way" turned out to be, but I've always considered it a case of evolution in every-day life.
Putting a Linux box on the net with the firewall and SELinux disabled is just as bad. I've seen all too many posters, here and elsewhere, who automatically disable SELinux because there were problems and performance hits associated with it when it first came out eighteen years ago and I never argue with them or try to get them to move into the 21st Century. Not only is it a waste of my time, I figure that if they're that unwilling to learn, they're just getting what they deserve.
The point here is that SELinux wouldn't have been developed and wouldn't have stuck around as long as it has if it didn't serve an important purpose. Unless you're sure that you know exactly what you're doing, don't mess with it. And, if the troubleshooter shows you how to create a custom policy to work around an alert, ask yourself if you really need this program working before continuing. Working around a glitch in Firefox is one thing; getting a game to work may or may not be worth the trade-off in security. Sorry to go on so long, but once I started, I found that I had more to say than I'd thought.
No worries there Mr. Zeff. It's greatly appreciated, I'm actually going to use your info to point out to someone who LOVES disabling security in Linux just how foolish that is!! So thanks for the input!!
EGO II
Look.
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it. But when it comes to policies, for different users, applications, files, etc.. and the possibility of screwing something up if you go wrong, then you have a bit of an issue there... And you can't simply tell someone, "if you don't know what you're doing, don't mess with linux!" Not going to happen..
But hey.. to each his/her own.
My goal wasn't to start a war.. Lord knows there are plenty of those on the 'net already!
Thanks to all who've replied.
ps. To all who've replied in favor of someone not really implementing a fed/centos/linux instance unless secure, I take it you're also willing to provide pointers/help if someone asks, yes? (And not just saying go look at youtube videos, or read docs!!)
thanks!!
On Mon, Jan 25, 2016 at 2:07 AM, Eddie G. O'Connor Jr. eoconnor25@gmail.com wrote:
On 01/24/2016 10:44 PM, Joe Zeff wrote:
On 01/24/2016 07:17 PM, Tim wrote:
I have, unfortunately. And I see a lot of people who do on this list or forums. You can recognise them by the ones that when either dealing with a problem, or installing a system, the first things they do are turn off SELinux and firewalls.
Back when I did tech support for an ISP, I got a call from a man who wanted to know if he could host a webpage on the Internet using the Windows Personal Webserver. I quickly realized that if he had to ask, he probably didn't know enough to do it safely, so I tried to warn him about the risks. He stopped me and said that he was willing to find out the hard way and reinstall if he had to, so I told him that what he wanted to do was possible and ended the call. I've wondered, a few times, how badly he got infected and just how hard "learning the hard way" turned out to be, but I've always considered it a case of evolution in every-day life.
Putting a Linux box on the net with the firewall and SELinux disabled is just as bad. I've seen all too many posters, here and elsewhere, who automatically disable SELinux because there were problems and performance hits associated with it when it first came out eighteen years ago and I never argue with them or try to get them to move into the 21st Century. Not only is it a waste of my time, I figure that if they're that unwilling to learn, they're just getting what they deserve.
The point here is that SELinux wouldn't have been developed and wouldn't have stuck around as long as it has if it didn't serve an important purpose. Unless you're sure that you know exactly what you're doing, don't mess with it. And, if the troubleshooter shows you how to create a custom policy to work around an alert, ask yourself if you really need this program working before continuing. Working around a glitch in Firefox is one thing; getting a game to work may or may not be worth the trade-off in security. Sorry to go on so long, but once I started, I found that I had more to say than I'd thought.
No worries there Mr. Zeff. It's greatly appreciated, I'm actually going to use your info to point out to someone who LOVES disabling security in Linux just how foolish that is!! So thanks for the input!!
EGO II
On 01/25/2016 09:02 AM, bruce wrote:
Look.
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it. But when it comes to policies, for different users, applications, files, etc.. and the possibility of screwing something up if you go wrong, then you have a bit of an issue there... And you can't simply tell someone, "if you don't know what you're doing, don't mess with linux!" Not going to happen..
Yes, SELinux running in permissive mode is a good start point. We can say that SELinux is in "learning mode". You adopt SELinux policy for your setup.
And here the question is how it is complicated?
It depends on your setup. And we are ready to help you on selinux@lists.fedoraproject.org if you don't get answers from documentation.
And even more your feedback is welcome because this is a good way how to improve documentation.
But hey.. to each his/her own.
My goal wasn't to start a war.. Lord knows there are plenty of those on the 'net already!
Thanks to all who've replied.
ps. To all who've replied in favor of someone not really implementing a fed/centos/linux instance unless secure, I take it you're also willing to provide pointers/help if someone asks, yes? (And not just saying go look at youtube videos, or read docs!!)
thanks!!
On Mon, Jan 25, 2016 at 2:07 AM, Eddie G. O'Connor Jr. eoconnor25@gmail.com wrote:
On 01/24/2016 10:44 PM, Joe Zeff wrote:
On 01/24/2016 07:17 PM, Tim wrote:
I have, unfortunately. And I see a lot of people who do on this list or forums. You can recognise them by the ones that when either dealing with a problem, or installing a system, the first things they do are turn off SELinux and firewalls.
Back when I did tech support for an ISP, I got a call from a man who wanted to know if he could host a webpage on the Internet using the Windows Personal Webserver. I quickly realized that if he had to ask, he probably didn't know enough to do it safely, so I tried to warn him about the risks. He stopped me and said that he was willing to find out the hard way and reinstall if he had to, so I told him that what he wanted to do was possible and ended the call. I've wondered, a few times, how badly he got infected and just how hard "learning the hard way" turned out to be, but I've always considered it a case of evolution in every-day life.
Putting a Linux box on the net with the firewall and SELinux disabled is just as bad. I've seen all too many posters, here and elsewhere, who automatically disable SELinux because there were problems and performance hits associated with it when it first came out eighteen years ago and I never argue with them or try to get them to move into the 21st Century. Not only is it a waste of my time, I figure that if they're that unwilling to learn, they're just getting what they deserve.
The point here is that SELinux wouldn't have been developed and wouldn't have stuck around as long as it has if it didn't serve an important purpose. Unless you're sure that you know exactly what you're doing, don't mess with it. And, if the troubleshooter shows you how to create a custom policy to work around an alert, ask yourself if you really need this program working before continuing. Working around a glitch in Firefox is one thing; getting a game to work may or may not be worth the trade-off in security. Sorry to go on so long, but once I started, I found that I had more to say than I'd thought.
No worries there Mr. Zeff. It's greatly appreciated, I'm actually going to use your info to point out to someone who LOVES disabling security in Linux just how foolish that is!! So thanks for the input!!
EGO II
On 25 January 2016 at 08:02, bruce badouglas@gmail.com wrote:
Look.
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it. But when it comes to policies, for different users, applications, files, etc.. and the possibility of screwing something up if you go wrong, then you have a bit of an issue there... And you can't simply tell someone, "if you don't know what you're doing, don't mess with linux!" Not going to happen..
But hey.. to each his/her own.
My goal wasn't to start a war.. Lord knows there are plenty of those on the 'net already!
Thanks to all who've replied.
I think it's partly the direction you started from, which is expecting there's going to be a problem and planning to turn off SELinux to forestall it. You may run into problems, but these days they're not that hard to sort out. sealert is useful if you do think SELinux is preventing something running and then you can check what the context should be https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
If starting from nothing then it's probably easier to go from that direction than start from having it turned off and enabling it once everything is done. At that point if things stop working then finding out what the issue is is going to be harder. I think your original concern was you might have, "an instance that has problems". If you have ssh access or something then it's not going to go away due to SELinux. If your only access into the system is a web interface it's hosting then that could happen.
What SELinux tries to do is constrain access by services to only the resources they need, whether that's files (for http servers for example) or types of memory access, in an attempt to limit the exposure to a compromised application. The fewer outside facing services you have the less exposed you are. If you needed to grant unrestricted access to a service that becomes compromised then you lost the game anyway, whether you did that by turning off SELinux or by granting that access to that context. But most of the time the default policies will do what you want and are trivial to apply if something goes wrong. You don't have to set them up yourself for users and applications.
Tools like restorecon and fixfiles https://fedoraproject.org/wiki/SELinux/fixfiles can be used to apply labelling if you've ended up with files that don't have context. "ls -Z" will quickly tell you if your files are missing context.
Allegedly, on or about 25 January 2016, bruce sent:
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer in an insecure mode, and all SELinux is doing is logging the things that it would have stopped.
But when it comes to policies, for different users, applications, files, etc.. and the possibility of screwing something up if you go wrong, then you have a bit of an issue there...
I run webservers, mailservers, fileservers, DNS servers, DHCP servers. And I haven't had to turn off SELinux, nor do anything beyond open the configurator GUI and tick the boxes that said to allow those particular services (look through its list, find HTTPD server, tick it, find serving CGI scripts, tick that, etc., that was about the extent of what I had to do). Seriously, setting that right was a damn sight easier than configuring any of those servers.
If you find something is failing because SELinux is stopping it, chances are that /that/ something is badly written, and needs doing better. Is it trying to serve files it has no business serving? Is it trying to execute things that it shouldn't execute but merely read? There's a plethora of dumb things people try to do with their programs, and stopping those dumb things is the solution, not allowing them.
Do you ignore programming error messages, too?
And you can't simply tell someone, "if you don't know what you're doing, don't mess with linux!" Not going to happen..
I can say if you don't know what you're doing, don't do it on the internet. Dumb things on the internet don't just affect you, they affect other people around you. That's why we have masses of spam on the internet, and other hacks. Compromised user boxes, compromised ISP services, abound.
ps. To all who've replied in favor of someone not really implementing a fed/centos/linux instance unless secure, I take it you're also willing to provide pointers/help if someone asks, yes? (And not just saying go look at youtube videos, or read docs!!)
Here's a loaded weapon, point it at your own foot, and not in our direction... No, I wouldn't give someone advice on how to insecurely run their computer, and neither will plenty of others. You will find, however, that if you try doing it securely, and run into snags, that people are willing to help you solve the actual problem properly.
Webservers and mailservers, in particular, are at least two things that need to be run with a great deal of care. Hackers go searching for badly set up ones to do their nefarious deeds. And here you are advertising that you're going to do so, identifying yourself in the process.
On 25 January 2016 at 14:28, Tim ignored_mailbox@yahoo.com.au wrote:
Allegedly, on or about 25 January 2016, bruce sent:
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer in an insecure mode, and all SELinux is doing is logging the things that it would have stopped.
I have actually once seen permissive mode preventing login, IIRC this was something to do with PackageKit doing its own context based checks.
As for the rest though, Miroslav's reply is spot on, if there are specific problems or issues then get help from the selinux list to sort them out, but the policy setup and tools are mature enough at this point that it's rare. If Bruce is really concerned, run permissive, check there's no alerts coming up then switch to enforcing. Worst that happens is you have to kill that instance because you lose access, and like I've said I think that's hard to do. It's not something that's suddenly going to kick you out during operation in any normal circumstance.
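The "run permissive, check there are no alerts, then switch to enforcing" step from the message above, as an added example that is not part of the original thread: a shell script that groups the AVC denials permissive mode has logged and says whether the log is clean. The function names, the `check-label`/`check-policy` hint (a simple heuristic on the object class) and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials read from stdin
# (audit.log format) before switching from permissive to enforcing.
LC_ALL=C; export LC_ALL

# Constructed sample lines in /var/log/audit/audit.log format (not from the thread).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1453730000.101:410): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="vda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1453730003.552:415): avc:  denied  { read } for  pid=2101 comm="httpd" name="about.html" dev="vda1" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1453730003.552:415): arch=c000003e syscall=2 success=yes exit=3 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1453730010.007:422): avc:  denied  { name_bind } for  pid=2200 comm="mysqld" src=3307 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1453730020.300:430): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/var/www/html/index.html" dev="vda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
EOF
}

# Number of AVC denial records on stdin (0 when there are none).
count_denials() {
    awk '/^type=AVC / && / denied / { n++ } END { print n + 0 }'
}

# One line per distinct denial:
#   COUNT SOURCE_TYPE TARGET_TYPE CLASS PERMS COMM HINT
# HINT is a heuristic: denials on files and directories are usually a
# labelling problem (inspect with "ls -Z", repair with restorecon);
# anything else needs a policy decision, so take it to sealert or the list.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perms = ""; in_set = 0; src = ""; tgt = ""; cls = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { in_set = 1; continue }
            if ($i == "}") { in_set = 0; continue }
            if (in_set) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            else if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
        }
        hint = (cls == "file" || cls == "dir" || cls == "lnk_file") \
               ? "check-label" : "check-policy"
        seen[src " " tgt " " cls " " perms " " comm " " hint]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Exit status 0 only when the log on stdin holds no denials at all.
ready_for_enforcing() {
    [ "$(count_denials)" -eq 0 ]
}

# Demo on the constructed sample.
sample_audit_log | summarize_avc
if sample_audit_log | ready_for_enforcing; then
    echo "no denials logged: safe to try enforcing mode"
else
    echo "denials logged in permissive mode: resolve these before enforcing"
fi
```

On a real instance, feed the functions `/var/log/audit/audit.log` (readable by root) instead of the sample; every line in the summary is an action enforcing mode would have blocked.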
--Gawd...
Feels like I'm trying to spit in the wind!!
1st, not trying to set up web servers, but am looking at running tests on linux servers.
2nd, recognize that one should have "secure" systems on the net, but realize I don't have the time/set of skills to "fully" get there...
So, if you want to say -- hey, don't have an insecure linux box, it could be hacked and cause us the Internet community probs due to your crap, that's fair.
But you need to realize, there are lots of people who are attempting to do as much as they can with limited resources/time. if anyone here wants to contact me offline, we can discuss. Heck, I've been looking for a "sysadmin" type that I can pay, talk with for a bit.
If fed/selinux had a "config" file for simple services/ports, great.. But when you get to policies, and understanding the nuances of selinux, as far as I can tell, it's a learning curve that has to be dealt with in order to get it right..
And to be honest, I know of a number of operations/organizations that have put the "security" sysAdmin stuff off until they could find a sysadmin resource for that function..
There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in 4 weeks" courses. that only get to the basics of coding, much less the sysadmin stuff..
None of these are going away.. so some guy who pops up a website/app on some aws instance.. has security issues that they might not even realize..
Anyway.. thanks guys!
On Mon, Jan 25, 2016 at 9:28 AM, Tim ignored_mailbox@yahoo.com.au wrote:
Allegedly, on or about 25 January 2016, bruce sent:
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer in an insecure mode, and all SELinux is doing is logging the things that it would have stopped.
But when it comes to policies, for different users, applications, files, etc.. and the possibility of screwing something up if you go wrong, then you have a bit of an issue there...
I run webservers, mailservers, fileservers, DNS servers, DHCP servers. And I haven't had to turn off SELinux, nor do anything beyond open the configurator GUI and tick the boxes that said to allow those particular services (look through its list, find HTTPD server, tick it, find serving CGI scripts, tick that, etc., that was about the extent of what I had to do). Seriously, setting that right was a damn sight easier than configuring any of those servers.
If you find something is failing because SELinux is stopping it, chances are that /that/ something is badly written, and needs doing better. Is it trying to serve files it has no business serving? Is it trying to execute things that it shouldn't execute but merely read? There's a plethora of dumb things people try to do with their programs, and stopping those dumb things is the solution, not allowing them.
Do you ignore programming error messages, too?
And you can't simply tell someone, "if you don't know what you're doing, don't mess with linux!" Not going to happen..
I can say if you don't know what you're doing, don't do it on the internet. Dumb things on the internet don't just affect you, they affect other people around you. That's why we have masses of spam on the internet, and other hacks. Compromised user boxes, compromised ISP services, abound.
ps. To all who've replied in favor of someone not really implementing a fed/centos/linux instance unless secure, I take it you're also willing to provide pointers/help if someone asks, yes? (And not just saying go look at youtube videos, or read docs!!)
Here's a loaded weapon, point it at your own foot, and not in our direction... No, I wouldn't give someone advice on how to insecurely run their computer, and neither will plenty of others. You will find, however, that if you try doing it securely, and run into snags, that people are willing to help you solve the actual problem properly.
Webservers and mailservers, in particular, are at least two things that need to be run with a great deal of care. Hackers go searching for badly set up ones to do their nefarious deeds. And here you are advertising that you're going to do so, identifying yourself in the process.
-- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.
Windows, it's enough to make a grown man cry!
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On Mon, 25 Jan 2016, Tim wrote:
I watched a friend get his box hacked four seconds after establishing a network connection. He had to re-install to fix the problem. Same thing happened the next two times he connected up. I just about wet myself laughing. It took him three hacks before he wised up that he needed to run protective software all the time. Drop your guard for a second (or at least a few seconds), and that's enough.
Did you mean "hacked" or "attacked?" It seems to me that if there are successful intrusions by scripted attacks within four seconds of installation of a linux distro, it's either the wrong distro or it's wrongly installed -- with or without selinux enabled.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things always seem easy and straightforward to someone who knows it well. That's the nature of skill, regardless of the kind of skill it is.
It reminds me of when I was a medical student many years ago, going through my Pathology laboratory. We were studying inflammation and looking at white blood cells under the microscope.
I looked through the scope and all I saw were little dots. It made no sense to me. And I said so. I could see the resident getting more and more frustrated with me as he kept telling me over and over again how to tell the difference between the various inflammatory cells -- it was so trivially obvious and I was such a moron.
Then, four years later, I was the resident physician in pathology and I was assigned the second year pathology lab. The student was looking through the microscope and couldn't tell the difference between a polymorphonuclear leukocyte and a plasma cell -- two cells that look *totally* different. I remember getting more and more frustrated with the student as I told her over and over again how to tell the difference. But she just couldn't see it! I thought to myself "What a moron."
That's what four years of staring through a microscope 18 hours a day buys you.
That's what I think of when I read these discussions. If someone is struggling with something like this, they may seem like morons, but it is usually something *other* than simple stupidity or laziness that is the reason. It's because the barrier to doing it is greater than the perceived benefit.
Yes, selinux is a great tool, particularly for large multiuser systems that serve a lot of things. But the very thing that makes it a great tool for these systems makes it very complex and intrusive, particularly on one- or two-user systems that serve personal things. Do we really need a lot of user-level permission tweaking when every user on the machine is an administrator?
The selinux protections at the process level are obviously beneficial, but that's often where the barriers are the highest. Selinux provides exquisite protections at the process level for servers. Personally, that's where the most frightening attacks on my boxes have come from in recent years. But, selinux frequently takes a server that "just works" and turns it into one that "just doesn't work." Then, you have to figure out whether the misconfiguration is from the server or from selinux, and how to tweak both so that one will let the other do its thing. And, no, the answers are not always obvious.
There is a truism that I remember being told about computer security a long, long time ago that usability and technical security are inversely related. At some point, when you increase the technical security enough, you will have made the system unusable to the point that your users will simply start going around it simply to get their work done.
I remember bringing some data to a federal military installation once on a flash drive. The military had recently put in a policy that flash drives were not allowed, and they had some sort of enterprise-level monitoring software that watched the usb ports on every machine in the network. I gave the flash drive to the agent and said "Look, here's my results. I don't know how you are going to look at them, but this is what I've got." The agent powered down his computer, unplugged his computer from the network, booted it up again, put in the flash drive, downloaded the data, pulled out the flash drive, powered down the computer, plugged it back into the network, and powered it up again. He said that everybody did it all the time -- because the security policies had made it impossible for them to do their work otherwise.
The combination of security that ignores users and users that ignore security gives you a system that has neither security nor usability. And simply calling users morons will not solve this.
I think a lot of stuff in linux is approaching this complexity/usability tipping point, not just in security. System admin tools, filesystems, logging, desktops, etc. have become the playthings of people who like being the chosen few who have mastery over unnecessarily byzantine and complex systems and tools created to be beyond the effort barrier of the hobby user. I love KDE, but frankly, it is collapsing under its own complexity. Selinux is just another example. I used to like linux because it made sense. Now it seems that it's little different than Windows sometimes -- opaque, overly complex, and unfriendly.
billo
On 25 January 2016 at 15:56, vendor@billoblog.com wrote:
On Mon, 25 Jan 2016, Tim wrote:
I watched a friend get his box hacked four seconds after establishing a network connection. He had to re-install to fix the problem. Same thing happened the next two times he connected up. I just about wet myself laughing. It took him three hacks before he wised up that he needed to run protective software all the time. Drop your guard for a second (or at least a few seconds), and that's enough.
Did you mean "hacked" or "attacked?" It seems to me that if there are successful intrusions by scripted attacks within four seconds of installation of a linux distro, it's either the wrong distro or it's wrongly installed -- with or without selinux enabled.
I have to admit I've heard this often enough (usually about windows), but not seen it either, Windows or Linux, but I only do installs on machines that aren't ethernet networked or are behind a NAT.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things always seem easy and straightforward to someone who knows it well. That's the nature of skill, regardless of the kind of skill it is.
That's what I think of when I read these discussions. If someone is struggling with something like this, they may seem like morons, but it is usually something *other* than simple stupidity or laziness that is the reason. It's because the barrier to doing it is greater than the perceived benefit.
The take-home message, if there is one is this: *You generally do not need to do anything* (for SELinux anyway, there are some services I'd normally use that I'd lock down a bit)
The policies in Fedora are meant to work out of the box. There are some cases (generally if a file is moved to a location rather than created there) where you find you need to add labels, and this is really simple, e.g. http://forums.fedoraforum.org/showthread.php?t=296243, which amounts to make sure the files are in the right place and run restorecon.
For some things like home directory http you need to confirm that you want them enabled, install policycoreutils-gui and run system-config-selinux to get a gui for controlling them. https://wiki.centos.org/TipsAndTricks/SelinuxBooleans has a list.
Really this thread isn't going to get very far, because it's based around completely hypothetical problems which are impossible to fix because their only definition is they are caused by selinux.
LOL!!!
I feel you bruce :)
I think a LOT of people are struggling (and frustrated, rightfully so) with SELinux and simply place it in permissive mode. There is nothing wrong with doing this. Don't buy into the fear mongering hype. The only thing you have to fear is fear itself.
If/when security is a concern (which in your case it doesn't seem to be) then SELinux is a powerful tool. You would run it along with Tripwire, rkhunter, et al, to validate the security of a server, and by the time it becomes so you can look back over the audit trail to see where perms need to be added etc...
If you are just looking to experiment, exposed to the internet or not, SELinux is really irrelevant, and in many cases can be cumbersome. I personally have had to disable SELinux (permissive mode) many a time to get things to work, and I have yet to have a system compromised by doing so. Not that this can't happen, but the actual chances of it happening are so low, that your ROI is simply not worth it. There really is not some army out there hitting small ops looking for vulnerabilities in anything that's not a standard package.
So experiment and produce at will with little to fear. A lot of hype is built around SELinux in naiveté. Someone who really cares about security actually does not rely on SELinux, they monitor their servers intensely, and know every process running on them inside and out, review logs often, use tripwire, rkhunter, and monitor network activity with Security Onion, etc....
Again, this is not to say that SELinux is not part of a good strategy, but it is not the holy grail many make it out to be either. It's a small part of security that as you mentioned a lot of us common folk can live without, and have done so for a long time, with no adverse effects.
On Jan 25, 2016, at 7:29 AM, bruce badouglas@gmail.com wrote:
--Gawd...
Feels like I'm trying to spit in the wind!!
1st, not trying to set up web servers, but am looking at running tests on linux servers.
2nd, recognize that one should have "secure" systems on the net, but realize I don't have the time/set of skills to "fully" get there...
So, if you want to say -- hey, don't have an insecure linux box, it could be hacked and cause us the Internet community probs due to your crap, that's fair.
But you need to realize, there are lots of people who are attempting to do as much as they can with limited resources/time. if anyone here wants to contact me offline, we can discuss. Heck, I've been looking for a "sysadmin" type that I can pay, talk with for a bit.
If fed/selinux had a "config" file for simple services/ports, great.. But when you get to policies, and understanding the nuances of selinux, as far as I can tell, it's a learning curve that has to be dealt with in order to get it right..
And to be honest, I know of a number of operations/organizations that have put the "security" sysAdmin stuff off until they could find a sysadmin resource for that function..
There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in 4 weeks" courses. that only get to the basics of coding, much less the sysadmin stuff..
None of these are going away.. so some guy who pops up a website/app on some aws instance.. has security issues that they might not even realize..
Anyway.. thanks guys!
On Mon, Jan 25, 2016 at 9:28 AM, Tim ignored_mailbox@yahoo.com.au wrote:
Allegedly, on or about 25 January 2016, bruce sent:
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer in an insecure mode, and all SELinux is doing is logging the things that it would have stopped.
But when it comes to policies, for different users, applications, files, etc.. and the possibility of screwing something up if you go wrong, then you have a bit of an issue there...
I run webservers, mailservers, fileservers, DNS servers, DHCP servers. And I haven't had to turn off SELinux, nor do anything beyond open the configurator GUI and tick the boxes that said to allow those particular services (look through its list, find HTTPD server, tick it, find serving CGI scripts, tick that, etc., that was about the extent of what I had to do). Seriously, setting that right was a damn sight easier than configuring any of those servers.
If you find something is failing because SELinux is stopping it, chances are that /that/ something is badly written, and needs doing better. Is it trying to serve files it has no business serving? Is it trying to execute things that it shouldn't execute but merely read? There's a plethora of dumb things people try to do with their programs, and stopping those dumb things is the solution, not allowing them.
Do you ignore programming error messages, too?
And you can't simply tell someone, "if you don't know what you're doing, don't mess with linux!" Not going to happen..
I can say if you don't know what you're doing, don't do it on the internet. Dumb things on the internet don't just affect you, they affect other people around you. That's why we have masses of spam on the internet, and other hacks. Compromised user boxes, compromised ISP services, abound.
ps. To all who've replied in favor of someone not really implementing a fed/centos/linux instance unless secure, I take it you're also willing to provide pointers/help if someone asks, yes? (And not just saying go look at youtube videos, or read docs!!)
Here's a loaded weapon, point it at your own foot, and not in our direction... No, I wouldn't give someone advice on how to insecurely run their computer, and neither will plenty of others. You will find, however, that if you try doing it securely, and run into snags, that people are willing to help you solve the actual problem properly.
Webservers and mailservers, in particular, are at least two things that need to be run with a great deal of care. Hackers go searching for badly set up ones to do their nefarious deeds. And here you are advertising that you're going to do so, identifying yourself in the process.
Tim:
SELinux in permissive mode is *not* secure. You're using the computer in an insecure mode, and all SELinux is doing is logging the things that it would have stopped.
Ian Malone:
I have actually once seen permissive mode preventing login, IIRC this was something to do with PackageKit doing its own context based checks.
Yes, though that's a fault condition. Permissive mode isn't supposed to stop anything.
Allegedly, on or about 25 January 2016, vendor@billoblog.com sent:
Did you mean "hacked" or "attacked?"
To me an attack is the attempt, a hack is they've succeeded. They succeeded. Though, to be fair, I didn't say it was a Linux computer, but the principle is the same. All computers are vulnerable, though in our case it's more the applications than the OS. And if you take no steps to protect your system, or worse, take steps to remove protection, you lay yourself wide open.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things always seem easy and straightforward to someone who knows it well. That's the nature of skill, regardless of the kind of skill it is.
I see it no less user-friendly than other things. I look at ACL (access control lists), and see them as a nightmare. I can see them being used in security establishments, to control who can see or modify certain documents that need disseminating. But not in general use. I can't really imagine employee #54534624 writing a letter, then carefully considering a list of who can do what with their file (mutter, mutter, need to add my boss to read/write, my assistant to read/write, my technically hopeless other boss to read-only so he doesn't foul up my work, my co-workers to read-only, and I have to remember which of them are working on the same case...).
Barring oversights and errors, SELinux generally does what it's supposed to do. If I create a file in /var/www/html/ to be served, it automatically gets given the right contexts to be served, as part of the process of *creating* a file at that location. If I copy a file from somewhere to there, the same thing happens, the copy is a new creation, and gets the appropriate contexts for where it's created. A confusing thing happens if you try to move a file, the original file contexts are moved along with the file, and they're probably going to be wrong. It's logical, but not obvious to the uninitiated. Though it's not too hard to find out why, you just problem solve it like any other error that takes you by surprise.
It's similar with file permissions. Some people declare it too hard, and want to make everything rwxrwxrwx, and hang the consequences. On a webserver, that (making everything world-writeable), or letting the webserver process own the files (making everything writeable by the server, and hence world-writeable), opens you up to all sorts of abuse, not just the destruction of that individual file.
That's what I think of when I read these discussions. If someone is struggling with something like this, they may seem like morons, but it is usually something *other* than simple stupidity or laziness that is the reason. It's because the barrier to doing it is greater than the perceived benefit.
At times, but the tone of the thread indicates that laziness is an issue.
There is a truism that I remember being told about computer security a long, long time ago that usability and technical security are inversely related. At some point, when you increase the technical security enough, you will have made the system unusable to the point that your users will simply start going around it simply to get their work done.
That's true on both counts. Though I tend to feel that SELinux has met that balance at around the right place.
While I have some sympathy for people who haven't yet learnt it, as they try to do something. My efforts are towards learn it, don't bypass it. Just the same as we tell people don't do things as root - that's often the root cause, pun intended, of all of these issues. They do one dumb thing, then another on top of that, and have several compounded problems because they will not follow any advice.
It's usually around this point that I bring up an analogy against people trying to do things on computers when they don't really know how, and stubbornly resist all efforts to learn: I hope these people never get it into their head to half-arsedly learn first aid, and refuse to do something important because they don't want to.
...[snip flash drive story]...
I can understand that, and it's not a new story, either. The need to do it is understandable. The concept of doing it in isolation can be a required step. If the drive manages to do something nasty, it only affects that one computer, which then gets sterilised before being allowed back on the network (if the operator knows that, and doesn't just plug it back in, regardless).
We had similar issues with floppy discs. Back when bootblock viruses were the common enemy, there was no/inadequate protection against them. The only way to stop the spread, was a cold boot in between, and using a system that booted from the disc in question. That method was no good against an OS that had another disc-based OS running it.
The combination of security that ignores users and users that ignore security gives you a system that has neither security nor usability. And simply calling users morons will not solve this.
I don't believe I've said that. In this email I've certainly mentioned laziness, because the evidence points that way.
As a general rule, on a user-level, SELinux doesn't get even thought about, here. It's in the background, and doesn't get in the way. If you're running services, then it rightly does become something you need to know about managing.
But what particularly gets my goat, is someone who's a programmer developing things telling me that SELinux is too hard to deal with. Too hard? Compared with what? Writing software?! Jeez, you've got much harder work, *there*. And, as far as I'm concerned, programmers being hit with the big hammer that says, you have to write data in proper locations, you can't just read any file you like on the system, you can't just serve out files from any ad-hoc locations, is only a good set of conditions to start imposing on so-called programmers. Bring on the software that pokes them with a sharp stick for doing things that allow them to create buffer-overflow errors. We could save the entire world a whole lot of grief if programmers started paying attention to getting that one bit of programming right.
I love KDE, but frankly, it is collapsing under its own complexity.
I can't say I've ever liked it. It has the Fisher-Price toy look like XP had, and a gazillion configuration options that I do not like the defaults, and it's always been that way (ever since I saw it, a gazillion configuration options). Coming from an Amiga user background, I've never agreed with what people said about Gnome looking like Windows, no KDE does. Gnome looked far more old Mac-like.
The other thing that peeved me about KDE (and I can see this thread is going to open a new can of worms), is the naming of all programs starting with a K followed by a name that seems purely random (regarding what the program actually did). Not only making it hard to locate software appropriate to your task, but confusingly k-naming things like kernel-things got k-named (kmod, anyone? - a kernel module, or a KDE something).
Selinux is just another example. I used to like linux because it made sense. Now it seems that it's little different than Windows sometimes -- opaque, overly complex, and unfriendly.
I don't think anything compares with the hideousness of Windows. So much of it is secret business, and I don't just mean closed-source. Resolving some whacko fault involves delving into the registry, adding things with sixteen hexadecimal numbers which mean nothing to no-one, that are only documented on hacking sites, or incomprehensible gibberish on the Microsoft that refers to two versions of Windows ago, warns against doing it on your release, yet the Microsoft search engine provides it as your solution.
We now return you to your regular programming, from alt.computers.help.me.commit.die.quickly
What the Heck???
So.. people who think/decide to just disable seLinux, instead of diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and aren't looking to be a sysAdmin, so they want to (if possible) get to the quickest way of getting their "project" working/tested.. And if the "security/process" of X (in this case selinux) is in the way.. The learning required to implement that gets shoved back. It's a prioritization process for a bunch of people.
You have a limited amount of resources, you prioritize and keep going. And yeah, you realize that you might be cutting corners re security, but you keep going.
And before people say, "you need to learn security, or you shouldn't be writing apps!!".. not going to happen.
Implementing "good" security, doesn't happen by spending a few hours on a few sites. You eventually run into issues that "need to be solved", etc.. which then adds time/effort/resources. And rightly so, this is why you have skilled sysAdmin resources. But smaller projects don't have the resources for this process.. so it becomes a matter of prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone willing to work with me on security.. No takers..!!!
So, please, no disparaging "lazy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim ignored_mailbox@yahoo.com.au wrote:
Allegedly, on or about 25 January 2016, vendor@billoblog.com sent:
Did you mean "hacked" or "attacked?"
To me an attack is the attempt, a hack is they've succeeded. They succeeded. Though, to be fair, I didn't say it was a Linux computer, but the principle is the same. All computers are vulnerable, though in our case it's more the applications than the OS. And if you take no steps to protect your system, or worse, take steps to remove protection, you lay yourself wide open.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things always seem easy and straightforward to someone who knows it well. That's the nature of skill, regardless of the kind of skill it is.
I see it no less user-friendly than other things. I look at ACL (access control lists), and see them as a nightmare. I can see them being used in security establishments, to control who can see or modify certain documents that need disseminating. But not in general use. I can't really imagine employee #54534624 writing a letter, then carefully considering a list of who can do what with their file (mutter, mutter, need to add my boss to read/write, my assistant to read/write, my technically hopeless other boss to read-only so he doesn't foul up my work, my co-workers to read-only, and I have to remember which of them are working on the same case...).
Barring oversights and errors, SELinux generally does what it's supposed to do. If I create a file in /var/www/html/ to be served, it automatically gets given the right contexts to be served, as part of the process of *creating* a file at that location. If I copy a file from somewhere to there, the same thing happens, the copy is a new creation, and gets the appropriate contexts for where it's created. A confusing thing happens if you try to move a file, the original file contexts are moved along with the file, and they're probably going to be wrong. It's logical, but not obvious to the uninitiated. Though it's not too hard to find out why, you just problem solve it like any other error that takes you by surprise.
It's similar with file permissions. Some people declare it too hard, and want to make everything rwxrwxrwx, and hang the consequences. On a webserver, that (making everything world-writeable), or letting the webserver process own the files (making everything writeable by the server, and hence world-writeable), opens you up to all sorts of abuse, not just the destruction of that individual file.
That's what I think of when I read these discussions. If someone is struggling with something like this, they may seem like morons, but it is usually something *other* than simple stupidity or laziness that is the reason. It's because the barrier to doing it is greater than the perceived benefit.
At times, but the tone of the thread indicates that laziness is an issue.
There is a truism that I remember being told about computer security a long, long time ago that usability and technical security are inversely related. At some point, when you increase the technical security enough, you will have made the system unusable to the point that your users will simply start going around it simply to get their work done.
That's true on both counts. Though I tend to feel that SELinux has met that balance at around the right place.
While I have some sympathy for people who haven't yet learnt it, as they try to do something. My efforts are towards learn it, don't bypass it. Just the same as we'll tell people don't do things as root - that's often the root cause, pun intended, of all of these issues. They do one dumb thing, then another on top of that, and have several compounded problems because they will not follow any advice.
It's usually around this point that I bring up an analogy against people trying to do things on computers when they don't really know how, and stubbornly resist all efforts to learn: I hope these people never get it into their head to half-arsedly learn first aid, and refuse to do something important because they don't want to.
...[snip flash drive story]...
I can understand that, and it's not a new story, either. The need to do it is understandable. The concept of doing it in isolation can be a required step. If the drive manages to do something nasty, it only affects that one computer, which then gets sterilised before being allowed back on the network (if the operator knows that, and doesn't just plug it back in, regardless).
We had similar issues with floppy discs. Back when bootblock viruses were the common enemy, there was no/inadequate protection against them. The only way to stop the spread, was a cold boot in between, and using a system that booted from the disc in question. That method was no good against an OS that had another disc-based OS running it.
The combination of security that ignores users and users that ignore security gives you a system that has neither security nor usability. And simply calling users morons will not solve this.
I don't believe I've said that. In this email I've certainly mentioned laziness, because the evidence points that way.
As a general rule, on a user-level, SELinux doesn't get even thought about, here. It's in the background, and doesn't get in the way. If you're running services, then it rightly does become something you need to know about managing.
But what particularly gets my goat, is someone who's a programmer developing things telling me that SELinux is too hard to deal with. Too hard? Compared with what? Writing software?! Jeez, you've got much harder work, *there*. And, as far as I'm concerned, programmers being hit with the big hammer that says, you have to write data in proper locations, you can't just read any file you like on the system, you can't just serve out files from any ad-hoc locations, is only a good set of conditions to start imposing on so-called programmers. Bring on the software that pokes them with a sharp stick for doing things that allows them to create buffer-overflow errors. We could save the entire world a whole lot of grief if programmers started paying attention to getting that one bit of programming right.
I love KDE, but frankly, it is collapsing under its own complexity.
I can't say I've ever liked it. It has the Fisher-Price toy look like XP had, and a gazillion configuration options that I do not like the defaults, and it's always been that way (ever since I saw it, a gazillion configuration options). Coming from an Amiga user background, I've never agreed with what people said about Gnome looking like Windows, no KDE does. Gnome looked far more old Mac-like.
The other thing that peeved me about KDE (and I can see this thread is going to open a new can of worms), is the naming of all programs starting with a K followed by a name that seems purely random (regarding what the program actually did). Not only making it hard to locate software appropriate to your task, but confusingly k-naming things like kernel-things got k-named (kmod, anyone? - a kernel module, or a KDE something).
Selinux is just another example. I used to like linux because it made sense. Now it seems that it's little different than Windows sometimes -- opaque, overly complex, and unfriendly.
I don't think anything compares with the hideousness of Windows. So much of it is secret business, and I don't just mean closed-source. Resolving some whacko fault involves delving into the registry, adding things with sixteen hexadecimal numbers which mean nothing to no-one, that are only documented on hacking sites, or incomprehensible gibberish on the Microsoft that refers to two versions of Windows ago, warns against doing it on your release, yet the Microsoft search engine provides it as your solution.
We now return you to your regular programming, from alt.computers.help.me.commit.die.quickly
-- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.
Lucky for you I typed this, you'd never be able to read my handwriting.
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
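The create/copy versus move behaviour described in the message above can be checked directly. This is an added example, not part of any poster's message; the function names and the `ctxdemo-*` file names are hypothetical, and the demo assumes root on an SELinux-enabled Fedora/CentOS host with `/var/www/html` present and the `selinuxenabled`, `matchpathcon` and `restorecon` utilities installed.

```shell
#!/bin/sh
# Added example: compare the SELinux label a file actually carries with the
# label the loaded policy expects for its path, after a cp and after a mv.

# Print the type field (third colon-separated field) of a context string such
# as "unconfined_u:object_r:user_home_t:s0". MLS ranges with extra colons
# ("s0-s0:c0.c1023") come after the type, so field 3 is still correct.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (exit 0) when the actual and expected contexts differ in type.
# Type is what targeted-policy rules match on; the user field commonly
# differs (unconfined_u vs system_u) without causing denials.
needs_relabel() {
    [ "$(ctx_type "$1")" != "$(ctx_type "$2")" ]
}

# Report one file: actual label (stat %C) against the policy default for that
# path (matchpathcon -n), and relabel it with restorecon if they disagree.
check_and_fix() {
    actual=$(stat -c %C "$1") || return 1
    expected=$(matchpathcon -n "$1") || return 1
    if needs_relabel "$actual" "$expected"; then
        echo "$1: has $(ctx_type "$actual"), policy expects $(ctx_type "$expected")"
        restorecon -v "$1"
    else
        echo "$1: $(ctx_type "$actual") matches policy"
    fi
}

# Create two files outside the web root, cp one and mv the other into it.
# The copy is a new file and inherits the destination's label; the moved file
# keeps the label it was created with.
demo_cp_vs_mv() {
    selinuxenabled || { echo "SELinux is not enabled on this host" >&2; return 1; }
    dest=/var/www/html
    src=$(mktemp -d "$HOME/ctxdemo.XXXXXX") || return 1
    echo "constructed test page" > "$src/copied.html"
    echo "constructed test page" > "$src/moved.html"

    cp "$src/copied.html" "$dest/ctxdemo-copied.html"
    mv "$src/moved.html"  "$dest/ctxdemo-moved.html"

    check_and_fix "$dest/ctxdemo-copied.html"
    check_and_fix "$dest/ctxdemo-moved.html"

    # Clean up the constructed files.
    rm -f "$dest/ctxdemo-copied.html" "$dest/ctxdemo-moved.html" "$src/copied.html"
    rmdir "$src"
}

# Only touch the system when explicitly asked: sh ctxdemo.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_cp_vs_mv
fi
```

On coreutils builds with SELinux support, `mv -Z` applies the destination's default label at move time, which avoids the later `restorecon`.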
Totally agree with you, Bruce.
Cheers, Sylvia
On Tuesday, 26 January 2016, bruce badouglas@gmail.com wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and aren't looking to be a sysAdmin, so they want to (if possible) get to the quickest way of getting their "project" working/tested.. And if the "security/process" of X (in this case selinux) is in the way.. The learning required to implement that gets shoved back. It's a prioritization process for a bunch of people.
You have a limited amount of resources, you prioritize and keep going. And yeah, you realize that you might be cutting corners re security, but you keep going.
And before people say, "you need to learn security, or you shouldn't be writing apps!!".. not going to happen.
Implementing "good" security, doesn't happen by spending a few hours on a few sites. You eventually run into issues that "need to be solved", etc.. which then adds time/effort/resources. And rightly so, this is why you have skilled sysAdmin resources. But smaller projects don't have the resources for this process.. so it becomes a matter of prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone willing to work with me on security.. No takers..!!!
So, please, no disparaging "lazy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox@yahoo.com.au> wrote:
Allegedly, on or about 25 January 2016, vendor@billoblog.com sent:
Did you mean "hacked" or "attacked?"
To me an attack is the attempt, a hack is they've succeeded. They succeeded. Though, to be fair, I didn't say it was a Linux computer, but the principle is the same. All computers are vulnerable, though in our case it's more the applications than the OS. And if you take no steps to protect your system, or worse, take steps to remove protection, you lay yourself wide open.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things always seem easy and straightforward to someone who knows it well. That's the nature of skill, regardless of the kind of skill it is.
I see it no less user-friendly than other things. I look at ACL (access control lists), and see them as a nightmare. I can see them being used in security establishments, to control who can see or modify certain documents that need disseminating. But not in general use. I can't really imagine employee #54534624 writing a letter, then carefully considering a list of who can do what with their file (mutter, mutter, need to add my boss to read/write, my assistant to read/write, my technically hopeless other boss to read-only so he doesn't foul up my work, my co-workers to read-only, and I have to remember which of them are working on the same case...).
Barring oversights and errors, SELinux generally does what it's supposed to do. If I create a file in /var/www/html/ to be served, it automatically gets given the right contexts to be served, as part of the process of *creating* a file at that location. If I copy a file from somewhere to there, the same thing happens, the copy is a new creation, and gets the appropriate contexts for where it's created. A confusing thing happens if you try to move a file, the original file contexts are moved along with the file, and they're probably going to be wrong. It's logical, but not obvious to the uninitiated. Though it's not too hard to find out why, you just problem solve it like any other error that takes you by surprise.
It's similar with file permissions. Some people declare it too hard, and want to make everything rwxrwxrwx, and hang the consequences. On a webserver, that (making everything world-writeable), or letting the webserver process own the files (making everything writeable by the server, and hence world-writeable), opens you up to all sorts of abuse, not just the destruction of that individual file.
That's what I think of when I read these discussions. If someone is struggling with something like this, they may seem like morons, but it is usually something *other* than simple stupidity or laziness that is the reason. It's because the barrier to doing it is greater than the perceived benefit.
At times, but the tone of the thread indicates that laziness is an issue.
There is a truism that I remember being told about computer security a long, long time ago that usability and technical security are inversely related. At some point, when you increase the technical security enough, you will have made the system unusable to the point that your users will simply start going around it simply to get their work done.
That's true on both counts. Though I tend to feel that SELinux has met that balance at around the right place.
While I have some sympathy for people who haven't yet learnt it, as they try to do something. My efforts are towards learn it, don't bypass it. Just the same as we'll tell people don't do things as root - that's often the root cause, pun intended, of all of these issues. They do one dumb thing, then another on top of that, and have several compounded problems because they will not follow any advice.
It's usually around this point that I bring up an analogy against people trying to do things on computers when they don't really know how, and stubbornly resist all efforts to learn: I hope these people never get it into their head to half-arsedly learn first aid, and refuse to do something important because they don't want to.
...[snip flash drive story]...
I can understand that, and it's not a new story, either. The need to do it is understandable. The concept of doing it in isolation can be a required step. If the drive manages to do something nasty, it only affects that one computer, which then gets sterilised before being allowed back on the network (if the operator knows that, and doesn't just plug it back in, regardless).
We had similar issues with floppy discs. Back when bootblock viruses were the common enemy, there was no/inadequate protection against them. The only way to stop the spread, was a cold boot in between, and using a system that booted from the disc in question. That method was no good against an OS that had another disc-based OS running it.
The combination of security that ignores users and users that ignore security gives you a system that has neither security nor usability. And simply calling users morons will not solve this.
I don't believe I've said that. In this email I've certainly mentioned laziness, because the evidence points that way.
As a general rule, on a user-level, SELinux doesn't get even thought about, here. It's in the background, and doesn't get in the way. If you're running services, then it rightly does become something you need to know about managing.
But what particularly gets my goat, is someone who's a programmer developing things telling me that SELinux is too hard to deal with. Too hard? Compared with what? Writing software?! Jeez, you've got much harder work, *there*. And, as far as I'm concerned, programmers being hit with the big hammer that says, you have to write data in proper locations, you can't just read any file you like on the system, you can't just serve out files from any ad-hoc locations, is only a good set of conditions to start imposing on so-called programmers. Bring on the software that pokes them with a sharp stick for doing things that allows them to create buffer-overflow errors. We could save the entire world a whole lot of grief if programmers started paying attention to getting that one bit of programming right.
I love KDE, but frankly, it is collapsing under its own complexity.
I can't say I've ever liked it. It has the Fisher-Price toy look like XP had, and a gazillion configuration options that I do not like the defaults, and it's always been that way (ever since I saw it, a gazillion configuration options). Coming from an Amiga user background, I've never agreed with what people said about Gnome looking like Windows, no KDE does. Gnome looked far more old Mac-like.
The other thing that peeved me about KDE (and I can see this thread is going to open a new can of worms), is the naming of all programs starting with a K followed by a name that seems purely random (regarding what the program actually did). Not only making it hard to locate software appropriate to your task, but confusingly k-naming things like kernel-things got k-named (kmod, anyone? - a kernel module, or a KDE something).
Selinux is just another example. I used to like linux because it made sense. Now it seems that it's little different than Windows sometimes -- opaque, overly complex, and unfriendly.
I don't think anything compares with the hideousness of Windows. So much of it is secret business, and I don't just mean closed-source. Resolving some whacko fault involves delving into the registry, adding things with sixteen hexadecimal numbers which mean nothing to no-one, that are only documented on hacking sites, or incomprehensible gibberish on the Microsoft that refers to two versions of Windows ago, warns against doing it on your release, yet the Microsoft search engine provides it as your solution.
We now return you to your regular programming, from alt.computers.help.me.commit.die.quickly
-- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.
Lucky for you I typed this, you'd never be able to read my handwriting.
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
On Jan 26, 2016, at 8:57 AM, bruce badouglas@gmail.com wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and aren't looking to be a sysAdmin, so they want to (if possible) get to the quickest way of getting their "project" working/tested.. And if the "security/process" of X (in this case selinux) is in the way.. The learning required to implement that gets shoved back. It's a prioritization process for a bunch of people.
You have a limited amount of resources, you prioritize and keep going. And yeah, you realize that you might be cutting corners re security, but you keep going.
And before people say, "you need to learn security, or you shouldn't be writing apps!!".. not going to happen.
Implementing "good" security, doesn't happen by spending a few hours on a few sites. You eventually run into issues that "need to be solved", etc.. which then adds time/effort/resources. And rightly so, this is why you have skilled sysAdmin resources. But smaller projects don't have the resources for this process.. so it becomes a matter of prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone willing to work with me on security.. No takers..!!!
So, please, no disparaging "lazy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim ignored_mailbox@yahoo.com.au wrote:
Allegedly, on or about 25 January 2016, vendor@billoblog.com sent:
Did you mean "hacked" or "attacked?"
To me an attack is the attempt, a hack is they've succeeded. They succeeded. Though, to be fair, I didn't say it was a Linux computer, but the principle is the same. All computers are vulnerable, though in our case it's more the applications than the OS. And if you take no steps to protect your system, or worse, take steps to remove protection, you lay yourself wide open.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things always seem easy and straightforward to someone who knows it well. That's the nature of skill, regardless of the kind of skill it is.
I see it no less user-friendly than other things. I look at ACL (access control lists), and see them as a nightmare. I can see them being used in security establishments, to control who can see or modify certain documents that need disseminating. But not in general use. I can't really imagine employee #54534624 writing a letter, then carefully considering a list of who can do what with their file (mutter, mutter, need to add my boss to read/write, my assistant to read/write, my technically hopeless other boss to read-only so he doesn't foul up my work, my co-workers to read-only, and I have to remember which of them are working on the same case...).
Barring oversights and errors, SELinux generally does what it's supposed to do. If I create a file in /var/www/html/ to be served, it automatically gets given the right contexts to be served, as part of the process of *creating* a file at that location. If I copy a file from somewhere to there, the same thing happens, the copy is a new creation, and gets the appropriate contexts for where it's created. A confusing thing happens if you try to move a file, the original file contexts are moved along with the file, and they're probably going to be wrong. It's logical, but not obvious to the uninitiated. Though it's not too hard to find out why, you just problem solve it like any other error that takes you by surprise.
It's similar with file permissions. Some people declare it too hard, and want to make everything rwxrwxrwx, and hang the consequences. On a webserver, that (making everything world-writeable), or letting the webserver process own the files (making everything writeable by the server, and hence world-writeable), opens you up to all sorts of abuse, not just the destruction of that individual file.
That's what I think of when I read these discussions. If someone is struggling with something like this, they may seem like morons, but it is usually something *other* than simple stupidity or laziness that is the reason. It's because the barrier to doing it is greater than the perceived benefit.
At times, but the tone of the thread indicates that laziness is an issue.
There is a truism that I remember being told about computer security a long, long time ago that usability and technical security are inversely related. At some point, when you increase the technical security enough, you will have made the system unusable to the point that your users will simply start going around it simply to get their work done.
That's true on both counts. Though I tend to feel that SELinux has met that balance at around the right place.
While I have some sympathy for people who haven't yet learnt it, as they try to do something. My efforts are towards learn it, don't bypass it. Just the same as we'll tell people don't do things as root - that's often the root cause, pun intended, of all of these issues. They do one dumb thing, then another on top of that, and have several compounded problems because they will not follow any advice.
It's usually around this point that I bring up an analogy against people trying to do things on computers when they don't really know how, and stubbornly resist all efforts to learn: I hope these people never get it into their head to half-arsedly learn first aid, and refuse to do something important because they don't want to.
...[snip flash drive story]...
I can understand that, and it's not a new story, either. The need to do it is understandable. The concept of doing it in isolation can be a required step. If the drive manages to do something nasty, it only affects that one computer, which then gets sterilised before being allowed back on the network (if the operator knows that, and doesn't just plug it back in, regardless).
We had similar issues with floppy discs. Back when bootblock viruses were the common enemy, there was no/inadequate protection against them. The only way to stop the spread, was a cold boot in between, and using a system that booted from the disc in question. That method was no good against an OS that had another disc-based OS running it.
The combination of security that ignores users and users that ignore security gives you a system that has neither security nor usability. And simply calling users morons will not solve this.
I don't believe I've said that. In this email I've certainly mentioned laziness, because the evidence points that way.
As a general rule, on a user-level, SELinux doesn't get even thought about, here. It's in the background, and doesn't get in the way. If you're running services, then it rightly does become something you need to know about managing.
But what particularly gets my goat, is someone who's a programmer developing things telling me that SELinux is too hard to deal with. Too hard? Compared with what? Writing software?! Jeez, you've got much harder work, *there*. And, as far as I'm concerned, programmers being hit with the big hammer that says, you have to write data in proper locations, you can't just read any file you like on the system, you can't just serve out files from any ad-hoc locations, is only a good set of conditions to start imposing on so-called programmers. Bring on the software that pokes them with a sharp stick for doing things that allows them to create buffer-overflow errors. We could save the entire world a whole lot of grief if programmers started paying attention to getting that one bit of programming right.
I love KDE, but frankly, it is collapsing under its own complexity.
I can't say I've ever liked it. It has the Fisher-Price toy look like XP had, and a gazillion configuration options that I do not like the defaults, and it's always been that way (ever since I saw it, a gazillion configuration options). Coming from an Amiga user background, I've never agreed with what people said about Gnome looking like Windows, no KDE does. Gnome looked far more old Mac-like.
The other thing that peeved me about KDE (and I can see this thread is going to open a new can of worms), is the naming of all programs starting with a K followed by a name that seems purely random (regarding what the program actually did). Not only making it hard to locate software appropriate to your task, but confusingly k-naming things like kernel-things got k-named (kmod, anyone? - a kernel module, or a KDE something).
Selinux is just another example. I used to like linux because it made sense. Now it seems that it's little different than Windows sometimes -- opaque, overly complex, and unfriendly.
I don't think anything compares with the hideousness of Windows. So much of it is secret business, and I don't just mean closed-source. Resolving some whacko fault involves delving into the registry, adding things with sixteen hexadecimal numbers which mean nothing to no-one, that are only documented on hacking sites, or incomprehensible gibberish on the Microsoft that refers to two versions of Windows ago, warns against doing it on your release, yet the Microsoft search engine provides it as your solution.
We now return you to your regular programming, from alt.computers.help.me.commit.die.quickly
-- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.
Lucky for you I typed this, you'd never be able to read my handwriting.
On 26 January 2016 at 16:57, bruce badouglas@gmail.com wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and aren't looking to be a sysAdmin, so they want to (if possible) get to the quickest way of getting their "project" working/tested.. And if the "security/process" of X (in this case selinux) is in the way.. The learning required to implement that gets shoved back. It's a prioritization process for a bunch of people.
You have a limited amount of resources, you prioritize and keep going. And yeah, you realize that you might be cutting corners re security, but you keep going.
And before people say, "you need to learn security, or you shouldn't be writing apps!!".. not going to happen.
Implementing "good" security, doesn't happen by spending a few hours on a few sites. You eventually run into issues that "need to be solved", etc.. which then adds time/effort/resources. And rightly so, this is why you have skilled sysAdmin resources. But smaller projects don't have the resources for this process.. so it becomes a matter of prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone willing to work with me on security.. No takers..!!!
If you're really interested in that then it would be better to actually advertise.
The central point here, you seem to be arguing that you should disable all security because you don't have time to learn it and it's difficult. But I bet you don't plan to just make everything on the machine world writable and turn off the firewall. Things like SELinux are actually there to help you. They can't make you do things like properly encrypt user logins, but they can reduce the risk it's going to matter. What I've been trying to say is leave it on and there are plenty of people that can give you advice if you run into problems.
And yes, there are people that should not write apps if they aren't going to bother with security. If you're not from the UK then search google for Talktalk hacked, or imagine what would happen if people could get at your uber account details. Failing to protect user data properly over here (UK) can attract serious fines.
BTW... Yes, you can disable SELinux. Once you have your work done, you can enable or keep it disabled, as you like it.
Hope it helps, Sylvia
On Tuesday, 26 January 2016, bruce badouglas@gmail.com wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and aren't looking to be a sysAdmin, so they want to (if possible) get to the quickest way of getting their "project" working/tested.. And if the "security/process" of X (in this case selinux) is in the way.. The learning required to implement that gets shoved back. It's a prioritization process for a bunch of people.
You have a limited amount of resources, you prioritize and keep going. And yeah, you realize that you might be cutting corners re security, but you keep going.
And before people say, "you need to learn security, or you shouldn't be writing apps!!".. not going to happen.
Implementing "good" security, doesn't happen by spending a few hours on a few sites. You eventually run into issues that "need to be solved", etc.. which then adds time/effort/resources. And rightly so, this is why you have skilled sysAdmin resources. But smaller projects don't have the resources for this process.. so it becomes a matter of prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone willing to work with me on security.. No takers..!!!
So, please, no disparaging "lazy" remarks, ok!
Thanks!
On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox@yahoo.com.au> wrote:
Allegedly, on or about 25 January 2016, vendor@billoblog.com sent:
Did you mean "hacked" or "attacked?"
To me an attack is the attempt, a hack is they've succeeded. They succeeded. Though, to be fair, I didn't say it was a Linux computer, but the principle is the same. All computers are vulnerable, though in our case it's more the applications than the OS. And if you take no steps to protect your system, or worse, take steps to remove protection, you lay yourself wide open.
The problem I see with selinux is that it is so user-unfriendly. These kinds of things always seem easy and straightforward to someone who knows it well. That's the nature of skill, regardless of the kind of skill it is.
I see it no less user-friendly than other things. I look at ACL (access control lists), and see them as a nightmare. I can see them being used in security establishments, to control who can see or modify certain documents that need disseminating. But not in general use. I can't really imagine employee #54534624 writing a letter, then carefully considering a list of who can do what with their file (mutter, mutter, need to add my boss to read/write, my assistant to read/write, my technically hopeless other boss to read-only so he doesn't foul up my work, my co-workers to read-only, and I have to remember which of them are working on the same case...).
Barring oversights and errors, SELinux generally does what it's supposed to do. If I create a file in /var/www/html/ to be served, it automatically gets given the right contexts to be served, as part of the process of *creating* a file at that location. If I copy a file from somewhere to there, the same thing happens, the copy is a new creation, and gets the appropriate contexts for where it's created. A confusing thing happens if you try to move a file, the original file contexts are moved along with the file, and they're probably going to be wrong. It's logical, but not obvious to the uninitiated. Though it's not too hard to find out why, you just problem solve it like any other error that takes you by surprise.
It's similar with file permissions. Some people declare it too hard, and want to make everything rwxrwxrwx, and hang the consequences. On a webserver, that (making everything world-writeable), or letting the webserver process own the files (making everything writeable by the server, and hence world-writeable), opens you up to all sorts of abuse, not just the destruction of that individual file.
That's what I think of when I read these discussions. If someone is struggling with something like this, they may seem like morons, but it is usually something *other* than simple stupidity or laziness that is the reason. It's because the barrier to doing it is greater than the perceived benefit.
At times, but the tone of the thread indicates that laziness is an issue.
There is a truism that I remember being told about computer security a long, long time ago that usability and technical security are inversely related. At some point, when you increase the technical security enough, you will have made the system unusable to the point that your users will simply start going around it simply to get their work done.
That's true on both counts. Though I tend to feel that SELinux has met that balance at around the right place.
While I have some sympathy for people who haven't yet learnt it, as they try to do something. My efforts are towards learn it, don't bypass it. Just the same as we tell people don't do things as root - that's often the root cause, pun intended, of all of these issues. They do one dumb thing, then another on top of that, and have several compounded problems because they will not follow any advice.
It's usually around this point that I bring up an analogy against people trying to do things on computers when they don't really know how, and stubbornly resist all efforts to learn: I hope these people never get it into their head to half-arsedly learn first aid, and refuse to do something important because they don't want to.
...[snip flash drive story]...
I can understand that, and it's not a new story, either. The need to do it is understandable. The concept of doing it in isolation can be a required step. If the drive manages to do something nasty, it only affects that one computer, which then gets sterilised before being allowed back on the network (if the operator knows that, and doesn't just plug it back in, regardless).
We had similar issues with floppy discs. Back when bootblock viruses were the common enemy, there was no/inadequate protection against them. The only way to stop the spread, was a cold boot in between, and using a system that booted from the disc in question. That method was no good against an OS that had another disc-based OS running it.
The combination of security that ignores users and users that ignore security gives you a system that has neither security nor usability. And simply calling users morons will not solve this.
I don't believe I've said that. In this email I've certainly mentioned laziness, because the evidence points that way.
As a general rule, on a user-level, SELinux doesn't get even thought about, here. It's in the background, and doesn't get in the way. If you're running services, then it rightly does become something you need to know about managing.
But what particularly gets my goat, is someone who's a programmer developing things telling me that SELinux is too hard to deal with. Too hard? Compared with what? Writing software?! Jeez, you've got much harder work, *there*. And, as far as I'm concerned, programmers being hit with the big hammer that says, you have to write data in proper locations, you can't just read any file you like on the system, you can't just serve out files from any ad-hoc locations, is only a good set of conditions to start imposing on so-called programmers. Bring on the software that pokes them with a sharp stick for doing things that allows them to create buffer-overflow errors. We could save the entire world a whole lot of grief if programmers started paying attention to getting that one bit of programming right.
I love KDE, but frankly, it is collapsing under its own complexity.
I can't say I've ever liked it. It has the Fisher-Price toy look like XP had, and a gazillion configuration options that I do not like the defaults, and it's always been that way (ever since I saw it, a gazillion configuration options). Coming from an Amiga user background, I've never agreed with what people said about Gnome looking like Windows, no KDE does. Gnome looked far more old Mac-like.
The other thing that peeved me about KDE (and I can see this thread is going to open a new can of worms), is the naming of all programs starting with a K followed by a name that seems purely random (regarding what the program actually did). Not only making it hard to locate software appropriate to your task, but confusingly k-naming things like kernel-things got k-named (kmod, anyone? - a kernel module, or a KDE something).
Selinux is just another example. I used to like linux because it made sense. Now it seems that it's little different than Windows sometimes -- opaque, overly complex, and unfriendly.
I don't think anything compares with the hideousness of Windows. So much of it is secret business, and I don't just mean closed-source. Resolving some whacko fault involves delving into the registry, adding things with sixteen hexadecimal numbers which mean nothing to no-one, that are only documented on hacking sites, or incomprehensible gibberish on the Microsoft that refers to two versions of Windows ago, warns against doing it on your release, yet the Microsoft search engine provides it as your solution.
We now return you to your regular programming, from alt.computers.help.me.commit.die.quickly
-- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.
Lucky for you I typed this, you'd never be able to read my handwriting.
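Two points made in this thread, that a moved file keeps its old context and that permissive mode only logs what enforcing mode would have stopped, are both visible in the audit log. The following is an added example, not part of any poster's message: a small Python parser run over constructed AVC records. The sample lines, the function names and the web-root scenario are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread). The first two
# show httpd touching a file that still carries a home-directory label, as a
# file moved into the web root would; the last is an unrelated denial.
SAMPLE_LOG = '''\
type=AVC msg=audit(1453800000.101:210): avc:  denied  { read } for  pid=2201 comm="httpd" name="report.html" dev="vda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1453800600.412:305): avc:  denied  { read open } for  pid=2340 comm="httpd" path="/var/www/html/report.html" dev="vda1" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1453800600.412:305): arch=c000003e syscall=2 success=yes exit=11 comm="httpd"
type=AVC msg=audit(1453800700.007:311): avc:  denied  { name_connect } for  pid=2340 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, else None."""
    if "type=AVC " not in line:
        return None
    denied = AVC_RE.search(line)
    if denied is None:
        return None
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(line)}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    # permissive=0: the access was actually refused (enforcing).
    # permissive=1: the access went ahead and was only logged.
    # Older kernels omit the field, so that case is reported as "unknown".
    mode = {"0": "blocked", "1": "logged_only"}.get(
        fields.get("permissive"), "unknown")
    return {
        "perms": tuple(denied.group(1).split()),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields.get("tclass"),
        "mode": mode,
    }


def summarize(log_text):
    """Count denials per (source type, target type, class), split by mode."""
    summary = {"blocked": Counter(), "logged_only": Counter(),
               "unknown": Counter()}
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is not None:
            key = (record["source"], record["target"], record["tclass"])
            summary[record["mode"]][key] += 1
    return summary


if __name__ == "__main__":
    for mode, counts in summarize(SAMPLE_LOG).items():
        for (source, target, tclass), n in sorted(counts.items()):
            print(f"{mode:12} {source} -> {target} ({tclass}) x{n}")
```

Entries under `logged_only` are accesses that succeeded in permissive mode and would fail once the system is switched back to enforcing; a web server domain hitting a `user_home_t` file is the usual sign that the file needs its context restored for its new location.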
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On 26 January 2016 at 17:07, Shawn Bakhtiar shashaness@hotmail.com wrote:
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
Remember that next time your bank gets hacked.
On Tue, Jan 26, 2016 at 3:10 PM, Ian Malone ibmalone@gmail.com wrote:
Failing to protect user data properly over here (UK) can attract serious fines.
As it should be all over the World. I imagine that some sort of cease and desist should exist for companies with poorly protected user information. I would ultimately blame the average person for not valuing privacy enough, though.
Then those relatives who have 3 different passwords for 50 different services... Ugh.
The bank is the bank. I don't work on a bank. I work at home, with a very limited Internet connection, and on things that are far away from sys administration. And no, I won't lose my work. It's backed up. And Bruce said for a while, not permanently. Why all this fuss?
Cheers, Sylvia
On Tuesday, 26 January 2016, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 17:07, Shawn Bakhtiar <shashaness@hotmail.com> wrote:
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
Remember that next time your bank gets hacked.
-- imalone http://ibmalone.blogspot.co.uk
On Jan 26, 2016, at 9:13 AM, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 17:07, Shawn Bakhtiar shashaness@hotmail.com wrote:
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
Remember that next time your bank gets hacked.
Seriously!!?!??! You're comparing a multi-billion dollar multi-national institution with a SMB/SOHO engineer. Sorry they fall in the 1% last I checked.
-- imalone http://ibmalone.blogspot.co.uk
On Jan 26, 2016, at 9:10 AM, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 16:57, bruce badouglas@gmail.com wrote:
What the Heck???
So.. people who think/decide to just disable seLinux, instead of diving in to "learn" it are just lazy???? Lord.. shaking my head..
How about.. some might be lazy..
Or, some have a bunch of different things to get accomplished, and aren't looking to be a sysAdmin, so they want to (if possible) get to the quickest way of getting their "project" working/tested.. And if the "security/process" of X (in this case selinux) is in the way.. The learning required to implement that gets shoved back. It's a prioritization process for a bunch of people.
You have a limited amount of resources, you prioritize and keep going. And yeah, you realize that you might be cutting corners re security, but you keep going.
And before people say, "you need to learn security, or you shouldn't be writing apps!!".. not going to happen.
Implementing "good" security, doesn't happen by spending a few hours on a few sites. You eventually run into issues that "need to be solved", etc.. which then adds time/effort/resources. And rightly so, this is why you have skilled sysAdmin resources. But smaller projects don't have the resources for this process.. so it becomes a matter of prioritization/resource allocation..
And I say again.. I've been willing to pay hard $$$ for someone willing to work with me on security.. No takers..!!!
If you're really interested in that then it would be better to actually advertise.
I would agree with you here.
The central point here, you seem to be arguing that you should disable all security because you don't have time to learn it and it's difficult.
This is a valid reason given the priorities. A lot of SMB/SOHOs don't have the resources to use SELinux.
But I bet you don't plan to just make everything on the machine world writable and turn off the firewall.
These functions are far easier than understanding the complexities of SELinux.
Things like SELinux are actually there to help you. They can't make you do things like properly encrypt user logins, but they can reduce the risk it's going to matter. What I've been trying to say is leave it on and there are plenty of people that can give you advice if you run into problems.
And yes, there are people that should not write apps if they aren't going to bother with security.
Security is a System Administration function. Not a Software Engineering function. A lot of us function as both, but the idea that we have to be masters of all the disciplines we practice (when most of us are jack of all trades) is simply false. We do our best, and our best sometimes means abandoning complicated mechanisms such as SELinux in order to get a project to completion.
SELinux is bonus, not a requirement.
If you're not from the UK then search google for Talktalk hacked, or imagine what would happen if people could get at your uber account details. Failing to protect user data properly over here (UK) can attract serious fines.
That's not true... If you are NEGLIGENT you could face fines. Which I believe was the case in Talktalk was grossly negligent and in far greater position than most Linux users to secure their data.
-- imalone http://ibmalone.blogspot.co.uk
On Monday 25 Jan 2016 19:06:11 Shawn Bakhtiar wrote:
LOL!!!
I feel you bruce :)
I think a LOT of people are struggling (and frustrated, rightfully so) with SELinux and simply place it in permissive mode. There is nothing wrong with doing this. Don't buy into the fear mongering hype. The only thing you have to fear is fear itself.
If/when security is a concern (which in your case it doesn't seem to be) then SELinux is a powerful tool. You would run it along with Tripwire, rkhunter, et al, to validate the security of a server, and by the time it becomes so you can look back over the audit trail to see where perms need to be added etc...
If you are just looking to experiment, exposed to the internet or not, SELinux is really irrelevant, and in many cases can be cumbersome. I personally have had to disable SELinux (permissive mode) many a time to get things to work, and I have yet to have a system compromised by doing so. Not that this can't happen, but the actual chances of it happening are so low, that your ROI is simply not worth it. There really is not some army out there hitting small ops looking for vulnerabilities in anything that's not a standard package.
So experiment and produce at will with little to fear. A lot of hype is built around SELinux in naiveté. Someone who really cares about security actually does not rely on SELinux, they monitor their servers intensely, and know every process running on them inside and out, review logs often, use tripwire, rkhunter, and monitor network activity with Security Onion, etc....
Again, this is not to say that SELinux is not part of a good strategy, but it is not the holy grail many make it out to be either. It's a small part of security that as you mentioned a lot of us common folk can live without, and have done so for a long time, with no adverse effects.
On Jan 25, 2016, at 7:29 AM, bruce badouglas@gmail.com wrote:
--Gawd...
Feels like I'm trying to spit in the wind!!
1st, not trying to set up web servers, but am looking at running tests on linux servers.
2nd, recognize that one should have "secure" systems on the net, but realize I don't have the time/set of skills to "fully" get there...
So, if you want to say -- hey, don't have an insecure linux box, it could be hacked and cause us the Internet community probs due to your crap, that's fair.
But you need to realize, there are lots of people who are attempting to do as much as they can with limited resources/time. if anyone here wants to contact me offline, we can discuss. Heck, I've been looking for a "sysadmin" type that I can pay, talk with for a bit.
If fed/selinux had a "config" file for simple services/ports, great.. But when you get to policies, and understanding the nuances of selinux, as far as I can tell, it's a learning curve that has to be dealt with in order to get it right..
And to be honest, I know of a number of operations/organizations that have put the "security" sysAdmin stuff off until they could find a sysadmin resource for that function..
There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in 4 weeks" courses. that only get to the basics of coding, much less the sysadmin stuff..
None of these are going away.. so some guy who pops up a website/app on some aws instance.. has security issues that they might not even realize..
Anyway.. thanks guys!
On Mon, Jan 25, 2016 at 9:28 AM, Tim ignored_mailbox@yahoo.com.au wrote:
Allegedly, on or about 25 January 2016, bruce sent:
I fully get the need for security.. But if I can't get the security working as it should, but I still need to build whatever the project might be.. the project is going to get created.
If running Selinux in permissive mode is enough, great, so be it.
SELinux in permissive mode is *not* secure. You're using the computer in an insecure mode, and all SELinux is doing is logging the things that it would have stopped.
But when it comes to policies, for different users, applications, files, etc.. and the possibility of screwing something up if you go wrong, then you have a bit of an issue there...
I run webservers, mailservers, fileservers, DNS servers, DHCP servers. And I haven't had to turn off SELinux, nor do anything beyond open the configurator GUI and tick the boxes that said to allow those particular services (look through its list, find HTTPD server, tick it, find serving CGI scripts, tick that, etc., that was about the extent of what I had to do). Seriously, setting that right was a damn sight easier than configuring any of those servers.
If you find something is failing because SELinux is stopping it, chances are that /that/ something is badly written, and needs doing better. Is it trying to serve files it has no business serving? Is it trying to execute things that it shouldn't execute but merely read? There's a plethora of dumb things people try to do with their programs, and stopping those dumb things is the solution, not allowing them.
Do you ignore programming error messages, too?
And you can't simply tell someone, "if you don't know what you're doing, don't mess with linux!" Not going to happen..
I can say if you don't know what you're doing, don't do it on the internet. Dumb things on the internet don't just affect you, they affect other people around you. That's why we have masses of spam on the internet, and other hacks. Compromised user boxes, compromised ISP services, abound.
ps. To all who've replied in favor of someone not really implementing a fed/centos/linux instance unless secure, I take it you're also willing to provide pointers/help if someone asks, yes? (And not just
On 26 January 2016 at 17:23, Shawn Bakhtiar shashaness@hotmail.com wrote:
On Jan 26, 2016, at 9:13 AM, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 17:07, Shawn Bakhtiar shashaness@hotmail.com wrote:
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
Remember that next time your bank gets hacked.
Seriously!!?!??! You're comparing a multi-billion dollar multi-national institution with a SMB/SOHO engineer. Sorry they fall in the 1% last I checked.
Every two bit company that leaks other people's data because they can't be bothered makes things worse for its customers. Who are often soon ex-customers. Which means SMBs become former SMBs.
On Jan 26, 2016, at 10:33 AM, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 17:23, Shawn Bakhtiar shashaness@hotmail.com wrote:
On Jan 26, 2016, at 9:13 AM, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 17:07, Shawn Bakhtiar shashaness@hotmail.com wrote:
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
Remember that next time your bank gets hacked.
Seriously!!?!??! You're comparing a multi-billion dollar multi-national institution with a SMB/SOHO engineer. Sorry they fall in the 1% last I checked.
Every two bit company that leaks other people's data because they can't be bothered makes things worse for its customers. Who are often soon ex-customers. Which means SMBs become former SMBs.
This is such a load of fear mongering crap. You are acting as if SELinux is the end all and be all of security, which any “two bit” sysadmin can tell you it is not. It is a SMALL part of security one that for the pain it causes is simply not worth it.
In fact there isn’t a single good reason to have SELinux enabled out of the box (or SystemD for that matter- whole other story).
The functions it (as with systemD) serves are limited to a select area of operations.
-- imalone http://ibmalone.blogspot.co.uk
On 27 January 2016 at 02:41, Shawn Bakhtiar shashaness@hotmail.com wrote:
On Jan 26, 2016, at 10:33 AM, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 17:23, Shawn Bakhtiar shashaness@hotmail.com wrote:
On Jan 26, 2016, at 9:13 AM, Ian Malone ibmalone@gmail.com wrote:
On 26 January 2016 at 17:07, Shawn Bakhtiar shashaness@hotmail.com wrote:
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
Remember that next time your bank gets hacked.
Seriously!!?!??! You're comparing a multi-billion dollar multi-national institution with a SMB/SOHO engineer. Sorry they fall in the 1% last I checked.
Every two bit company that leaks other people's data because they can't be bothered makes things worse for its customers. Who are often soon ex-customers. Which means SMBs become former SMBs.
This is such a load of fear mongering crap. You are acting as if SELinux is the end all and be all of security, which any “two bit” sysadmin can tell you it is not. It is a SMALL part of security one that for the pain it causes is simply not worth it.
In fact there isn’t a single good reason to have SELinux enabled out of the box (or SystemD for that matter- whole other story).
The functions it (as with systemD) serves are limited to a select area of operations.
It's fairly clear you've understood nothing I said. Pointless to continue.
On 01/23/2016 09:52 AM, bruce wrote:
Hi.
In testing out creating/setting up remote droplets on digital ocean/fed (centos), I realize that it should be secured as much/tightly as possible. However, I also realize that if I screw something up, I could have an instance that has issues. I'm not a sys admin, and not trying to be one.
So, here's my question. If I'm going to be spinning up/down an instance, could I simply disable selinux? For my scenario, I'll be creating a base instance, with the required apps/processes, and then using that base instance for any testing droplets I need to create, to test my apps.
So, if I create an instance, spin it up, fire off my tests on the instance, run everything for a few hours, and then shut it off, would that be "reasonably safe/secure"?
My testing apps are a mix of python/php/perl/shell scripts, there's no web stuff as of yet. Although, there will be dns/nfs/mysql functionality.
Thanks for thoughts..
Sorry I'm late to the thread.
Bruce, I'd love your opinion on the "SELinux for Mere Mortals" talk from Red Hat Summit: https://www.youtube.com/watch?v=MxjenQ31b70
Disclaimer: it's a video of me, and I work for Red Hat.
I've gotten a lot of positive feedback on the video, and I hope that it will make your decision easier. It's only about an hour, and pretty much everyone who has watched it has said they'd use SELinux after watching it. I am clearly biased, but I would not run any internet-facing system without SELinux turned on. Heck, I don't run *any* system without it.
I hope this helps!
Thomas
On 01/26/2016 06:41 PM, Shawn Bakhtiar wrote:
In fact there isn’t a single good reason to have SELinux enabled out of the box ... The functions it (as with systemD) serves are limited to a select area of operations.
I'd like to point out that the default policy is "targeted", which means that it only affects the "select area of operations" where it can help to contain an attack.