I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway.
It shouldn't cause any trouble if you set to permissive mode. Can you explain what problems you are having?
Run the following command as root to verify the mode
# getenforce
Can I just command "yum remove selinux"?
SELinux is not a single package. You can remove the policy files but the SELinux library is used by many core packages and cannot be removed easily. See previous discussions in this list in the archives for more details.
Rahul
As expected, this can probably be changed during run-time:
[seklecki@hv00 ~]$ more /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
~BAS
On Thu, 20 Sep 2007, Rahul Sundaram wrote:
Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway.
It shouldn't cause any trouble if you set to permissive mode. Can you explain what problems you are having?
Run the following command as root to verify the mode
# getenforce
Can I just command "yum remove selinux"?
SELinux is not a single package. You can remove the policy files but the SELinux library is used by many core packages and cannot be removed easily. See previous discussions in this list in the archives for more details.
Rahul
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/
"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~Maynard James Keenan
On Thu, 20 Sep 2007 21:31:51 +0530, Rahul Sundaram wrote:
It shouldn't cause any trouble if you set to permissive mode. Can you explain what problems you are having?
I've just recently deleted a bunch of its incomprehensible reportage from the machine I'm on at the moment; this has come in since (with my apologies for what c&p does to the formatting) :
Summary
SELinux is preventing semodule (semanage_t) "getattr" to / (fs_t).

Detailed Description
SELinux denied access requested by semodule. It is not expected that this access is required by semodule and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: user_u:system_r:semanage_t
Target Context: system_u:object_r:fs_t
Target Objects: / [ filesystem ]
Affected RPM Packages: filesystem-2.4.6-1.fc7 [target]
Policy RPM: selinux-policy-2.6.4-38.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.22.4-65.fc7 #1 SMP Tue Aug 21 22:36:56 EDT 2007 i686 athlon
Alert Count: 1
First Seen: Wed 05 Sep 2007 09:37:21 AM EDT
Last Seen: Wed 05 Sep 2007 09:37:21 AM EDT
Local ID: fb994b74-5944-49d4-836b-f9011476aec6
Line Numbers:

Raw Audit Messages :
avc: denied { getattr } for comm="semodule" dev=dm-0 name="/" pid=28412 scontext=user_u:system_r:semanage_t:s0 tclass=filesystem tcontext=system_u:object_r:fs_t:s0
Quite commonly, along with all the stuff that would take me years of study (years I don't have) to understand, I get either a recommendation to run some command ending in "reboot," which is very tiresome to do, and also takes inordinate time. Or else it asks for a bug report, which I am not competent to write, nor do I have time for it.
Run the following command as root to verify the mode
# getenforce
I get this, on all three machines that live on my desk :
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]#
Can I just command "yum remove selinux"?
SELinux is not a single package. You can remove the policy files but the SELinux library is used by many core packages and cannot be removed easily. See previous discussions in this list in the archives for more details.
More details? I'm already drowning in details meaningless to me!
On Thu, Sep 20, 2007 at 04:29:05PM +0000, Beartooth wrote:
I get this, on all three machines that live on my desk :
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]#
Edit /etc/sysconfig/selinux, set "SELINUX=disabled" at the appropriate line, reboot and you're done, IIRC.
On Thu, 20 Sep 2007 18:33:43 +0200, Jos Vos wrote:
On Thu, Sep 20, 2007 at 04:29:05PM +0000, Beartooth wrote:
I get this, on all three machines that live on my desk :
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]#
Edit /etc/sysconfig/selinux, set "SELINUX=disabled" at the appropriate line, reboot and you're done, IIRC.
Aha! I hadn't thought of rebooting; I have it doing that now. Thanks!
Btw, I don't know if it's worth a whole nuther thread, but I've been finding it advised or necessary to reboot a *lot* more in the last year or three than before. And a lot fewer people vaunt their uptime in their .sigs.
It reminds me, alas!, of certain operating systems than which any other whatever is a lesser evil, and usually a vast improvement. We can't be sliding this direction by choice; can anyone tell a subtechnoid what's going on??
Beartooth wrote:
Btw, I don't know if it's worth a whole nuther thread, but I've been finding it advised or necessary to reboot a *lot* more in the last year or three than before. And a lot fewer people vaunt their uptime in their .sigs
The only time I reboot any of my systems is after an update and mostly if it involved the kernel or libraries. I have a pair of RH7.3 machines that have not had any updates performed (not supported anymore) and those things are rock solid, with one of them boasting an uptime of 634 days. As of right now, they look like:
Uptime on avalon: 13:49:32 up 17 days, 4:22
Uptime on bugsy: 13:49:32 up 23 days, 4:09
Uptime on stigmata: 13:49:33 up 427 days, 47 min
Uptime on serpico: 13:49:33 up 22 days, 20:49
Uptime on trinity: 13:49:34 up 38 days, 2:03
Uptime on athenaeum: 13:49:34 up 21 days, 14:40
Uptime on lansky: 13:49:34 up 40 days, 10:27
Uptime on desperado: 13:49:34 up 40 days, 9:55
Uptime on ivanhoe: 13:49:35 up 634 days, 4:33
Uptime on bpp: 13:49:35 up 40 days, 9:49
Uptime on lilpusher: 13:49:36 up 40 days, 10:09
Uptime on bigbertha: 13:49:36 up 40 days, 10:06
Uptime on listserv: 13:49:37 up 79 days, 4:24
Uptime on swift: 13:49:38 up 96 days, 20:47
- those last two machines are SGI IRIX boxes...
On Thu, 2007-09-20 at 16:53 +0000, Beartooth wrote:
Btw, I don't know if it's worth a whole nuther thread, but I've been finding it advised or necessary to reboot a *lot* more in the last year or three than before.
In some cases it's just a simple answer to a lot of people (both advice some give, or an action some always take). It isn't always necessary. Though some don't realise that, having had it ingrained in them through using Windows. Or they like to check that their systems will still boot after their latest changes (if you reboot some weeks later, you mightn't remember what you changed that could be a problem).
Having said that, things that alter really core behaviour may need a reboot to take effect. But, as far as I was aware, you could just issue the command to disable SELinux, and it's disabled. You'd also write in the disabling configuration changes, so that the next boot came up that way, too.
On 9/20/07, Beartooth Beartooth@swva.net wrote:
Btw, I don't know if it's worth a whole nuther thread, but I've been finding it advised or necessary to reboot a *lot* more in the last year or three than before. And a lot fewer people vaunt their uptime in their .sigs.
It reminds me, alas!, of certain operating systems than which any other whatever is a lesser evil, and usually a vast improvement. We can't be sliding this direction by choice; can anyone tell a subtechnoid what's going on??
I am normally in irc://freenode/fedora and such advice is rare enough there that I cannot remember it occurring. I would wager a guess that you have received at best, oversimplified advice.
On Fri, 21 Sep 2007 00:13:31 -0500, Arthur Pemberton wrote:
I am normally in irc://freenode/fedora and such advice is rare enough there that I cannot remember it occurring. I would wager a guess that you have received at best, oversimplified advice.
Well, irc is one of the things like games that I'm careful for personal reasons to make sure never gets installed, or gets removed at once; so I can't speak to that. But I'll take your word for it.
To the best of my recollection, I have two sources. One is READMEs, web boards, and sundry such venues for particular apps; the other summarizes my experience -- rebooting quite commonly helps when nothing else I try, including logging out and back in, is any help.
I doubt I run any apps that anyone here would consider unusual; but it may well be that, autodidact as I am, I run them in unusual ways. Or of course my impression could be off. <shrug>
On 9/21/07, Beartooth Beartooth@swva.net wrote:
On Fri, 21 Sep 2007 00:13:31 -0500, Arthur Pemberton wrote:
I am normally in irc://freenode/fedora and such advice is rare enough there that I cannot remember it occurring. I would wager a guess that you have received at best, oversimplified advice.
Well, irc is one of the things like games that I'm careful for personal reasons to make sure never gets installed, or gets removed at once; so I can't speak to that. But I'll take your word for it.
To the best of my recollection, I have two sources. One is READMEs, web boards, and sundry such venues for particular apps; the other summarizes my experience -- rebooting quite commonly helps when nothing else I try, including logging out and back in, is any help.
I doubt I run any apps that anyone here would consider unusual; but it may well be that, autodidact as I am, I run them in unusual ways. Or of course my impression could be off. <shrug>
Please let us know, if you recall any details.
No userland apps or modules should require a restart as far as I understand.
On Fri, 21 Sep 2007 13:04:13 -0500, Arthur Pemberton wrote:
On 9/21/07, Beartooth Beartooth@swva.net wrote:
On Fri, 21 Sep 2007 00:13:31 -0500, Arthur Pemberton wrote:
I am normally in irc://freenode/fedora and such advice is rare enough there that I cannot remember it occurring. I would wager a guess that you have received at best, oversimplified advice.
Well, irc is one of the things like games that I'm careful for personal reasons to make sure never gets installed, or gets removed at once; so I can't speak to that. But I'll take your word for it.
To the best of my recollection, I have two sources. One is READMEs, web boards, and sundry such venues for particular apps; the other summarizes my experience -- rebooting quite commonly helps when nothing else I try, including logging out and back in, is any help.
I doubt I run any apps that anyone here would consider unusual; but it may well be that, autodidact as I am, I run them in unusual ways. Or of course my impression could be off. <shrug>
Please let us know, if you recall any details.
No userland apps or modules should require a restart as far as I understand.
For starters, there's one on this thread -- in a post from Gene Heskett dated Thursday (i.e., Sept 20) at 11:30. It may be there because he's explaining about doing the disable in Grub : he answers my question about "yum remove selinux", saying :
No, but it can be disabled by only one method I know of, the kernels command line in grub.conf.
Append to it: selinux=0 and reboot.
I am watching for more.
On Thu, 2007-09-20 at 16:29 +0000, Beartooth wrote:
On Thu, 20 Sep 2007 21:31:51 +0530, Rahul Sundaram wrote:
It shouldn't cause any trouble if you set to permissive mode. Can you explain what problems you are having?
I've just recently deleted a bunch of its incomprehensible reportage from the machine I'm on at the moment; this has come in since (with my apologies for what c&p does to the formatting) :
Summary
SELinux is preventing semodule (semanage_t) "getattr" to / (fs_t).

Detailed Description
SELinux denied access requested by semodule. It is not expected that this access is required by semodule and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: user_u:system_r:semanage_t
Target Context: system_u:object_r:fs_t
Target Objects: / [ filesystem ]
Affected RPM Packages: filesystem-2.4.6-1.fc7 [target]
Policy RPM: selinux-policy-2.6.4-38.fc7
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: plugins.catchall
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.22.4-65.fc7 #1 SMP Tue Aug 21 22:36:56 EDT 2007 i686 athlon
Alert Count: 1
First Seen: Wed 05 Sep 2007 09:37:21 AM EDT
Last Seen: Wed 05 Sep 2007 09:37:21 AM EDT
Local ID: fb994b74-5944-49d4-836b-f9011476aec6
Line Numbers:

Raw Audit Messages :
avc: denied { getattr } for comm="semodule" dev=dm-0 name="/" pid=28412 scontext=user_u:system_r:semanage_t:s0 tclass=filesystem tcontext=system_u:object_r:fs_t:s0
Quite commonly, along with all the stuff that would take me years of study (years I don't have) to understand, I get either a recommendation to run some command ending in "reboot," which is very tiresome to do, and also takes inordinate time. Or else it asks for a bug report, which I am not competent to write, nor do I have time for it.
It's not that hard--all the information you need is in the report above. And if you do report it, it will get fixed and save you and others grief in the future. Once you've done it once, it's not too terribly difficult or time consuming.
Run the following command as root to verify the mode
# getenforce
I get this, on all three machines that live on my desk :
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]#
Can I just command "yum remove selinux"?
SELinux is not a single package. You can remove the policy files but the SELinux library is used by many core packages and cannot be removed easily. See previous discussions in this list in the archives for more details.
More details? I'm already drowning in details meaningless to me!
Somebody in the thread at some point said:
On Thu, 20 Sep 2007 21:31:51 +0530, Rahul Sundaram wrote:
It shouldn't cause any trouble if you set to permissive mode. Can you explain what problems you are having?
I've just recently deleted a bunch of its incomprehensible reportage from the machine I'm on at the moment; this has come in since (with my apologies for what c&p does to the formatting) :
Just to be clear, that is what "permissive" does... it lets you know what selinux wouldn't've let through, but lets it through anyway. So these error messages represent a passive opinion from selinux about what it didn't like (but did nothing to prevent). So selinux is only to blame for filling your logs, not any other badness while in permissive.
IMO it is better to make selinux happy, if possible without causing a heart attack, than to disable it. Why not start with
# touch /.autorelabel
and a reboot. This will make sure your files have the right selinux label, the cause of many problems.
-Andy
On Friday 21 September 2007, Andy Green wrote:
Somebody in the thread at some point said:
On Thu, 20 Sep 2007 21:31:51 +0530, Rahul Sundaram wrote:
It shouldn't cause any trouble if you set to permissive mode. Can you explain what problems you are having?
I've just recently deleted a bunch of its incomprehensible reportage from the machine I'm on at the moment; this has come in since (with my apologies for what c&p does to the formatting) :
Just to be clear, that is what "permissive" does... it lets you know what selinux wouldn't've let through, but lets it through anyway. So these error messages represent a passive opinion from selinux about what it didn't like (but did nothing to prevent). So selinux is only to blame for filling your logs, not any other badness while in permissive.
IMO it is better to make selinux happy, if possible without causing a heart attack, than to disable it. Why not start with
# touch /.autorelabel
and a reboot. This will make sure your files have the right selinux label, the cause of many problems.
-Andy
With all due respect Andy, I probably did that 6 or 7 times. Not once did it actually fix a problem.
Somebody in the thread at some point said:
# touch /.autorelabel
and a reboot. This will make sure your files have the right selinux label, the cause of many problems.
With all due respect Andy, I probably did that 6 or 7 times. Not once did it actually fix a problem.
Well that will only fix "a problem" whose cause is a simple mislabelling or lack of the selinux label. That has happened to me in the past upgrading machines with old Fedora versions or ones with filesystems that had previously been used with selinux=0. You can also make the kind of problem this will fix by copying files, say from /var/www/html to /home and then mv-ing them back. If your problem is different or more subtle then naturally it won't help.
Maybe I have been lucky, but I have been able to figure out how to get around whatever selinux has complained about to me recently. Only once did it need a local policy, to get gitweb working.
So because that has been my experience, which I can see has been different to yours I accept, I am more positive about trying to get it working.
-Andy
On Friday 21 September 2007, Andy Green wrote:
Somebody in the thread at some point said:
# touch /.autorelabel
and a reboot. This will make sure your files have the right selinux label, the cause of many problems.
With all due respect Andy, I probably did that 6 or 7 times. Not once did it actually fix a problem.
Well that will only fix "a problem" whose cause is a simple mislabelling or lack of the selinux label. That has happened to me in the past upgrading machines with old Fedora versions or ones with filesystems that had previously been used with selinux=0. You can also make the kind of problem this will fix by copying files, say from /var/www/html to /home and then mv-ing them back. If your problem is different or more subtle then naturally it won't help.
Maybe I have been lucky, but I have been able to figure out how to get around whatever selinux has complained about to me recently. Only once did it need a local policy, to get gitweb working.
So because that has been my experience, which I can see has been different to yours I accept, I am more positive about trying to get it working.
-Andy
Just for grins, Andy, I fired up my lappy which has been running with selinux=0 since the F7 install, did the touch /.autorelabel, then let it update to the latest with smart. That will install a newer kernel which I haven't built an ndiswrapper for just yet, but will reboot and do that. It will be interesting to see if I still have a network connection through my bcm4318 radio when it's all done. I'll remove the grub option and set it to permissive before I do the final reboot.
Ok, an hour later its all done, rebooted to permissive, relabeled (took about half an hour right there) ndiswrapper-1.48 installed. And by golly its still working, kdenetwork manager says the connection speed sucks, but I had to go get the newest flash for seamonkey and that came in only about 10k slower than my dsl connection. The log is showing me a bunch of what I think are bcm4318 related messages that look like stack traces, but it is running despite that. The messages are from:
b43-phy0 ERROR: LO control pair validation failed (I: 111, Q: 111, used 1, calib: 0, initing: 0)
And seemingly generated when b43 attempts to set the local oscillator. Or is that b43's way of bitching about the radio channel? DamnifIknow.
Anybody got a clue to lend me? Latest F7 kernel but I saw it on the previous one before I rebooted to the new one too.
I left this message sitting on screen, and went to do some shopping for eats, then went to the shop to cut the last two mortises in a side rail for a cabinet, and when I came back in just now, the last such messages showing in the messages tail were slightly different, but still generated a stack trace, naming rfatt=6, bbatt=5, and was at 15:42 pm, its now 20:01. Self repairing?
So, ATM I have not run into an selinux problem while running in permissive but live mode.
Progress at making it more 'user friendly'? Perhaps. I'll leave it setup as now & see how I fare trying to do my usual stuffs.
Maybe it will actually be usable when I install F8 on this box.
Somebody in the thread at some point said:
b43-phy0 ERROR: LO control pair validation failed (I: 111, Q: 111, used 1, calib: 0, initing: 0)
And seemingly generated when b43 attempts to set the local oscillator. Or is that b43's way of bitching about the radio channel? DamnifIknow.
I guess LO really is Local Oscillator in this case. I would definitely throw out ndiswrapper until I really really had no choice. b43 is still getting worked on pretty hard, it is also sensitive to the version of firmware you are using in /lib/firmware.
Anybody got a clue to lend me? Latest F7 kernel but I saw it on the previous one before I rebooted to the new one too.
I left this message sitting on screen, and went to do some shopping for eats, then went to the shop to cut the last two mortises in a side rail for a cabinet, and when I came back in just now, the last such messages showing in the messages tail were slightly different, but still generated a stack trace, naming rfatt=6, bbatt=5, and was at 15:42 pm, its now 20:01. Self repairing?
I think some of the stack backtraces in this case can be for debugging, but I don't know.
So, ATM I have not run into an selinux problem while running in permissive but live mode.
Great.
Progress at making it more 'user friendly'? Perhaps. I'll leave it setup as now & see how I fare trying to do my usual stuffs.
Well the best thing selinux can do is be "user invisible", but I'm glad that you also found it has gotten better enough since you last tried it that you can consider to see how it goes.
-Andy
On Fri, 21 Sep 2007 06:47:12 +0100, Andy Green wrote:
Just to be clear, that is what "permissive" does... it lets you know what selinux wouldn't've let through, but lets it through anyway. So these error messages represent a passive opinion from selinux about what it didn't like (but did nothing to prevent). So selinux is only to blame for filling your logs, not any other badness while in permissive.
In other words, what it tells me in these messages is false?? And the distractions it creates to draw attention to itself could be proxied out, if I knew how??
The messages in the display when I click on that big yellow star are all of the form "SELinux *has* blocked ..." or "... *has* denied ... " or the like -- indicative mood.
IMO it is better to make selinux happy, if possible without causing a heart attack, than to disable it.
Such has indeed been my practice heretofore -- and I'm getting heartily sick of it.
Why not start with
# touch /.autorelabel
and a reboot. This will make sure your files have the right selinux label, the cause of many problems.
Like Gene, I have done that, over and over; I haven't counted, but it must be at *least* half a dozen times per machine.
It is usually anything but convenient to shut all the apps on all the workspaces down, just because some nanny I don't need has yet another hissy fit. And when I do do it, it takes forever and a month to reboot.
It may well be that NSA and those of you with big production sites to administer do need all this. You certainly (and I hope to God NSA, too, despite being a gummint bureaucracy) understand it far better.
To start with, surely, you can tell by looking what is serious and what isn't -- i.e., what you can safely ignore till you get around to it, if ever.
My half dozen little machines, all behind at least one router, physically inaccessible to anyone but my wife and me, running every *other* defense I can find and manage, and with nothing in the way of wealth, power, or prominence to attract evildoers, ought to be a somewhat different kettle of fish.
No doubt the crackers out there have bots sniffing at every machine they can find in existence. But, unless I've completely misunderstood everything I've read on news.grc.com over the years, if such a bot suggests my little operation to its obnoxious owner, s/he will realize at first glance that nothing here is worth the trouble it would take to conquer, with or without SELinux even installed.
Suggestion : persuade the SELinux developers, if you can, to go take lessons from the ZoneAlarm people, paying heavily enough to get eager co-operation. ZA is by no means perfect -- it too can be obscure -- but on any scale of user-friendliness, it's orders of magnitude (plural!) ahead of the SELinux messages.
On 9/21/07, Beartooth Beartooth@swva.net wrote:
Suggestion : persuade the SELinux developers, if you can, to go take lessons from the ZoneAlarm people, paying heavily enough to get eager co-operation. ZA is by no means perfect -- it too can be obscure -- but on any scale of user-friendliness, it's orders of magnitude (plural!) ahead of the SELinux messages.
The SELinux devs have created apps which all but automate fixing of most SELinux problems for you. And, they have made it really easy to turn off. So I don't know more you want other than more and better rules, and possible a GUI rule builder.
Arthur Pemberton wrote:
On 9/21/07, Beartooth Beartooth@swva.net wrote:
Suggestion : persuade the SELinux developers, if you can, to go take lessons from the ZoneAlarm people, paying heavily enough to get eager co-operation. ZA is by no means perfect -- it too can be obscure -- but on any scale of user-friendliness, it's orders of magnitude (plural!) ahead of the SELinux messages.
The SELinux devs have created apps which all but automate fixing of most SELinux problems for you. And, they have made it really easy to turn off. So I don't know more you want other than more and better rules, and possible a GUI rule builder.
There is already one FYI
See http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-...
Rahul
On Fri, 21 Sep 2007 21:15:52 +0530, Rahul Sundaram wrote:
Arthur Pemberton wrote:
[....]
The SELinux devs have created apps which all but automate fixing of most SELinux problems for you. And, they have made it really easy to turn off. So I don't know more you want other than more and better rules, and possible a GUI rule builder.
There is already one FYI
See http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
And thereby hangs an old sad tale. I looked at that -- and found it utterly incomprehensible.
It seems to inhere in the human condition that those who achieve extreme command of any field lose in the process all recollection of what it's like for the uninitiated : one comes to think "How could it be any simpler?? Surely *everyone* knows XWQKZ ..."
Yes, I've been there and done that, too, though in fields unrelated to computing and the Net.
<sigh>
Maybe the new GUI will jump the gap; or the one rebuilt from it after enough feedback from this list.
Fwiw, I am now persuaded to go on tolerating SELinux for another Fedora release or two, on general principles -- but I'll also be very curious to see what if anything happens to the machine with it disabled.
Thanks again for all the discussion! If there are any finer groups of people online than those who build linux, especially Fedora, they're mighty few. Mighty few. Strength to all your arms!
On 9/22/07, Beartooth Beartooth@swva.net wrote:
On Fri, 21 Sep 2007 21:15:52 +0530, Rahul Sundaram wrote:
Arthur Pemberton wrote:
[....]
The SELinux devs have created apps which all but automate fixing of most SELinux problems for you. And, they have made it really easy to turn off. So I don't know more you want other than more and better rules, and possible a GUI rule builder.
There is already one FYI
See http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-building-a-new-selinux-policy-module/
And thereby hangs an old sad tale. I looked at that -- and found it utterly incomprehensible.
The GUI linked to is for _building_ rules. Very few people need to actually build rules.
The setroubleshoot tool generally gives the exact command one needs to fix what ever problem was found.
On Sat, 2007-09-22 at 18:00 +0000, Beartooth wrote:
And thereby hangs an old sad tale. I looked at that -- and found it utterly incomprehensible.
I think the naming of the contexts, themselves, was a really bad incomprehensible thing.
Looking in my home space, things have: user_u:object_r:user_home_t
What's a user_u, or object_r, or user_home_t?
Or a PNG file in my webserver directory: user_u:object_r:httpd_sys_content_t
They're not at all intuitive. What's a "u," "r," or "t"? I've no choice but to read a manual to work that out, I couldn't even guess at it. But a quick look through a few of the SELinux manuals doesn't explain what any of it means. And why would a PNG file be any sort of system content? That sounds more like something you'd assign to a webserver CGI file.
If we had logically sensible context names like "system," "application-executable," "application-non-executable," "users-personal," "serveable-local-only," "serveable-public," "serveable-web," "serveable-ftp," "serveable-http+ftp," etc., we'd have a fighting chance at understanding what they meant and applying the right ones.
On 9/23/07, Tim ignored_mailbox@yahoo.com.au wrote:
On Sat, 2007-09-22 at 18:00 +0000, Beartooth wrote:
And thereby hangs an old sad tale. I looked at that -- and found it utterly incomprehensible.
I think the naming of the contexts, themselves, was a really bad incomprehensible thing.
Looking in my home space, things have: user_u:object_r:user_home_t
What's a user_u, or object_r, or user_home_t?
Or a PNG file in my webserver directory: user_u:object_r:httpd_sys_content_t
They're not at all intuitive. What's a "u," "r," or "t"? I've no choice but to read a manual to work that out, I couldn't even guess at it. But a quick look through a few of the SELinux manuals doesn't explain what any of it means.
It takes less than a minute to find out with 'man chcon' : http://linux.die.net/man/1/chcon
u -> user
r -> role
t -> type
Manual modification of the security contexts aren't really expected of most people.
On Sun, 2007-09-23 at 01:11 -0500, Arthur Pemberton wrote:
It takes less than a minute to find out with 'man chcon' : http://linux.die.net/man/1/chcon
chcon wasn't referred to in the list of see also man files at the bottom of the selinux man file. More hunting would have been required to know about that command. It's just another part of the obscureness of it. At the very least, I'd expect man selinux to get me started with the things I needed to know.
u -> user
r -> role
t -> type
Manual modification of the security contexts isn't really expected of most people.
You need to know how to understand what's there when you're trying to work out why you can't serve something, etc. And they're still not particularly coherent with the example I gave.
Or a PNG file in my webserver directory: user_u:object_r:httpd_sys_content_t
That PNG is user user, object role, HTTP system content type? WTF! What the hell is an object role, and how is a PNG file a system anything?
On 9/23/07, Tim ignored_mailbox@yahoo.com.au wrote:
On Sun, 2007-09-23 at 01:11 -0500, Arthur Pemberton wrote:
It takes less than a minute to find out 'man chcon' : http://linux.die.net/man/1/chcon
chcon wasn't referred to in the list of see also man files at the bottom of the selinux man file. More hunting would have been required to know about that command. It's just another part of the obscureness of it. At the very least, I'd expect man selinux to get me started with the things I needed to know.
Fair enough. But chcon is the tool one uses to manually change the context. Considering one only needs to know what the contexts mean if they're going to manually change them, then one should have come across chcon.
The Selinux tutorial can be scanned in about 10-15 mins for those who actually need to change things - most people don't.
u -> user
r -> role
t -> type
Manual modification of the security contexts isn't really expected of most people.
You need to know how to understand what's there when you're trying to work out why you can't serve something, etc. And they're still not particularly coherent with the example I gave.
Use Case
* Tim wants to use Fedora to play around with Apache
* Tim installs Fedora + Apache with SELinux in targeted mode
* Tim is up and running with the default Fedora-Apache test page on :80
* Tim copies a file from /home/tim to /var/log/www (let's say with nautilus)
* When the file is dropped into /var/www/html, restorecond automatically changes the file's context to the minimal context required for http to access a file
* For some reason, restorecond didn't do the job, so apache can't read Tim's added file
* Tim gets HTTP errors at http://localhost/test.html indicating that the file can't be accessed
* Tim checks apache's logs for information on why the file isn't being served, and finds that Apache itself can't read the file
* So Tim checks /var/log/messages for information
* Tim had decided not to install setroubleshoot upon original installation of Fedora
* So Tim finds quite verbose avc_denied messages which he doesn't understand, and would prefer not to learn to understand
* So Tim installs setroubleshoot via his method of choice
* With setroubleshoot now running, Tim recreates the event, and setroubleshoot prints a message to /var/log/messages asking Tim to run a specific command for information on the SELinux denial, and how to fix it.
* Tim copies and pastes the command into a terminal and hits RETURN
* Tim is given a brief breakdown of why SELinux denied this particular action
* Tim is also given the exact command necessary to fix the problem, which he copies and pastes into a terminal and executes
* Tim attempts http://localhost/test.html again, and it works
( I'm not sure what circumstances would cause the file to not be auto relabeled )
Or a PNG file in my webserver directory: user_u:object_r:httpd_sys_content_t
That PNG is user user, object role, HTTP system content type? WTF! What the hell is an object role, and how is a PNG file a system anything?
A content item accessible to the httpd system
On Sun, 2007-09-23 at 02:24 -0500, Arthur Pemberton wrote:
- With setroubleshoot now running, Tim recreates the event, and setroubleshoot prints a message to /var/log/messages asking Tim to run a specific command for information on the SELinux denial, and how to fix it.
- Tim copies and pastes the command into a terminal and hits RETURN
- Tim is given a brief breakdown of why SELinux denied this particular action
- Tim is also given the exact command necessary to fix the problem, which he copies and pastes into a terminal and executes
- Tim attempts http://localhost/test.html again, and it works
The problem with the troubleshooter is that it still spews out some bizarre information that you have to take on faith. There are a lot of people who'll be presented with a command to fix the problem, which they'll do without any due consideration whether that thing should have been denied. Just the same as Windows users who just allow everything the firewall asks them about.
Fair enough if you're trying to webserve a file, it denies it, and you follow the information. You know you want to allow that, it's something that you're in the middle of doing. But the other warnings it throws up about the things happening in the background sure leave a lot to be desired. You don't know if you're pursuing a bug in SELinux, or what SELinux is warning you about. It's full of jargon.
on 9/23/2007 7:06 AM, Tim wrote:
On Sun, 2007-09-23 at 02:24 -0500, Arthur Pemberton wrote:
- With setroubleshoot now running, Tim recreates the event, and setroubleshoot prints a message to /var/log/messages asking Tim to run a specific command for information on the SELinux denial, and how to fix it.
- Tim copies and pastes the command into a terminal and hits RETURN
- Tim is given a brief breakdown of why SELinux denied this particular action
- Tim is also given the exact command necessary to fix the problem, which he copies and pastes into a terminal and executes
- Tim attempts http://localhost/test.html again, and it works
The problem with the troubleshooter is that it still spews out some bizarre information that you have to take on faith. There are a lot of people who'll be presented with a command to fix the problem, which they'll do without any due consideration whether that thing should have been denied. Just the same as Windows users who just allow everything the firewall asks them about.
Fair enough if you're trying to webserve a file, it denies it, and you follow the information. You know you want to allow that, it's something that you're in the middle of doing. But the other warnings it throws up about the things happening in the background sure leave a lot to be desired. You don't know if you're pursuing a bug in SELinux, or what SELinux is warning you about. It's full of jargon.
Or if the .png file that SELinux is concerned about here is really an executable, 'bad', file that is going to compromise your system. ;-)
On 9/23/07, Tim ignored_mailbox@yahoo.com.au wrote:
That PNG is user user, object role, HTTP system content type? WTF! What the hell is an object role, and how is a PNG file a system anything?
1) check man selinux
2) get pointed to man httpd_selinux
3) get information
httpd_sys_content_t - Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon
Tim:
That PNG is user user, object role, HTTP system content type? WTF! What the hell is an object role, and how is a PNG file a system anything?
Arthur Pemberton:
- check man selinux
- get pointed to man httpd_selinux
Which I have looked at. I have a background in electronics engineering, and am familiar with reading highly technical data, but this documentation takes the cake.
- get information
httpd_sys_content_t - Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon
I still say that calling a PNG data file some *SYSTEM* content to do with HTTPD is a bizarre description for it. The SELinux contexts are just plain weird. A program or some library for the web server is what I'd call a *system* file for the HTTP daemon.
On Sun, 23 Sep 2007 02:26:47 -0500, Arthur Pemberton wrote:
On 9/23/07, Tim ignored_mailbox@yahoo.com.au wrote:
That PNG is user user, object role, HTTP system content type? WTF! What the hell is an object role, and how is a PNG file a system anything?
- check man selinux
God give me strength.
Type "man:selinux" into Konqueror (in order to get it into a format which is even legible; man anything on a terminal either shatters, or has to be in a font so small that not even a magnifying glass helps -- typical ...)
You get a choice of plain "man selinux" or fifteen (count 'em -- fifteen) other man pages. None of them contains "httpd," -- in case I know a fraction of what Tim does, and can guess I want that. So I go ahead and try to actually slog through the plain command's page.
The first thing I see is a link to the selinux page at NSA. I click on it -- hoping to tell at a glance whether to read it first, or leave it for if&when. I get no pointer to anything, but the fanciest "not found" message in known space.
Being a hardened sinner, I waste three minutes studying that, and notice that the link ends a sentence. Sure enough, clicking is picking up the period -- and the NSA page (the ultimate electronic bureaucrat?) doesn't think to try ignoring the period.
So I c&p the link into another tab, delete the period manually, and it links. GoddlemityDAM!
Turns out selinux is a whole nuther branch of computer science. (Makes sense, actually : NoSuchAgency if anybody oughtta have such a thing. I'm not NSA.)
So I leave that tab, take a deep breath, and resume trying to read the man page for plain selinux.
It proves amazingly well written for gummint work. (There is a typo : for 'context' singular in the section on File Labeling read 'contexts' plural.) Please pass my extreme praise to Mr. Walsh; afaik, only the Copyright Office in all of gdgummint writes as well.
It also says in so many words : "The best way to relabel the file system is to create the flag file /.autorelabel and *reboot*" [My emphasis; no wonder that instruction is in the error messages in the trouble shooter.]
- get pointed to man httpd_selinux
Well, you can call it that; the question is which is to be master, as Lewis Carroll says so well. What I see (at the very bottom) is a completely uncommented list of fifteen links, one of which is "httpd_selinux(8)" (That means they're not the same fifteen that Konqueror found, btw: I triple-checked, and it does not offer me anything containing "httpd" among its fifteen. Konqueror won't let me c&p its fifteen.)
I suppose someone whose focussed attention was on apache would indeed jump on that first. Since I don't run any server I can help, nor even have a web page, I'll leave it there.
- get information
httpd_sys_content_t - Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon
On Sun, 23 Sep 2007, Tim wrote:
On Sun, 2007-09-23 at 01:11 -0500, Arthur Pemberton wrote:
It takes less than a minute to find out 'man chcon' : http://linux.die.net/man/1/chcon
chcon wasn't referred to in the list of see also man files at the bottom of the selinux man file. More hunting would have been required to know about that command. It's just another part of the obscureness of it. At the very least, I'd expect man selinux to get me started with the things I needed to know.
To expect that, Tim, would be like expecting m$ to expect you to know what ERROR X88865943489L4354 is :P
On Sunday 23 September 2007, Arthur Pemberton wrote:
On 9/23/07, Tim ignored_mailbox@yahoo.com.au wrote:
On Sat, 2007-09-22 at 18:00 +0000, Beartooth wrote:
And thereby hangs an old sad tale. I looked at that -- and found it utterly incomprehensible.
I think the naming of the contexts, themselves, were a really bad incomprehensible thing.
Looking in my home space, things have: user_u:object_r:user_home_t
What's a user_u, or object_r, or user_home_t?
Or a PNG file in my webserver directory: user_u:object_r:httpd_sys_content_t
They're not at all intuitive. What's a "u," "r," or "t"? I've no choice but to read a manual to work that out, I couldn't even guess at it. But a quick look through a few of the SELinux manuals doesn't explain what any of it means.
It takes less than a minute to find out 'man chcon' : http://linux.die.net/man/1/chcon
True, but how long does it take to find out that the man page you should be reading is a name from some dialect of Swahili called chcon?
u -> user
r -> role
t -> type
Manual modification of the security contexts isn't really expected of most people.
BS. If we, the installers, don't know what a file does, maybe. But if we install something to do a job, such as heyu, then we are generally smart enough to adjust the perms so it can work as intended. We just need to know how and what to do rather than playing the 10,000 monkeys writing Hamlet game, only to find we got the Barber of Seville. Aka now it's really fscked up.
On Sun, 23 Sep 2007 01:11:49 -0500, Arthur Pemberton wrote:
It takes less than a minute to find out 'man chcon' : http://linux.die.net/man/1/chcon
u -> user
r -> role
t -> type
Manual modification of the security contexts isn't really expected of most people.
With all due respect (which, yes, I know to be vast), the passage above is almost a parade example of the problem. Only the last sentence conveys any meaning whatever to me.
Item : I have reset SELinux on the testbed machine to permissive, just to be able to c&p error messages (another item). After all my years of running linux, I can neither guess where chcon came into this, nor make head or tail of what I see when some guru tells me (no matter how politely) to Read The Fine Manual -- not even when I already have.
The manual is written for the pros; it enables someone who has already mastered the topic of any page to check on any disremembered details. But its very succinctness (which the presumption of mastery affords) is as a cast iron wall to the uninitiated. Every line assumes not just mastery of its own topic, but of a thousand *other* man pages.
Anyone uninitiated, confronted with almost any man page, either feels like the protagonist of Kafka's Trial, or doesn't see the problem.
I doubt I can make sense of 1/79 of the man pages I read -- and even those are only the ones for things I've managed to do over and over, like scp.
Item: I remembered in the night where I've been seeing admonitions to reboot so often -- in the most frequent error message (most frequent here, anyway) from the troubleshooter. It tells me to touch something *and* *reboot*.
More on this subthread in another post.
On Sun, Sep 23, 2007 at 16:11:53 +0000, Beartooth Beartooth@swva.net wrote:
On Sun, 23 Sep 2007 01:11:49 -0500, Arthur Pemberton wrote:
It takes less than a minute to find out 'man chcon' :
Manual modification of the security contexts isn't really expected of most people.
With all due respect (which, yes, I know to be vast), the passage above is almost a parade example of the problem. Only the last sentence conveys any meaning whatever to me.
You aren't supposed to be using chcon to change contexts anyway. If the context is messed up then you want something that is going to relabel the files properly (for chcon you need to know what the correct label is) and use something like restorecon. If you do want to make a manual change to something different than what is expected by default, then you normally want to use semanage to record what the label is supposed to be so that future relabels don't change it back to the old context and then you can use restorecon to set it to make sure that things will work as expected.
It is also useful to know about the -Z option to ls which displays contexts attached to files.
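The following shell script is an added example, not code from the list thread or from the SELinux project. It walks through the two things discussed above: Arthur's use case (an httpd denial logged to /var/log/messages that has to be read and fixed) and Bruno's point that the fix should be restorecon, or semanage followed by restorecon, rather than a one-off chcon. The AVC log line, file names and paths are constructed samples; the function names (ctx_parse, avc_explain, relabel_plan) are this example's own, and the rule that /var/www already maps to httpd_sys_content_t in the default targeted policy is an assumption taken from the use case in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read an AVC denial, split the
# user:role:type contexts it names, and emit the persistent relabel steps.
# The log line below is a constructed sample in the 2007-era
# /var/log/messages format; field names follow the real avc: denied format.
SAMPLE_AVC='Sep 23 01:30:12 localhost kernel: audit(1190529012.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="test.html" dev=dm-0 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Split "user:role:type[:range]" into four space-separated fields.
# A missing MLS range is printed as "-" so callers always get 4 fields;
# a range such as s0:c0.c1023 keeps its own colons.
ctx_parse() {
    IFS=: read -r ctx_u ctx_r ctx_t ctx_range <<EOF
$1
EOF
    printf '%s %s %s %s\n' "$ctx_u" "$ctx_r" "$ctx_t" "${ctx_range:--}"
}

# The type ("_t") field is what the targeted policy actually decides on.
ctx_type() {
    ctx_parse "$1" | awk '{ print $3 }'
}

# Pull one key=value token (scontext=, tcontext=, comm=, ...) out of a line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Pull the denied permission set out of "denied  { read } for ...".
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Turn a raw AVC line into one plain sentence, e.g.
#   httpd (httpd_t) denied read on file test.html labelled user_home_t
avc_explain() {
    line=$1
    comm=$(avc_field "$line" comm | tr -d '"')
    name=$(avc_field "$line" name | tr -d '"')
    stype=$(ctx_type "$(avc_field "$line" scontext)")
    ttype=$(ctx_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf '%s (%s) denied %s on %s %s labelled %s\n' \
        "$comm" "$stype" "$perms" "$tclass" "$name" "$ttype"
}

# Print the fix as commands to review and run as root, not a chcon.
# Assumption: /var/www is already mapped to httpd_sys_content_t in the
# default policy, so restorecon alone restores the expected label there.
# Anywhere else, record the wanted type with semanage first so that a
# later relabel does not silently put the old context back.
relabel_plan() {
    path=$1
    type=$2
    case $path in
        /var/www/*)
            if [ "$type" = httpd_sys_content_t ]; then
                printf 'restorecon -Rv %s\n' "$path"
                return
            fi ;;
    esac
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$path"
    printf 'restorecon -Rv %s\n' "$path"
}

# Walk through the use case on the constructed sample.
avc_explain "$SAMPLE_AVC"
relabel_plan /var/www/html httpd_sys_content_t
```

On a live system, the same functions can be pointed at real input with `grep 'avc:  denied' /var/log/messages | while read -r l; do avc_explain "$l"; done`, and `ls -Z` on the file named in the denial will show the tcontext label that avc_explain reports.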
On Sun, Sep 23, 2007 at 16:11:53 +0000, Beartooth Beartooth@swva.net wrote:
Item: I remembered in the night where I've been seeing admonitions to reboot so often -- in the most frequent error message (most frequent here, anyway) from the troubleshooter. It tells me to touch something *and* *reboot*.
The reason this is recommended is that it is simpler than trying to figure out if any processes are running under an incorrect context (after a change) and restart those that are.
On Sunday 23 September 2007, Tim wrote:
On Sat, 2007-09-22 at 18:00 +0000, Beartooth wrote:
And thereby hangs an old sad tale. I looked at that -- and found it utterly incomprehensible.
I think the naming of the contexts, themselves, were a really bad incomprehensible thing.
Looking in my home space, things have: user_u:object_r:user_home_t
What's a user_u, or object_r, or user_home_t?
Or a PNG file in my webserver directory: user_u:object_r:httpd_sys_content_t
They're not at all intuitive. What's a "u," "r," or "t"? I've no choice but to read a manual to work that out, I couldn't even guess at it. But a quick look through a few of the SELinux manuals doesn't explain what any of it means. And why would a PNG file be any sort of system content? That sounds more like something you'd assign to a webserver CGI file.
If we had logically sensible context names like "system," "application-executable," "application-non-executable," "users-personal," "serveable-local-only," "serveable-public," "serveable-web," "serveable-ftp," "serveable-http+ftp," etc., we'd have a fighting chance at understanding what they meant and applying the right ones.
Hot diggity dawg! A voice of sanity in this house of Babel. Paint this gentleman's phone number on the wall or something.
Arthur Pemberton wrote:
On 9/21/07, Beartooth Beartooth@swva.net wrote:
Suggestion : persuade the SELinux developers, if you can, to go take lessons from the ZoneAlarm people, paying heavily enough to get eager co-operation. ZA is by no means perfect -- it too can be obscure -- but on any scale of user-friendliness, it's orders of magnitude (plural!) ahead of the SELinux messages.
The SELinux devs have created apps which all but automate fixing of most SELinux problems for you. And, they have made it really easy to turn off. So I don't know what more you want other than more and better rules, and possibly a GUI rule builder.
Since you profess ignorance, though many times it has been stated at least by me, I'll educate you:
The thing I want is for it not to be present on my machine.[*]
If it is there, it is taking up space, eating cycles, and introducing defects.
[*] This means, NOT PRESENT.
Mike
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Since you profess ignorance, though many times it has been stated at least by me, I'll educate you:
The thing I want is for it not to be present on my machine.[*]
If it is there, it is taking up space, eating cycles, and introducing defects.
[*] This means, NOT PRESENT.
Compile your own kernel
Arthur Pemberton wrote:
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Since you profess ignorance, though many times it has been stated at least by me, I'll educate you:
The thing I want is for it not to be present on my machine.[*]
If it is there, it is taking up space, eating cycles, and introducing defects.
[*] This means, NOT PRESENT.
Compile your own kernel
I'm considering that, but I think it would be easier to use a distro which didn't have it in there in the first place.
I'd also have to build apps.
Mike
On Fri, 2007-09-21 at 13:10 -0500, Mike McCarty wrote:
The thing I want is for it not to be present on my machine.[*]
And I want my system to have it, since I see the value in it and my log files confirm it. Which one of us gets what we want? Or are you suggesting that Fedora ship two completely different spins with incompatible packages in each?
If it is there, it is taking up space, eating cycles, and introducing defects.
If this is your philosophy generally, then surely you must compile your kernel and base libs by hand with each new release, because there's a ton of stuff that ships in there that you don't need. It's all taking up space, eating cycles, and introducing defects. Why don't you then simply compile SELinux out of your system?
On Fri, 2007-21-09 at 11:32 -0700, Alan M. Evans wrote:
On Fri, 2007-09-21 at 13:10 -0500, Mike McCarty wrote:
The thing I want is for it not to be present on my machine.[*]
If this is your philosophy generally, then surely you must compile your kernel and base libs by hand with each new release, because there's a ton of stuff that ships in there that you don't need. It's all taking up space, eating cycles, and introducing defects. Why don't you then simply compile SELinux out of your system?
I haven't been following this threat closely, so excuse me if I repeat what someone else has already said.
However, why don't those who prefer not to have SELinux use Revisor to make their own custom install disk that excludes it?
See: http://revisor.fedoraunity.org/
On Fri, 2007-09-21 at 11:40 -0700, Bruce Byfield wrote:
However, why don't those who prefer not to have SELinux use Revisor to make their own custom install disk that excludes it?
The problem is that SELinux code invades many core components. It's not a matter of simply picking packages and leaving the SELinux ones out. It's more a matter of recompiling those components (including the kernel) without SELinux parts.
However, I've yet to see any real evidence (Mr. McCarty's repeated claim notwithstanding) that those parts are actually taking up cycles if SELinux is disabled.
Bruce Byfield wrote:
I haven't been following this threat closely, so excuse me if I repeat
I suppose you meant "thread" and not "threat" :-)
what someone else has already said.
However, why don't those who prefer not to have SELinux use Revisor to make their own custom install disk that excludes it?
This is intriguing if it would work. I doubt that is possible, however. SELinux is not "a thing". It is a way of writing apps, and is partially implemented in the kernel, I believe. It's not possible simply not to install it. It's built into the kernel and the apps. One could not install the management tools, but not SELinux itself, in its current implementation.
Whether a loadable module and different load libraries which implemented empty stubs would be possible is for others with more expertise to answer.
Mike
On Fri, Sep 21, 2007 at 11:40:27 -0700, Bruce Byfield bbyfield@axion.net wrote:
However, why don't those who prefer not to have SELinux use Revisor to make their own custom install disk that excludes it?
Because it is part of the kernel and some user space code calls it. So you need to change existing packages, not just skip installing some. This requires doing something at a lower level than Revisor.
On 9/22/07, Bruno Wolff III bruno@wolff.to wrote:
On Fri, Sep 21, 2007 at 11:40:27 -0700, Bruce Byfield bbyfield@axion.net wrote:
However, why don't those who prefer not to have SELinux use Revisor to make their own custom install disk that excludes it?
Because it is part of the kernel and some user space code calls it. So you need to change existing packages, not just skip installing some. This requires doing something at a lower level than Revisor.
So you would have it removed so that those of us who want it have to do all that you have mentioned? Or we just leave it in, and those who don't want to use it disable it?
On Sun, Sep 23, 2007 at 00:26:23 -0500, Arthur Pemberton pemboa@gmail.com wrote:
On 9/22/07, Bruno Wolff III bruno@wolff.to wrote:
On Fri, Sep 21, 2007 at 11:40:27 -0700, Bruce Byfield bbyfield@axion.net wrote:
However, why don't those who prefer not to have SELinux use Revisor to make their own custom install disk that excludes it?
Because it is part of the kernel and some user space code calls it. So you need to change existing packages, not just skip installing some. This requires doing something at a lower level than Revisor.
So you would have it removed so that those of us who want it have to do all that you have mentioned? Or we just leave it in, and those who don't want to use it disable it?
You misunderstood my response. I was explaining that the suggestion to use revisor wasn't going to work (without a lot of other work); not that I was interested in doing that.
Alan M. Evans wrote:
On Fri, 2007-09-21 at 13:10 -0500, Mike McCarty wrote:
The thing I want is for it not to be present on my machine.[*]
And I want my system to have it, since I see the value in it and my log
Ok. Fine. I have no desire to control what gets loaded onto your machine.
files confirm it. Which one of us gets what we want? Or are you suggesting that Fedora ship two completely different spins with incompatible packages in each?
Umm, you are stating requirements in terms of design. I don't care how RH manages it, so long as those who don't want SELinux on their machines do not have to install and run pieces of it regardless.
If it can be managed by having a loadable module for the kernel, and load libraries which have empty stubs, then that probably would be adequate. I'm not an expert at Linux packaging, so I don't know what would be a reasonable approach to providing a version of Linux which could run with optionally installed SELinux, or without it installed at all. I'm sure others here know how feasible that is.
If it isn't feasible, then I suggest that this is a good opportunity for enhancing Linux so that such options ARE feasible.
If it is there, it is taking up space, eating cycles, and introducing defects.
If this is your philosophy generally, then surely you must compile your kernel and base libs by hand with each new release, because there's a ton of stuff that ships in there that you don't need. It's all taking up space, eating cycles, and introducing defects. Why don't you then simply compile SELinux out of your system?
I have considered that, and I have a version of Linux From Scratch on my machine, which I am actively investigating. I'd prefer not to do my own spin, so I'm also investigating SLAX and other distros. I can't go on with FC2 forever, I trow. If I can find a distro which does not have stuff I really object to in it, then I'll use that. Failing that, then I'll do exactly what you propose. But not for "each release". No way. Much less often than that.
I had considered Gentoo for precisely that reason. It is source release. But, they've contaminated it, I believe. However, it might be a good jumping off point, since it is already set up to be easy to build. If replacing the key sources with those from upstream is easy, then it might be a good way to get started. Download the latest version, replace the key sources with those from which they were derived, and then build. Perhaps some simple scripts or programs could be written to make the SELinux parts optionally compilable, and then Gentoo could easily be shipped in two versions. Perhaps I should contact the Gentoo dev. group.
Mike
On Fri, 2007-09-21 at 13:10 -0500, Mike McCarty wrote:
The thing I want is for it not to be present on my machine.[*]
If it is there, it is taking up space, eating cycles, and introducing defects.
[*] This means, NOT PRESENT.
Mike, that reminds me of the Monty Python "Dead Parrot" routine. I want it DEAD! Gone to the Hereafter! To join the Choir Infinite! Deceased! Not among the Living! To be Departed! etc...
<chuckles> Ric
Ric Moore wrote:
On Fri, 2007-09-21 at 13:10 -0500, Mike McCarty wrote:
The thing I want is for it not to be present on my machine.[*]
If it is there, it is taking up space, eating cycles, and introducing defects.
[*] This means, NOT PRESENT.
Mike, that reminds me of the Monty Python "Dead Parrot" routine. I want it DEAD! Gone to the Hereafter! To join the Choir Infinite! Deceased! Not among the Living! To be Departed! etc...
<chuckles> Ric
LOL!
I believe he's GOT it!
Mike
On Fri, 2007-09-21 at 15:18 +0000, Beartooth wrote:
Suggestion : persuade the SELinux developers, if you can, to go take lessons from the ZoneAlarm people, paying heavily enough to get eager co-operation. ZA is by no means perfect -- it too can be obscure -- but on any scale of user-friendliness, it's orders of magnitude (plural!) ahead of the SELinux messages.
Oh please, no! That software is crap, both the design and operation of it. It does seriously bugger up the normal operation of many computers. It interferes with things in a way that they were never designed for. It has an interface that can lock you out of a system asking you to okay something, when the interface is not currently accessible, and there's no way to get to the interface.
SELinux, on the other hand, is a system that a developer can work with if they bother to take their thumb out of their arse.
On Sat, 22 Sep 2007 14:14:17 +0930, Tim wrote:
On Fri, 2007-09-21 at 15:18 +0000, Beartooth wrote:
Suggestion : persuade the SELinux developers, if you can, to go take lessons from the ZoneAlarm people, paying heavily enough to get eager co-operation. ZA is by no means perfect -- it too can be obscure -- but on any scale of user-friendliness, it's orders of magnitude (plural!) ahead of the SELinux messages.
Oh please, no! That software is crap, both the design and operation of it. It does seriously bugger up the normal operation of many computers. It interferes with things in a way that they were never designed for. It has an interface that can lock you out of a system asking you to okay something, when the interface is not currently accessible, and there's no way to get to the interface.
SELinux, on the other hand, is a system that a developer can work with if they bother to take their thumb out of their arse.
I can't speak to that, nor ever have been able to, even in the bad old days of W98, and wasn't trying to.
My point relates entirely to ZA's user interface : when it notifies me of something, I can usually understand what. The opposite is true of SELinux.
As in any serious writing, it's a question of audience. SELinux being new, the developers seem to write almost entirely for their own kind; and being great Alpha Plus Technoids, have long since lost any recollection of what it's like not to have any expertise on their subject.
The same thing happens to all of us; the solution is to go back and learn, from real newbies, what assumptions to base your mental picture of your audience (or your outer audience) on. I'm sure some of them will do that, one of these days.
To repeat, I am emphatically *not* urging that the *code* in SELinux take lessons from ZA, but only that the technical writers who put the end user feedback into plain English do so.
On Thu, 2007-09-20 at 21:31 +0530, Rahul Sundaram wrote:
It shouldn't cause any trouble if you set to permissive mode.
In the past "permissive" mode still got in the way of some things, and wasn't just the same as disabled but logging what would have happened. Has that changed?
Tim wrote:
On Thu, 2007-09-20 at 21:31 +0530, Rahul Sundaram wrote:
It shouldn't cause any trouble if you set to permissive mode.
In the past "permissive" mode still got in the way of some things, and wasn't just the same as disabled but logging what would have happened. Has that changed?
It is not the same as disabled. Permissive shouldn't block anything however but only log what the denials are. IIRC I have seen some exceptions to this but if any end users are running into such issues, more details would be good to know.
Rahul
On Fri, Sep 21, 2007 at 10:13:39 +0530, Rahul Sundaram sundaram@fedoraproject.org wrote:
Tim wrote:
On Thu, 2007-09-20 at 21:31 +0530, Rahul Sundaram wrote:
It shouldn't cause any trouble if you set to permissive mode.
In the past "permissive" mode still got in the way of some things, and wasn't just the same as disabled but logging what would have happened. Has that changed?
It is not the same as disabled. Permissive shouldn't block anything however but only log what the denials are. IIRC I have seen some exceptions to this but if any end users are running into such issues, more details would be good to know.
Notably if you disable SELinux, files will no longer be properly labelled when they are created. So that if you later try to turn it back on, you will need to do a complete relabel.
On 9/21/07, Bruno Wolff III bruno@wolff.to wrote:
Notably, if you disable SELinux, files will no longer be properly labelled when they are created, so if you later try to turn it back on, you will need to do a complete relabel.
Even then, doesn't restorecond automatically pick up the mislabeling eventually?
Arthur Pemberton wrote:
On 9/21/07, Bruno Wolff III bruno@wolff.to wrote:
Notably, if you disable SELinux, files will no longer be properly labelled when they are created, so if you later try to turn it back on, you will need to do a complete relabel.
Even then, doesn't restorecond automatically pick up the mislabeling eventually?
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
On Fri, 2007-09-21 at 05:44 -0600, Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
Well then, you're reading it wrong. That's not what SELinux does.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
It's not like root exploits don't happen in Unixland. The same guy might write a trojan that attempts to fool the web server into providing access that that server should never need to have access to. Or he might exploit a bug in Firefox for the same purpose. This is what SELinux is for.
Not dealing with potential security risks because, at present, Linux seems like a small target sounds rather like burying our heads in the sand.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Aren't you glad you have that prerogative? For your sake, I hope that the authors of all the programs you do use perform thorough security audits.
Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Well put. It is a solution to a non-problem. It creates more admin worries than it solves.
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
Thoughtful "Hmm".
Mike
Around 03:56pm on Friday, September 21, 2007 (UK time), Mike McCarty scrawled:
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
Well there are some in this thread that appear to support it. I am "SELinux agnostic" and currently disable it. But discussions that took place on an earlier thread have made me decide to leave it enabled, possibly in permissive mode, when I install the next Fedora release.
And there are a number of other distros that don't include it, so why not leave the choice of using a distro with it or without it in place - after all, choice is one of the good things about GNU/Linux, isn't it?
Steve
on 9/21/2007 10:56 AM, Mike McCarty wrote:
Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Well put. It is a solution to a non-problem. It creates more admin worries than it solves.
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
Thoughtful "Hmm".
Since you are reading a 'help' list for people who have problems, or think that they have, why would you expect users to be writing that 'everything is beautiful'?
When was the last time that you told the kid behind the counter 'that was a really great hamburger that you sold me the last time'? ;-)
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Well put. It is a solution to a non-problem. It creates more admin worries than it solves.
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
Thoughtful "Hmm".
That's a really terrible argument. Since when do people clamor for more security??
On Friday 21 September 2007, Mike McCarty wrote:
Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Well put. It is a solution to a non-problem. It creates more admin worries than it solves.
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
+1
Thoughtful "Hmm".
Mike
On Fri, 2007-09-21 at 12:54 -0400, Gene Heskett wrote:
On Friday 21 September 2007, Mike McCarty wrote:
Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Well put. It is a solution to a non-problem. It creates more admin worries than it solves.
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
+1
---- this is one of the reasons it won't ever happen...
http://www.infoworld.com/article/07/06/15/red-hat-linux-gets-top-government-...
feel free to keep posting your uninformed opinions though and I note that this is clearly one circle where your opinions don't count.
Craig White wrote:
this is one of the reasons it won't ever happen...
http://www.infoworld.com/article/07/06/15/red-hat-linux-gets-top-government-...
feel free to keep posting your uninformed opinions though and I note that this is clearly one circle where your opinions don't count.
Uninformed? Who is more informed about what I like and dislike than me? I don't know what you mean by "circle", but if you mean that RH isn't listening, then I agree.
Also, if by "uninformed" you mean "in regards to security software in general", then you are mistaken. I have designed some security software for telephony equipment.
BTW, it isn't surprising that the government would approve of someone who follows its recommendations. Security is not my top priority for my machine. BTW, would you follow ALL the govt recommendations for securing a machine? I trow not.
Mike
On Fri, 2007-09-21 at 13:04 -0500, Mike McCarty wrote:
Craig White wrote:
this is one of the reasons it won't ever happen...
http://www.infoworld.com/article/07/06/15/red-hat-linux-gets-top-government-...
feel free to keep posting your uninformed opinions though and I note that this is clearly one circle where your opinions don't count.
Uninformed? Who is more informed about what I like and dislike than me? I don't know what you mean by "circle", but if you mean that RH isn't listening, then I agree.
Also, if by "uninformed" you mean "in regards to security software in general", then you are mistaken. I have designed some security software for telephony equipment.
BTW, it isn't surprising that the government would approve of someone who follows its recommendations. Security is not my top priority for my machine. BTW, would you follow ALL the govt recommendations for securing a machine? I trow not.
---- Obviously Red Hat's sales potential for Mike McCarty driven sales is a low number but Red Hat's sales potential for government installations is likely to be a bit higher.
Red Hat is driven by potential sales. I as a user, like you can simply 'disable' SELinux...discussion done.
Informed means that you have systems running both with and without SELinux so you have a comparative, subjective comparison to provide something other than the anecdotal whining of those who do not fully understand the tool sets available to maintain a system employing SELinux as a strategy.
Thus, yes, I would consider you highly uninformed regarding the usage/impact/worthiness of SELinux as a security layer.
As for any software design that you may be familiar with in terms of telephony equipment, technology is changing rapidly and what worked 5 years ago probably isn't very worthy today.
Craig White wrote:
Obviously Red Hat's sales potential for Mike McCarty driven sales is a low number but Red Hat's sales potential for government installations is likely to be a bit higher.
:-)
We sure agree there.
Red Hat is driven by potential sales. I as a user, like you can simply 'disable' SELinux...discussion done.
Ah, the old "commercial enterprise ploy".
Mike
Craig White wrote:
On Fri, 2007-09-21 at 12:54 -0400, Gene Heskett wrote:
On Friday 21 September 2007, Mike McCarty wrote:
Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Well put. It is a solution to a non-problem. It creates more admin worries than it solves.
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
+1
this is one of the reasons it won't ever happen...
http://www.infoworld.com/article/07/06/15/red-hat-linux-gets-top-government-...
feel free to keep posting your uninformed opinions though and I note that this is clearly one circle where your opinions don't count.
Well I have as much right to my fully developed position on this list as you have your "gut feeling". I say it is not at all likely that a virus will be written for Linux. What do you say to that? You think it is possible so it needs to be fixed.
We have a half-wit President in Bush and I can't get him out of office. I don't lose sleep or write 50 messages. I know what I can not change.
On Fri, 2007-09-21 at 12:35 -0600, Karl Larsen wrote:
Craig White wrote:
On Fri, 2007-09-21 at 12:54 -0400, Gene Heskett wrote:
On Friday 21 September 2007, Mike McCarty wrote:
Karl Larsen wrote:
This whole thing reads to me that SELinux is the Linux version of Norton or Avguard for Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Well put. It is a solution to a non-problem. It creates more admin worries than it solves.
To put it another way: Where is the vast audience of Linux users who have been clamoring for improvements to security like those provided by SELinux?
There is an audience of Linux users who are requesting that it be removed.
+1
this is one of the reasons it won't ever happen...
http://www.infoworld.com/article/07/06/15/red-hat-linux-gets-top-government-...
feel free to keep posting your uninformed opinions though and I note that this is clearly one circle where your opinions don't count.
Well I have as much right to my fully developed position on this list as you have your "gut feeling". I say it is not at all likely that a virus will be written for Linux. What do you say to that? You think it is possible so it needs to be fixed.
---- my gut feeling vs your fully developed position? Do you actually expect a response to that?
Of course there will be various virii/trojan horses/exploits of all types that will affect linux implementations in the future. They exist now. ----
We have a half-wit President in Bush and I can't get him out of office. I don't lose sleep or write 50 messages. I know what I can not change.
---- I am no fan of GWB and could go on and on about this subject but this isn't the proper forum.
Karl Larsen wrote:
Craig White wrote:
this is one of the reasons it won't ever happen...
http://www.infoworld.com/article/07/06/15/red-hat-linux-gets-top-government-...
feel free to keep posting your uninformed opinions though and I note that this is clearly one circle where your opinions don't count.
Well I have as much right to my fully developed position on this list as you have your "gut feeling". I say it is not at all likely that a virus will be written for Linux. What do you say to that? You think it is possible so it needs to be fixed.
At least one "virus" has targeted UNIX-like systems in the past. I see no reason not to believe that will happen in the future. Also, there are demonstrably malicious websites which have PNGs intended to break common browsers, even some used with Linux, and exploit them.
Where I disagree with the supporters of SELinux is in the pervasive approach it uses to fixing compromise on my desktop machine. My preferred recovery is reload from backup. That has to be done regardless of whether SELinux was active at the time the compromise took place, and I see any potential added benefit from it as being FAR less than the actual defects that having the code on my machine introduces.
We have a half-wit President in Bush and I can't get him out of office. I don't lose sleep or write 50 messages. I know what I can not change.
Even if it were true, I don't see what it has to do with this discussion, and I'd prefer to keep individual politics out of this exchange.
Mike
On Fri, 2007-09-21 at 15:16 -0500, Mike McCarty wrote:
Where I disagree with the supporters of SELinux is in the pervasive approach it uses to fixing compromise on my desktop machine. My preferred recovery is reload from backup. That has to be done regardless of whether SELinux was active at the time the compromise took place, and I see any potential added benefit from it as being FAR less than the actual defects that having the code on my machine introduces.
And why not throw out the code that prevents others from reading files without read permissions for the other users. Surely that adds to the bloat, too... While you're at it, let's throw out the code that makes me enter a password before trying to do something that needs root privileges. That's bloat too.
SELinux may *prevent* a machine from getting compromised, in the first place. You keep on ignoring that. Preventing a compromise is better than picking up the pieces beforehand.
SELinux, firewalls, and other protective measures are there to help protect you against the exploits that you didn't know about at the time.
It, like anything else, may have a fault at some time, but that will get fixed. Just because *at one time* SELinux may have allowed something it shouldn't isn't a reason to denigrate it forever more. That's just plain stupid. Do you never use Apache, Firefox, Mozilla, Thunderbird, or any other software, ever again, because someone found a fault with them two years ago that has since been rectified?
There is an audience of Linux users who are requesting that it be removed.
Is there? Other than yourself and a few others in this thread I don't see any evidence to support this.
Let's start a vote:
Me : +1 for SELinux
Just because you are making a lot of noise (and my guess is most happy selinux users aren't even reading this thread) doesn't make your vote count any more or less than 1
Chris
At 03:27 PM Friday, 9/21/2007, you wrote -=>
There is an audience of Linux users who are requesting that it be removed.
Is there? Other than yourself and a few others in this thread I don't see any evidence to support this.
Let's start a vote:
Me : +1 for SELinux
Me: -1
Ed Kasky
on 9/21/2007 6:27 PM, Chris Jones wrote:
There is an audience of Linux users who are requesting that it be removed.
Is there? Other than yourself and a few others in this thread I don't see any evidence to support this.
Let's start a vote:
Me : +1 for SELinux
Just because you are making a lot of noise (and my guess is most happy selinux users aren't even reading this thread) doesn't make your vote count any more or less than 1
+1 for SELinux
On Fri, 21 Sep 2007, Chris Jones wrote:
There is an audience of Linux users who are requesting that it be removed.
Is there? Other than yourself and a few others in this thread I don't see any
It's all about choice. I have never agreed with RH forcing the use of grub, therefore no Fedora machine I use has grub, because they still allow me the choice to remove it and install the source tarball of lilo. It would be nicer if RH gave me the choice at install time of the OS, but they don't; but they still don't prevent me from removing it without fear of breaking my entire system. No reason they cannot do that for anything else, including selinux.
evidence to support this.
Let's start a vote:
Me : +1 for SELinux
riiiiight, how many people do RH claim use Fedora? million+? How many are on this list? SFA, that's how many, and most of the vocal users of this list are all Fedora fanbois (or suckups if you prefer) because people like Mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use Windows and whatever else.
(and my guess is most happy selinux users aren't even reading this thread)
Likewise for most of the users that don't want it as well.
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
On Sat, 2007-09-22 at 00:49 +0100, Alan Cox wrote:
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
---- nah - but when someone like Mike sends 33 messages on one topic in a day, it just looks that way.
On Fri, 21 Sep 2007, Craig White wrote:
On Sat, 2007-09-22 at 00:49 +0100, Alan Cox wrote:
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
nah - but when someone like Mike sends 33 messages on one topic in a day, it just looks that way.
damn, you mean I got a few more to catch up to him? sheesh, but it's Saturday morning and because I don't run selinux I now can go to the coast for the weekend and not have to worry about any alarms of failures or screaming customers saying my $XFSFGDSFDS won't work :D
Also, in case you didn't know, sometimes the only way to get changes is to make noises. I know this list has had many things changed, but usually because someone at RH wants to do it in the first place.
On Sat, 2007-09-22 at 10:18 +1000, Res wrote:
On Fri, 21 Sep 2007, Craig White wrote:
On Sat, 2007-09-22 at 00:49 +0100, Alan Cox wrote:
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
nah - but when someone like Mike sends 33 messages on one topic in a day, it just looks that way.
damn, you mean I got a few more to catch up to him? sheesh, but it's Saturday morning and because I don't run selinux I now can go to the coast for the weekend and not have to worry about any alarms of failures or screaming customers saying my $XFSFGDSFDS won't work :D
Also, in case you didn't know, sometimes the only way to get changes is to make noises. I know this list has had many things changed, but usually because someone at RH wants to do it in the first place.
---- Fedora Core 1 isn't remotely relevant to this list anymore.
On Sat, 22 Sep 2007, Alan Cox wrote:
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
They are the only ones you tend to notice, and BTW I do run Fedora, on desktops, all FC1. I'd just never be stupid enough to try it on servers again.
On Sat, 2007-09-22 at 10:10 +1000, Res wrote:
On Sat, 22 Sep 2007, Alan Cox wrote:
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
They are the only ones you tend to notice, and BTW I do run Fedora, on desktops, all FC1. I'd just never be stupid enough to try it on servers again.
---- great...the two loudest complainers about SELinux
1 runs Fedora Core 1 the other runs Fedora Core 2
is anything they say even relevant?
On Fri, 21 Sep 2007, Craig White wrote:
On Sat, 2007-09-22 at 10:10 +1000, Res wrote:
On Sat, 22 Sep 2007, Alan Cox wrote:
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
They are the only ones you tend to notice, and BTW I do run Fedora, on desktops, all FC1. I'd just never be stupid enough to try it on servers again.
great...the two loudest complainers about SELinux
1 runs Fedora Core 1 the other runs Fedora Core 2
is anything they say even relevant?
You know why I run FC1? I did say it, I'm sure: because every version after it is worse than it is.
You know why I run FC1? I did say it, I'm sure: because every version after it is worse than it is.
You are welcome to that opinion. I doubt others agree but that is not the problem.
The issue is, do you seriously think that your opinion of SELinux, based on FC1, has any bearing whatsoever on the current state of SELinux? It's like saying all cars now are rubbish because the Ford Model T was a bit of a handful...
Chris
On 9/21/07, Res res@ausics.net wrote:
On Sat, 22 Sep 2007, Alan Cox wrote:
mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use windows and whatever else.
Oh I thought the only people on the list were a few people who liked to moan a lot and didn't run Fedora anyway ?
They are the only ones you tend to notice, and BTW I do run Fedora, on desktops, all FC1. I'd just never be stupid enough to try it on servers again.
So this whole time, your only experience is FC1 ?
Around 11:58pm on Friday, September 21, 2007 (UK time), Res scrawled:
riiiiight, how many people do RH claim use Fedora? million+? How many are on this list? SFA, that's how many, and most of the vocal users of this list are all Fedora fanbois (or suckups if you prefer) because people like Mike and myself and a few select others that speak our minds and disagree get flamed, abused, told to go away, sent pvt emails from anonymous gutless turds on this list saying F.O and use Windows and whatever else.
Wow - you're so brave!
Unattributed, but probably Mike:
There is an audience of Linux users who are requesting that it be removed.
Chris Jones:
Is there? Other than yourself and a few others in this thread I don't see any evidence to support this.
Let's start a vote:
Me : +1 for SELinux
Yes, I agree. One more for it being a good thing to have. And one more to say the naysayers are in the minority.
I see a *few* people *claiming* it does no good, I haven't seen proof of that (and such proof would have to be related to current release software to be valid - claims about SELinux flaws from a few years ago are as invalid as claims about similarly old faults in other software that has since been updated).
I see those people also *falsely* *claiming* that it *only* serves a purpose on already compromised machines. That is but one thing it could perform.
I see those complaining about it are running very old versions, and are not experienced with the current ones.
I see some of the complaints coming from people who do everything as the root user.
All of that does nothing for the credibility of those complainers.
For the *FEW* users who don't want it, there's plenty of other distros without it. Stop trying to subvert this one, and use one that already suits your purposes.
On Sat, 22 Sep 2007 14:49:44 +0930, Tim wrote:
Yes, I agree. One more for it being a good thing to have. And one more to say the naysayers are in the minority.
I see a *few* people *claiming* it does no good, I haven't seen proof of that (and such proof would have to be related to current release software to be valid - claims about SELinux flaws from a few years ago are as invalid as claims about similarly old faults in other software that has since been updated).
I see those people also *falsely* *claiming* that it *only* serves a purpose on already compromised machines. That is but one thing it could perform.
I see those complaining about it are running very old versions, and are not experienced with the current ones.
Just for the record, I run F7 and have been doing so since it was released; I expect to get F8 within a week of release, and switch over to it gradually, machine by machine, over about a month.
And none of my complaints resembles any of those above. What I did complain of, or try to, was and is that SELinux keeps harassing me, even set permissive, about stuff which I haven't the foggiest notion of, and which it does nothing to make clear to me. It reminds me of an old rhyme:
Boston, home of the bean and the cod,
Where Lowells speak only to Cabots,
And Cabots speak only to God.
Having run every release from RH 7.2 so far, I'm sure SELinux like so many other things will get far more user-friendly or transparent, or both; it just hasn't yet, and therefore I question its value -- to me, at this time.
There was a time, though some here may doubt it, when even anaconda was like that: if it hadn't been for installfests, I'd've remained linuxless. The books and CDs I bought nearly ten years ago never got me to the point where I could install RH6 at all -- and God knows I tried. I yield to no man in my hatred of everything that ever came out of Redmond.
on 9/22/2007 1:01 PM, Beartooth wrote:
On Sat, 22 Sep 2007 14:49:44 +0930, Tim wrote:
Yes, I agree. One more for it being a good thing to have. And one more to say the naysayers are in the minority.
I see a *few* people *claiming* it does no good, I haven't seen proof of that (and such proof would have to be related to current release software to be valid - claims about SELinux flaws from a few years ago are as invalid as claims about similarly old faults in other software that has since been updated).
I see those people also *falsely* *claiming* that it *only* serves a purpose on already compromised machines. That is but one thing it could perform.
I see those complaining about it are running very old versions, and are not experienced with the current ones.
Just for the record, I run F7 and have been doing so since it was released; I expect to get F8 within a week of release, and switch over to it gradually, machine by machine, over about a month.
And none of my complaints resembles any of those above. What I did complain of, or try to, was and is that SELinux keeps harassing me, even set permissive, about stuff which I haven't the foggiest notion of, and which it does nothing to make clear to me. It reminds me of an old rhyme :
Boston, home of the bean and the cod, Where Lowells speak only to Cabots, And Cabots speak only to God.
Having run every release from RH 7.2 so far, I'm sure SELinux like so many other things will get far more user-friendly or transparent, or both; it just hasn't yet, and therefore I question its value -- to me, at this time.
There was a time, though some here may doubt it, when even anaconda was like that : if it hadn't been for installfests, I'd've remained linuxless. The books and CDs I bought nearly ten years ago never got me to the point where I could install RH6 at all -- and God knows I tried. I yield to no man in my hatred of everything that ever came out of Redmond.
I think that you will like Fedora 8 and I also think that you will like SELinux and the troubleshooter GUI for it. It is very easy to use and the 'trouble reports' are not written in Geek Speak. ;-)
On Saturday September 22 2007 1:01:45 pm Beartooth wrote:
What I did complain of, or try to, was and is that SELinux keeps harassing me, even set permissive, about stuff which I haven't the foggiest notion of, and which it does nothing to make clear to me.
Have you got setroubleshoot installed, and have you opened it? It may be what you seek - simple list of the errors, and plain English suggestions to solve them -- it may not be perfect, but, it's helped me on a few occasions
On Sat, 22 Sep 2007 13:14:36 -0400, Claude Jones wrote:
On Saturday September 22 2007 1:01:45 pm Beartooth wrote:
What I did complain of, or try to, was and is that SELinux keeps harassing me, even set permissive, about stuff which I haven't the foggiest notion of, and which it does nothing to make clear to me.
Have you got setroubleshoot installed, and have you opened it? It may be what you seek - simple list of the errors, and plain English suggestions to solve them -- it may not be perfect, but, it's helped me on a few occasions
I have got it, and I do look again and again whenever I get any kind of notice (usually from a popup that goes away faster than I can read it, especially if I'm busy). I also click on that big yellow star on one panel whenever I think to.
One thing I like: it lets me mark a message to be deleted, without actually deleting till I tell it to. That means I can check only for new ones, when that's what I want.
In fact, I have even tried to report some of the things it tells me must be bugs.
But I do not, alas!, recall reading any message there that meant anything to me. Since this is so, despite the fact that I've been running RH/F for nearly ten years, and spending a lot of time online for several before that, I concluded that I was likely not alone in my failure to spot straight up; so I posted about it, and the length of this thread appears to corroborate that.
I'm sure SELinux will *become* user-friendly, perhaps already in F8; the sooner the better.
It will come whenever there have been enough shocks of recognition of the form "You mean we have to explain *that*?! I thought puppies and little innocent children knew that."
On Sat September 22 2007, Beartooth wrote:
But I do not, alas!, recall reading any message there that meant anything to me. Since this is so, despite the fact that I've been running RH/F for nearly ten years, and spending a lot of time online for several before that, I concluded that I was likely not alone in my failure to spot straight up; so I posted about it, and the length of this thread appears to corroborate that.
Fair enough - I'm no programmer, but, I've found the messages useful from time to time. In one case, I got into a back and forth with one of the RH maintainers after filing a bug report based on one of those, and he had me do some things and got the issue straightened out in a subsequent policy update
I'm sure SELinux will *become* user-friendly, perhaps already in F8; the sooner the better.
agreed - it's getting better
It will come whenever there have been enough shocks of recognition of the form "You mean we have to explain *that*?! I thought puppies and little innocent children knew that."
I started the previous marathon thread on SELinux which occasioned some fairly nasty posts by some; that was the one about whether the NSA could have stuck a back door in. Despite some of the nasty responses by a few, I also found the discussion of interest. There's no harm in discussing. I concluded that I had no serious cause for concern and have kept SELinux turned on - I have yet to experience major disruptions from it; I have compared my setup to another machine on which I used to run BLAG which is a Fedora derivative, and which turns SELinux off at boot time - BLAG seemed slightly faster to me on very similar hardware, enough to notice, but who's to say that was because of SELinux - the BLAG developer posited it was possible and that he'd gotten similar comments in the past, and that he really didn't do any other customizations that could account for increased performance.
On Sat, 2007-09-22 at 21:07 -0400, Claude Jones wrote:
I have compared my setup to another machine on which I used to run BLAG which is a Fedora derivative, and which turns SELinux off at boot time - BLAG seemed slightly faster to me on very similar hardware, enough to notice, but who's to say that was because of SELinux
I have a couple of junk boxes left over, of the 266 MHz CPU speed variety, you can notice that it's quicker without SELinux running on them (that's with the old FC4 on that old box).
Tim wrote:
I have a couple of junk boxes left over, of the 266 MHz CPU speed variety, you can notice that it's quicker without SELinux running on them (that's with the old FC4 on that old box).
So you are comparing an FC4 box with an FC7 box? What tests did you run to demonstrate the differences? Are all hardware pieces the same?
Tim:
I have a couple of junk boxes left over, of the 266 MHz CPU speed variety, you can notice that it's quicker without SELinux running on them (that's with the old FC4 on that old box).
Ed Greshko:
So you are comparing an FC4 box with an FC7 box? What tests did you run to demonstrate the differences? Are all hardware pieces the same?
No. Just demonstrating that you can see some difference between having SELinux enabled or not (on the same box), and that you need a fairly slow box to be able to perceive the difference.
Tim wrote:
No. Just demonstrating that you can see some difference between having SELinux enabled or not (on the same box), and that you need a fairly slow box to be able to perceive the difference.
I see. Thanks, I wasn't sure if you actually did expend the energy to do a full workup. I'm guessing it would take a considerable effort to do it "right".
on 9/23/2007 7:03 AM, Ed Greshko wrote:
Tim wrote:
No. Just demonstrating that you can see some difference between having SELinux enabled or not (on the same box), and that you need a fairly slow box to be able to perceive the difference.
I see. Thanks, I wasn't sure if you actually did expend the energy to do a full workup. I'm guessing it would take a considerable effort to do it "right".
Note that the differences and improvements between SELinux that was in FC4 and SELinux that is in Fedora 7 should be considered here also. As well as all of the other improvements in the Fedora OS packages. Fedora 8 is even better.
On Sun, 23 Sep 2007 07:11:15 -0400, David Boles wrote:
Note that the differences and improvements between SELinux that was in FC4 and SELinux that is in Fedora 7 should be considered here also. As well as all of the other improvements in the Fedora OS packages. Fedora 8 is even better.
Fwiw, from a point of view necessarily centered on user- friendliness, every new release of Fedora has been better than the last. F7 has brought more trouble along with the improvement, probably just because it's the biggest innovation so far.
If it hadn't been for somebody telling me about "metacity --replace &" I might have had to grade back down to FC6 for a while.
I really did downgrade for a while from one of the very early releases, until somebody in Australia discovered that one of the specs for the then new Acer flat panel LCDs was in millimeters. The F7 things may be like that : intellectually trivial *once found* and simple to fix -- but capable of making a machine unusable for the uninitiated till then.
The present case, however, seems likely to be different. The permissive SELinux interruptions, being both frequent and incomprehensible, were/are irritating rather than disabling -- and the constant instruction to touch and reboot was the last straw. Rebooting after one of those commands took forever -- and the warning that it would was no consolation.
So I don't doubt that F8 will be better, and a lot better; but I do doubt that it will be enough better -- for me, or for the various people I keep working on to get them to try linux.
It won't surprise me in the least if, after a few weeks, I disable SELinux again, and start getting antsy for F9. And do installs for those others, if any, with it disabled from the git-go.
I'll certainly do at most that, now that I know, thanks to all this discussion, that 'disable' really does mean 'disable' -- i.e., cause the whole nine yards of SELinux to do nothing whatever. Both NSA and RedHat say so, in English plain enough even for me. I thank them for that.
on 9/23/2007 2:19 PM, Beartooth wrote:
big snip<
I'll certainly do at most that, now that I know, thanks to all this discussion, that 'disable' really does mean 'disable' -- i.e., cause the whole nine yards of SELinux to do nothing whatever. Both NSA and RedHat say so, in English plain enough even for me. I thank them for that.
I can understand your problems. And everyone told you correctly that disabled really does mean that. Several mentioned something about 'disabled' that I have not seen you address. SELinux is not like a lamp. On (enabled/enforcing) and Permissive (enabled/reports only) keep the SELinux 'system' active and 'up to date' with the permissions. Disabled (off) does not. So turning it off for a time and then turning it back on will most likely cause problems, from what I understand.
Everyone here seems to be in the panic mode. If left alone, as I have done, SELinux just runs merrily along. I do not have any third party packages installed. I don't try to watch videos that require Windows codecs. No fancy rotating cube desktops. No Windows games run in Linux. No third party compiled video drivers. Nothing special.
Linux is about choice. You don't want to use it? Turn it off by all means.
BTW - You mentioned having problems with man pages. The site where this script came from is down for some reason but I have, from there, a script that will make a text file of man pages. Load in your favorite editor. Search. Scroll back and forth. Do your thing.
On Sun, 23 Sep 2007 14:56:17 -0400, David Boles wrote:
I can understand your problems. And everyone told you correctly that disabled really does mean that. Several mentioned something about 'disabled' that I have not seen you address. SELinux is not like a lamp. On (enabled/enforcing) and Permissive (enabled/reports only) keep the SELinux 'system' active and 'up to date' with the permissions. Disabled (off) does not. So turning it off for a time and then turning it back on will most likely cause problems, from what I understand.
Hmmm ... So if I disable it, I better leave it disabled till the next release of Fedora?
Everyone here seems to be in the panic mode. If left alone, as I have done, SELinux just runs merrily along.
That's where your experience differs from mine. Maybe I shouldn't have installed the troubleshooter??
I do not have any third party packages installed. I don't try to watch videos that require Windows codecs. No fancy rotating cube desktops. No Windows games run in Linux. No third party compiled video drivers. Nothing special.
Third party packages here are Pine and Opera -- unless you also count things yum can get from livna; then there might be others. But certainly none of the rest of that stuff.
Linux is about choice. You don't want to use it? Turn it off by all means.
BTW - You mentioned having problems with man pages. The site where this script came from is down for some reason but I have, from there, a script that will make a text file of man pages. Load in your favorite editor. Search. Scroll back and forth. Do your thing. --
Confession time : I follow this list, insofar as I can, only by using Gmane. 90% of it is way over my head (or concerned with things like games that are irrelevant to me), and if it weren't for Pan and Gmane, I wouldn't have a prayer of coping.
But Gmane, unfortunately, eliminates attachments. Or maybe the list itself does. I see neither any script nor any URL here. If you don't mind sending it again direct, the address above, at swva.net, is valid. TIA!
on 9/23/2007 4:28 PM, Beartooth wrote:
On Sun, 23 Sep 2007 14:56:17 -0400, David Boles wrote:
I can understand your problems. And everyone told you correctly that disabled really does mean that. Several mentioned something about 'disabled' that I have not seen you address. SELinux is not like a lamp. On (enabled/enforcing) and Permissive (enabled/reports only) keep the SELinux 'system' active and 'up to date' with the permissions. Disabled (off) does not. So turning it off for a time and then turning it back on will most likely cause problems, from what I understand.
Hmmm ... So if I disable it, I better leave it disabled till the next release of Fedora?
That I can *not* answer. I do know that a relabel would probably be necessary for anything resembling sanity. :-)
Everyone here seems to be in the panic mode. If left alone, as I have done, SELinux just runs merrily along.
That's where your experience differs from mine. Maybe I shouldn't have installed the troubleshooter??
There are several tools coming in Fedora 8 that will make this a snap. Many, not all, but many IMO have made their troubles and then only made them worse. I *really* know very little about SELinux tech stuff. And other than following the troubleshooter suggestions, have never done anything to/with it. I do *not* write those fancy rules or any of that.
I do not have any third party packages installed. I don't try to watch videos that require Windows codecs. No fancy rotating cube desktops. No Windows games run in Linux. No third party compiled video drivers. Nothing special.
Third party packages here are Pine and Opera -- unless you also count things yum can get from livna; then there might be others. But certainly none of the rest of that stuff.
I don't see, from here, anything that should cause you the problems that you describe. The paranoia about SELinux can get really strong. ;-)
As I understand it, Alan Cox could explain this better I am sure, SELinux is there to try to stop poorly written 'good' programs from doing 'things' that they should not do. Security. It is there to stop 'bad' programs from doing the same thing(s). Security.
SELinux is *not* there so that you can't watch movies, or play music, or games, or things like that. The reason, again as *I* understand this, is that some of those applications are poorly written and violate that principle.
Linux is about choice. You don't want to use it? Turn it off by all means.
BTW - You mentioned having problems with man pages. The site where this script came from is down for some reason but I have, from there, a script that will make a text file of man pages. Load in your favorite editor. Search. Scroll back and forth. Do your thing. --
Confession time : I follow this list, insofar as I can, only by using Gmane. 90% of it is way over my head (or concerned with things like games that are irrelevant to me), and if it weren't for Pan and Gmane, I wouldn't have a prayer of coping.
I follow some of the development lists myself. Orphan child left out in the cold there sir. ;-)
Do *not* sell yourself short. All it takes is some time, some experience, and some good people, those people do exist, like many on this list.
First do not fall for the FUD. This is a help list. Users come here for help so you will only see problems. Wireless comes to mind as an example. There are problems with that for some people with some chips so I would *expect* to see many posts about that. They have a problem and need help. I doubt that users that have *no* problems would join the list and post that 'all is great'. Think about it.
But Gmane, unfortunately, eliminates attachments. Or maybe the list itself does. I see neither any script nor any URL here. If you don't mind sending it again direct, the address above, at swva.net, is valid. TIA!
Hmm... I have sent this to several others, off list. I did *not* send it to the list. Some users would not be interested. Some have limits.
I will send you a tar.bz2 privately with four scripts along with a text file that describes them. The same tar.bz2 that I have sent to others.
Let me know if you have questions.
Good luck.
Beartooth wrote:
Hmmm ... So if I disable it, I better leave it disabled till the next release of Fedora?
Before you enable it again, you can make it relabel everything according to the default policy by following the steps outlined in the SELinux FAQ at http://docs.fedoraproject.org. Otherwise labels for files created when SELinux was disabled would be incorrect and likely to cause problems.
That's where your experience differs from mine. Maybe I shouldn't have installed the troubleshooter??
Troubleshooter is merely providing desktop notification of SELinux policy denials which otherwise may go unnoticed in a log file a desktop user is not likely to see or understand easily.
Rahul
On 9/23/07, Rahul Sundaram sundaram@fedoraproject.org wrote:
Beartooth wrote:
Hmmm ... So if I disable it, I better leave it disabled till the next release of Fedora?
Before you enable it again, you can make it relabel everything according to the default policy by following the steps outlined in the SELinux FAQ at http://docs.fedoraproject.org. Otherwise labels for files created when SELinux was disabled would be incorrect and likely to cause problems.
I don't think anyone complaining here has read the docs, but still, this link may also help: http://fedoraproject.org/wiki/SELinux
On Sun, 23 Sep 2007 17:06:11 -0500, Arthur Pemberton wrote:
On 9/23/07, Rahul Sundaram sundaram@fedoraproject.org wrote:
Beartooth wrote:
Hmmm ... So if I disable it, I better leave it disabled till the next release of Fedora?
Before you enable it again, you can make it relabel everything according to the default policy by following the steps outlined in the SELinux FAQ at http://docs.fedoraproject.org. Otherwise labels for files created when SELinux was disabled would be incorrect and likely to cause problems.
I don't think anyone complaining here has read the docs, but still, this link may also help: http://fedoraproject.org/wiki/SELinux
Well, I tried both again -- and they're still geek to me. I feel like a kid doing well in high school geometry who has picked up a third- year college calculus text, and found himself being told to derive all the formulae in Peirce's Tables. Yaaa, shuuure ...
Sorry about that.
And just to repeat, I hope the example makes clear that I have no doubt the explanations are correct. And with a degree in mathematics, I'm not afraid of subtlety nor complexity per se; it's just that I'm not going to live enough longer to learn all you have to know to read such documents, however excellent they be on their own level.
Beartooth wrote:
Well, I tried both again -- and they're still geek to me. I feel like a kid doing well in high school geometry who has picked up a third- year college calculus text, and found himself being told to derive all the formulae in Peirce's Tables. Yaaa, shuuure ...
I don't think you actually read the FAQ at http://docs.fedoraproject.org/selinux-faq-fc5/ to a good extent since it already answers this but I will explain again.
Go to System => Administration => Firewall and SELinux. Enter your root password. Go to the third tab labeled SELinux, change the SELinux setting from Permissive to Enforcing and reboot the system.
If you want to do the same from the command line:
edit /etc/sysconfig/selinux and change SELINUX=permissive to enforcing
# touch /.autorelabel
# reboot
If you didn't understand anything about this process, ask.
Rahul
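Rahul's two command-line steps above (change SELINUX= in /etc/sysconfig/selinux, then touch /.autorelabel before rebooting), together with his earlier point that a system which was running with SELinux disabled must be relabelled before it is enabled again, put into a small POSIX sh helper. This is an added example, not code from the thread or from Fedora; the function names and the extra root-directory argument are my own, and it only ever edits the file path you hand it, so it can be tried on a copy.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora): read and change the
# SELINUX= mode in an /etc/sysconfig/selinux-style file, and request a full
# relabel when leaving "disabled", because files written while SELinux was
# off carry no, or stale, security labels.

# Print the active SELINUX= value in CONFIG_FILE. Comment lines are ignored
# and the last assignment wins, as it does on a real system.
selinux_config_mode() {
    config_file="$1"
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$config_file" | tail -n 1
}

# Set SELINUX= in CONFIG_FILE to NEW_MODE and print what happened:
#   "relabel"  the old mode was disabled, so a relabel was requested
#   "ok"       only the mode changed
# ROOT_DIR (hypothetical third argument) is where the .autorelabel flag is
# written; it is / on a real system. Returns 1 for an invalid mode and 2
# when the file has no SELINUX= line.
selinux_set_config_mode() {
    config_file="$1"
    new_mode="$2"
    root_dir="${3:-/}"

    case "$new_mode" in
        enforcing|permissive|disabled) ;;
        *)
            echo "selinux_set_config_mode: invalid mode '$new_mode'" >&2
            return 1
            ;;
    esac

    old_mode=$(selinux_config_mode "$config_file")
    if [ -z "$old_mode" ]; then
        echo "selinux_set_config_mode: no SELINUX= line in $config_file" >&2
        return 2
    fi

    # Rewrite only the active assignment; the comments describing the
    # three values stay untouched. Temp file plus mv keeps this portable.
    tmp_file="$config_file.tmp.$$"
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$new_mode/" "$config_file" > "$tmp_file" \
        && mv "$tmp_file" "$config_file"

    # Coming back from disabled is the case the thread warns about: touch
    # /.autorelabel so init relabels the whole filesystem on the next boot.
    if [ "$old_mode" = disabled ] && [ "$new_mode" != disabled ]; then
        : > "$root_dir/.autorelabel"
        echo relabel
    else
        echo ok
    fi
}

# Demonstration on a constructed copy of the config file (never the live
# /etc/sysconfig/selinux), so this is safe to run as an ordinary user.
demo_dir=$(mktemp -d)
cat > "$demo_dir/selinux" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
SELINUXTYPE=targeted
EOF
echo "before: $(selinux_config_mode "$demo_dir/selinux")"
echo "switch: $(selinux_set_config_mode "$demo_dir/selinux" permissive "$demo_dir")"
echo "after:  $(selinux_config_mode "$demo_dir/selinux")"
ls "$demo_dir/.autorelabel"
rm -rf "$demo_dir"
```

On a real system you would pass /etc/sysconfig/selinux and omit the root-directory argument, then reboot as Rahul says; the relabel itself is done by init when it finds /.autorelabel.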
On Mon, 24 Sep 2007 22:34:37 +0530, Rahul Sundaram wrote:
Beartooth wrote:
Well, I tried both again -- and they're still geek to me. I feel like a kid doing well in high school geometry who has picked up a third- year college calculus text, and found himself being told to derive all the formulae in Peirce's Tables. Yaaa, shuuure ...
I don't think you actually read the FAQ at http://docs.fedoraproject.org/selinux-faq-fc5/ to a good extent since it already answers this but I will explain again.
Well, I read the words (even though they warn me emphatically that they're for FC5 only); and what's more, I followed the links, and tried to read those -- despite the fact that the link to FAQs for other releases only takes me round Robin Hood's barn. What I keep saying is that I couldn't follow them.
It's not that those are bad explanations; it's that the prerequisites for being able to understand them are way, way beyond me.
Here's another way to put it. Try picking up Lauri Hakulinen's history of Finnish grammar and reading it. I have, twice, both in the original Finnish, and in the German translation, on which LH himself collaborated, with additions and updates. Of course, I was already a practicing historian of tongues, with nearly twenty years' experience, before I started. You are to linux what I was to Hakulinen; I'm not.
Go to System => Administration => Firewall and SELinux. Enter your root password. Go to the third tab labeled SELinux, change the SELinux setting from Permissive to Enforcing and reboot the system.
If you want to do the same from the command line:
edit /etc/sysconfig/selinux and change SELINUX=permissive to enforcing
# touch /.autorelabel
# reboot
All of that I did, the first time you spelled it out, for which thanks! And reported here that I had done it. I'm not *trying* to frustrate you, blast it all. I'm just nowhere near your class, nor likely to live long enough to get near.
Beartooth wrote:
On Mon, 24 Sep 2007 22:34:37 +0530, Rahul Sundaram wrote:
Beartooth wrote:
Well, I tried both again -- and they're still geek to me. I feel like a kid doing well in high school geometry who has picked up a third- year college calculus text, and found himself being told to derive all the formulae in Peirce's Tables. Yaaa, shuuure ...
I don't think you actually read the FAQ at http://docs.fedoraproject.org/selinux-faq-fc5/ to a good extent since it already answers this but I will explain again.
Well, I read the words (even though they warn me emphatically that they're for FC5 only); and what's more, I followed the links, and tried to read those -- despite the fact that the link to FAQs for other releases only takes me round Robin Hood's barn. What I keep saying is that I couldn't follow them.
I gave you the link to the FAQ only to answer a specific question which you have confirmed that you have understood. You can ignore the rest and get back to it if it is needed and ask for help if you want more information. Trying to understand all the information at the same time is not going to get you anywhere analogies or not.
Rahul
...interesting...
I am rather shocked to see such an advanced community not reaping the benefits of SE Linux on Fedora/Red Hat. It's the reason I hesitate to use other distributions for mission critical applications within my organization.
With that said, I concede that it does require configuration. What works well for me is to suspend the SELinux service, perform the configuration, test and apply the config and then turn SELinux back on. From there, open the ports and configure as needed. There is an excellent O'Reilly book "SELinux NSA's Open Source Security Enhanced Linux" that will assist in explaining configuration options and debugging. There's always this forum and FedoraForums for assistance.
I value both my and my client's data. To me, it's worth the time and effort taken to implement security measures. I don't recommend turning it off and specifically not for organizational use. If you want to kill it on your desktop, that's up to you.
Best of luck to all ;)
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
GNUGravity no-reply-gw@fcp.surfsite.org wrote: ...interesting...
I am rather shocked to see such an advanced community not reaping the benefits of SE Linux on Fedora/Red Hat. It's the reason I hesitate to use other distributions for mission critical applications within my organization.
With that said, I concede that it does require configuration. What works well for me is to suspend the SELinux service, perform the configuration, test and apply the config and then turn SELinux back on. From there, open the ports and configure as needed. There is an excellent O'Reilly book "SELinux NSA's Open Source Security Enhanced Linux" that will assist in explaining configuration options and debugging. There's always this forum and FedoraForums for assistance.
I value both my and my client's data. To me, it's worth the time and effort taken to implement security measures. I don't recommend turning it off and specifically not for organizational use. If you want to kill it on your desktop, that's up to you.
Best of luck to all ;)
On Tue, 2007-09-25 at 05:54 -0700, Paul Shaffer wrote:
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
A government agency unwisely spending money? Or wasting time? No, of course not. Unheard of.
GNUGravity no-reply-gw@fcp.surfsite.org wrote: ...interesting...
I am rather shocked to see such an advanced community not reaping the benefits of SE Linux on Fedora/Red Hat. It's the reason I hesitate to use other distributions for mission critical applications within my organization.
With that said, I concede that it does require configuration. What works well for me is to suspend the SELinux service, perform the configuration, test and apply the config and then turn SELinux back on. From there, open the ports and configure as needed. There is an excellent O'Reilly book "SELinux NSA's Open Source Security Enhanced Linux" that will assist in explaining configuration options and debugging. There's always this forum and FedoraForums for assistance.
I value both my and my client's data. To me, it's worth the time and effort taken to implement security measures. I don't recommend turning it off and specifically not for organizational use. If you want to kill it on your desktop, that's up to you.
Best of luck to all ;)
-- This is an email sent via The Fedora Community Portal https://fcp.surfsite.org https://fcp.surfsite.org/modules/newbb/viewtopic.php?post_id=204347&topic_id=44385&forum=10#forumpost204347 If you think this is spam, please report this to webmaster@fcp.surfsite.org and/or blame rshane@basexvi.com.
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
On Tue, 2007-09-25 at 15:00 +0200, Andrew Kelly wrote:
On Tue, 2007-09-25 at 05:54 -0700, Paul Shaffer wrote:
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
A government agency unwisely spending money? Or wasting time? No, of course not. Unheard of.
Never happens. Good Lord no. They work for us, right?
Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
It all is a matter of perceptions, even when the answers appear to be the same. <grins> Ric
On Wed, 26 Sep 2007 21:47:46 -0400 Ric Moore wayward4now@gmail.com wrote:
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
A government agency unwisely spending money? Or wasting time? No, of course not. Unheard of.
Never happens. Good Lord no. They work for us, right?
Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
It all is a matter of perceptions, even when the answers appear to be the same. <grins> Ric
One could also wonder if there could possibly be any reason for the NSA to want a shared library they wrote loaded into every program's address space? (pleasant dreams :-).
Tom Horsley wrote:
One could also wonder if there could possibly be any reason for the NSA to want a shared library they wrote loaded into every program's address space? (pleasant dreams :-).
I'd be worried were it not for the fact that the entire source code for said library and its utilities both in and out of kernelspace is all freely available for your perusal at any time...
Peter Gordon wrote:
Tom Horsley wrote:
One could also wonder if there could possibly be any reason for the NSA to want a shared library they wrote loaded into every program's address space? (pleasant dreams :-).
I'd be worried were it not for the fact that the entire source code for said library and its utilities both in and out of kernelspace is all freely available for your perusal at any time...
I think you are a bit too trusting. There are ways...
http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php
On Thu, 2007-09-27 at 00:21 -0500, Les Mikesell wrote:
Peter Gordon wrote:
Tom Horsley wrote:
One could also wonder if there could possibly be any reason for the NSA to want a shared library they wrote loaded into every program's address space? (pleasant dreams :-).
I'd be worried were it not for the fact that the entire source code for said library and its utilities both in and out of kernelspace is all freely available for your perusal at any time...
I think you are a bit too trusting. There are ways...
http://scienceblogs.com/goodmath/2007/04/strange_loops_dennis_ritchie_a.php
---- sure but if you don't have the source code at all, this type of behavior is the least of your worries.
Craig
On Wed, 2007-09-26 at 22:18 -0400, Tom Horsley wrote:
On Wed, 26 Sep 2007 21:47:46 -0400 Ric Moore wayward4now@gmail.com wrote:
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
A government agency unwisely spending money? Or wasting time? No, of course not. Unheard of.
Never happens. Good Lord no. They work for us, right?
Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
It all is a matter of perceptions, even when the answers appear to be the same. <grins> Ric
One could also wonder if there could possibly be any reason for the NSA to want a shared library they wrote loaded into every program's address space? (pleasant dreams :-).
I wear a tin-foil hat to bed, and my wife and I are having "The Cone of Silence" installed in the living room.
It's also unbelievable how ignorant the general public is of The Great Cabal passing themselves off as simple practitioners of veterinary medicine. All those fools thinking that chip in their cat's neck is just for identification (*wink* *wink*, *nudge* *nudge*)...
They're all listening!
<snark>
Andy
Paul Shaffer wrote:
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
More relevant questions might be:
1) Does everyone need NSA-level security and the accompanying issues?
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
3) How much of #2 do you want to do yourself?
I am absolutely certain those unwilling to change and adapt will receive the many years of due frustration they so fervently beg for.
More to the point, in answer to your question, I'm over it - long ago. So I guess the answer is: Not applicable.
Les Mikesell lesmikesell@gmail.com wrote: Paul Shaffer wrote:
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
More relevant questions might be:
1) Does everyone need NSA-level security and the accompanying issues?
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
3) How much of #2 do you want to do yourself?
On Tue, 2007-09-25 at 06:15 -0700, Paul Shaffer wrote:
I am absolutely certain those unwilling to change and adapt will receive the many years of due frustration they so fervently beg for.
More to the point, in answer to your question, I'm over it - long ago. So I guess the answer is: Not applicable.
Les Mikesell lesmikesell@gmail.com wrote:
Paul Shaffer wrote:
> The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
>
> Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
More relevant questions might be:
1) Does everyone need NSA-level security and the accompanying issues?
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
3) How much of #2 do you want to do yourself?
Here's an example of "glittering generalities". Paul, you seem to disregard the list's own format of bottom posting when replying, rather than top posting. Yet, you wrote of: "those unwilling to change and adapt will receive the many years of due frustration they so fervently beg for." with the emphasis on your "certainty".
hrmmmm.... do I disregard such an argument out of hand, as having no substance, when the poster seems unwilling to follow conventions printed in the list rules of conduct, while blaming some for the same sort of lack of respect for others? Can't have it both ways. Not always, Ric
On Tue, 2007-09-25 at 08:06 -0500, Les Mikesell wrote:
Paul Shaffer wrote:
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
More relevant questions might be:
1) Does everyone need NSA-level security and the accompanying issues?
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
3) How much of #2 do you want to do yourself?
[highjack]
4) Why should a body like the NSA have any influence whatsoever upon my personal computing experience?
5) Why does stuff like this so often devolve into name-calling?
A few valid points are made here among the disparaging remarks that warrant comment.
1) My personal opinion: Judging the NSA's appropriation of funds to develop secure computing is not a wasteful cause. (...in good humor... What are you a Democrat? {sorry, I couldn't resist})
2) Who would need this? I operate in the forensic world and I can tell you that network security should have the highest priority. This applies specifically for organizations with personal data (ssn, dob, etc), HIPAA requirements, financial particulars including credit card numbers, and vet and military records. Every day you can read about breach after breach in the journal.
I also recommend (and employ) bastille, encrypted volumes and ipfilters on my firewall/router. Paranoid? I don't think so but I do place value on my and my client's data.
It was my impression that this began as a result of an issue with SE Linux. If someone has an issue, please post & I'll be happy to assist.
On Tue, 25 Sep 2007 16:28:52 +0200, GNUGravity wrote:
A few valid points are made here among the disparaging remarks that warrant comment.
Speaking as the OP, I thank you for those comments; imnsho, this amazing thread has generated a *lot* more light than heat, and I thank all the other posters also -- again -- including those who are a/o appear to be contradicting each other. (Fewer than it would appear, I believe.)
It was my impression that this began as a result of an issue with SE Linux. If someone has an issue, please post & I'll be happy to assist.
It most certainly did; but I think the assistance has already sufficed for the present -- though I thank you for the offer.
As a not quite clueless user, I knew better than to try to handle a machine with SELinux set to enforcing; but the installer advises emphatically, with no explanation whatsoever, against setting it to disabled. (I've been doing one or the other ever since it was first incorporated into Fedora.)
With F7, and not with previous releases, I've been getting a lot of incomprehensible grief, perhaps because I enabled the troubleshooter.
Not only did all those messages (which, as nobody had told me, are apparently *false* in permissive) mean nothing to anyone at my level, the ones that told me what to do caused large wastes of time and effort, without seeming to do any good.
I grew irritated.
I also figured there must be lots of others in the same boat.
So I posted here with the most eye-catching subject line I could come up with, after several days mulling one. That line has succeeded, at least in that purpose, far beyond my wildest dreams.
And, for the record, I have read every last one of the posts at least three times (many far more) -- simply because I want my newsreader (Pan 0.132, pointed at gmane.linux.redhat.fedora.general, which reflects fedora-list@redhat.com) to be up to date on three machines, on any and all of which I check for new posts often.
Nearly all the comments have been helpful, and the apparently contradictory ones less contradictory (to my untutored mind at least) than meets the eye. I'm not the only one here wording things in ways meant to catch eyes ...
And to get to your implied question, here's the issue put yet another way. (Rahul et al. please skip; I owe you big time already.)
My distinct impression was, when I first posted, that the game was not worth the candle: SELinux was making far more trouble for me and any other naive user, I thought, than it could possibly be worth *to* *anyone* *in* *my* *circumstances*, which I'm sure I share with many. No Such Agency is inherently exposed to opponents who couldn't begin to be bothered with the likes of me.
I knew, of course, that that assertion would bring denials, and wanted to examine them. Maybe they would convince me; I was and am willing.
I also had a sneakin' hunch that, if my assertion also brought corroboration, I (or any other naive user) could only make things worse by trying anything like rpm -e or yum remove. (It is indeed a comfort not to be mistaken at all points, as Gandalf tells Gimli.) I did get told, very plainly and with plenty of detail, what I *could* do, and how.
For the record, this thread has served those original purposes abundantly, pressed down and flowing over. Again, I thank you all.
And fwiw, I have put SELinux into disabled mode on one machine; if that one blows up in my face, I will report here, and try to provide enough detail for the Alpha Plus Technoids to judge whether the lack of SELinux was to blame.
The prospect of F8, which I plan to install starting within a week after its release, seems to me propitious enough to be worth a good try. And if I do disable on all machines, despite the promised improvements, I will surely try at least once more, when F9 comes out.
On Tue, Sep 25, 2007 at 16:28:52 +0200, GNUGravity no-reply-gw@fcp.surfsite.org wrote:
2) Who would need this? I operate in the forensic world and I can tell you that network security should have the highest priority. This applies specifically for organizations with personal data (ssn, dob, etc), HIPAA requirements, financial particulars including credit card numbers, and vet and military records. Every day you can read about breach after breach in the journal.
They are working on labelling of packets based on ipsec information that should allow trust relationships between computers enforced by SELinux.
On Tue, 2007-09-25 at 23:14 -0500, Bruno Wolff III wrote:
On Tue, Sep 25, 2007 at 16:28:52 +0200, GNUGravity no-reply-gw@fcp.surfsite.org wrote:
2) Who would need this? I operate in the forensic world and I can tell you that network security should have the highest priority. This applies specifically for organizations with personal data (ssn, dob, etc), HIPAA requirements, financial particulars including credit card numbers, and vet and military records. Every day you can read about breach after breach in the journal.
They are working on labelling of packets based on ipsec information that should allow trust relationships between computers enforced by SELinux.
NOW you've got my attention. I actually need something just like that. As a matter of fact, if you could REALLY lock down the front porch, restricting service to just your subnets, and a local DNS server, you wouldn't need the guards inside to be set strict? As much? Tell me about this... inquiring minds want to know. What's the real deal? Ric
On Thu, Sep 27, 2007 at 00:12:12 -0400, Ric Moore wayward4now@gmail.com wrote:
NOW you've got my attention. I actually need something just like that. As a matter of fact, if you could REALLY lock down the front porch, restricting service to just your subnets, and a local DNS server, you wouldn't need the guards inside to be set strict? As much? Tell me about this... inquiring minds want to know. What's the real deal? Ric
I have just seen discussions for patches dealing with this on the selinux list. I don't know what exactly the final plan is supposed to be. I believe you are supposed to be able to attach context to packets based on host and port information. This allows you to at least label packets based on address and port information reliably (as much as you can trust the ipsec signatures). I don't know if the sender of a packet will be able to attach context to packets that the recipient can use.
On 25/09/2007, Les Mikesell lesmikesell@gmail.com wrote:
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
This work has been done. What Unix tools are you using which aren't working with SELinux?
Jonathan Underwood wrote:
On 25/09/2007, Les Mikesell lesmikesell@gmail.com wrote:
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
This work has been done. What Unix tools are you using which aren't working with SELinux?
I have an assortment of suid perl scripts that run under apache's cgi interface. I didn't expect them to work. Will they? What about MimeDefang, running as a sendmail milter and connecting via local sockets to an assortment of mail scanning processes that may each be running under their own uid. I've seen issues posted about the sockets and SELinux. Have they been solved?
On 9/25/07, Les Mikesell lesmikesell@gmail.com wrote:
Jonathan Underwood wrote:
On 25/09/2007, Les Mikesell lesmikesell@gmail.com wrote:
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
This work has been done. What Unix tools are you using which aren't working with SELinux?
I have an assortment of suid perl scripts that run under apache's cgi interface. I didn't expect them to work. Will they? What about MimeDefang, running as a sendmail milter and connecting via local sockets to an assortment of mail scanning processes that may each be running under their own uid. I've seen issues posted about the sockets and SELinux. Have they been solved?
Unless your perl scripts are making changes directly to the fileserver, they should work. If not, you may need to add the required contexts. Without knowing more about your situation, I would guess that they would work.
On 25/09/2007, Les Mikesell lesmikesell@gmail.com wrote:
Jonathan Underwood wrote:
On 25/09/2007, Les Mikesell lesmikesell@gmail.com wrote:
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
This work has been done. What Unix tools are you using which aren't working with SELinux?
I have an assortment of suid perl scripts that run under apache's cgi interface. I didn't expect them to work. Will they?
No disrespect, but your personal perl scripts don't really count as "traditional unix tools". Write a policy for them, and all will be fine.
What about MimeDefang, running as a sendmail milter and connecting via local sockets to an assortment of mail scanning processes that may each be running under their own uid. I've seen issues posted about the sockets and SELinux. Have they been solved?
I believe so. Again tho, things will work with correctly written policy modules. Basically your complaint seems to be that you don't want to learn to use the tools to write the policy modules you need. Everything has a cost, and a benefit... it's a personal decision as to which outweighs the other.
J.
Jonathan Underwood wrote:
On 25/09/2007, Les Mikesell lesmikesell@gmail.com wrote:
2) How many more years and millions will it take to adapt the decades-worth of traditional unix tools and applications that Linux users take for granted to a wildly different security model?
This work has been done. What Unix tools are you using which aren't working with SELinux?
I have an assortment of suid perl scripts that run under apache's cgi interface. I didn't expect them to work. Will they?
No disrespect, but your personal perl scripts don't really count as "traditional unix tools". Write a policy for them, and all will be fine.
Saying that everything done individually has to be re-done is a long way from your statement that the work was already done...
What about MimeDefang, running as a sendmail milter and connecting via local sockets to an assortment of mail scanning processes that may each be running under their own uid. I've seen issues posted about the sockets and SELinux. Have they been solved?
I believe so. Again tho, things will work with correctly written policy modules. Basically your complaint seems to be that you don't want to learn to use the tools to write the policy modules you need.
My complaint is that unix already had a security model, one whose simplicity was a great improvement over the prior much more complex systems such as multics and reversing that simplicity is heading the wrong direction.
Everything has a cost, and a benefit... it's a personal decision as to which outweighs the other.
SELinux gives an extra layer of security, but only comes into play when you've already screwed up the simple system, admittedly made easier by languages that encourage buffer overflows, executable stacks, and predictable stack frames. I'd just rather see the effort going toward fixing the simple problems instead of ignoring them and hoping, for no particular reason, to get the more complex scheme right.
On Tuesday 25 September 2007, Paul Shaffer wrote:
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Yeah, well I'm one of those idijits you're referring to. I have a problem, so since it's a redhat/fedora problem AFAIK, I bring it here, and get told to take my problems down the hall to selinux_101's list.
I do, get told the boilerplate answer to touch /.autorelabel and reboot. I do so, several times. I disable it in the /etc/sysconfig control file, doesn't help. No log now, but it doesn't help, I still cannot use any usb or serial ports on the machine except the mouse & keyboard. Finally, Stephen Smalley says to add 'selinux=0' to the kernel line in grub. Bingo, everything works.
I update from FC2 to FC6, same basic problem in that the machine can't do its job(s) although I can print from FC6 which the FC2 version denied, so once again that option gets added to my grub.conf. And everything Just Works(TM).
Now, I'm mature enough (73 in a week) to know that the only way to shake out the bugs is to run it, which is nice for those who have the luxury of saying "hey, that didn't work", and possibly the programming smarts to dig into it and figure it out, or a way around it. But I still have to talk to the hardware to get the job done & that's where it was killing me.
I found a couple of days ago that it may actually be usable in F7 on my laptop, which since I'm home, isn't getting a lot of use. So progress it would appear is being made. OTOH, I haven't plugged in the Maxtor OneTouch III usb drive to see if I can make a backup either.
I don't think the descriptive name calling is all that intelligent either and I've been subjected to quite a bit of it, both because I do all this as root including running x, and selinux is disabled. So what, I'm behind an x86 box running dd-wrt. But I'm the only one who uses this machine, even the missus can't seem to get the hang of running a mouse to read her email and she is a retired school teacher (music).
Contrary to the likes of Craig White for instance, who has been pretty abusive at times while also occasionally being helpful, there are two (or more) sides to the story. Just don't expect me to suffer in total silence. My 'field of expertise' so to speak, is electronics, and I might have fixed the first tv your great grandfather had in 1947 when it quit. I write bash scripts these days, but if any of you came up to x86 boxes via the Motorola route, CoCos and Amigas, it's entirely possible you may have run code I wrote all those years ago. But that's background info and no big deal today.
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
They may well have. Possibly something of value for my tax dollar. But until it was foisted off on us without enough docs to wrap an aspirin tablet up, actual, in the real world usability was apparently never a consideration. Now, with all the hoorah, yelling and screaming, (you would think we're breeding elephants or something here) that aspect of it is finally being addressed, which is a good thing I guess. As far as the docs are concerned, it tends to pi$$ me off a little when those docs are A) locked up in a book, and B) the book is a special order item at my nearest Borders, 35 miles up the interstate from me, and C) no doubt costs money. I don't get up there more than 3 or 4 times a year.
TANSTAAFL...
But, until it actually saves my butt, I will continue to contend that it is a solution in search of a problem 99% of us (with sense enough to setup a firewall/gateway separate from the work boxes) don't have.
[...]
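Gene's post above mentions both the SELINUX= line in the sysconfig file and the selinux=0 kernel parameter. The POSIX shell script below is an added example, not code from any poster: from a config file and a kernel command line it reports the state a machine will actually boot into, using a constructed sample config; the file paths are assumptions for the demonstration, and the precedence it encodes is that selinux=0 on the kernel line disables SELinux whatever the file says, while enforcing=0 or enforcing=1 overrides only the enforcing-versus-permissive choice.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster. Works out the
# SELinux state a machine boots into from two inputs: the SELINUX= line in
# /etc/sysconfig/selinux (the file paths here are assumptions for the demo)
# and the kernel command line as found in /proc/cmdline.

# Print the value of a kernel parameter ("selinux=0" -> "0") from a command
# line string; the last occurrence wins; nothing is printed if it is absent.
kernel_param() {
    _val=''
    for _word in $2; do
        case "$_word" in
            "$1"=*) _val="${_word#*=}" ;;
        esac
    done
    printf '%s\n' "$_val"
}

# Read the SELINUX= setting from a config file: comment lines are skipped,
# the first matching line is used and the value is compared case-insensitively.
# Anything other than the three documented values is reported as "unknown".
config_selinux_mode() {
    _mode=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" |
        head -n 1 | tr 'A-Z' 'a-z')
    case "$_mode" in
        enforcing|permissive|disabled) printf '%s\n' "$_mode" ;;
        *) printf 'unknown\n' ;;
    esac
}

# Combine both inputs. selinux=0 on the kernel line switches the LSM off
# before the config file is ever consulted, so it wins regardless of the
# file; when SELinux is enabled, enforcing=0 or enforcing=1 on the kernel
# line overrides only the enforcing/permissive choice.
effective_selinux_mode() {
    # $1: config file, $2: kernel command line
    if [ "$(kernel_param selinux "$2")" = 0 ]; then
        printf 'disabled\n'
        return 0
    fi
    _cfg=$(config_selinux_mode "$1")
    if [ "$_cfg" = disabled ]; then
        printf 'disabled\n'
        return 0
    fi
    case "$(kernel_param enforcing "$2")" in
        0) printf 'permissive\n' ;;
        1) printf 'enforcing\n' ;;
        *) printf '%s\n' "$_cfg" ;;
    esac
}

# Constructed sample input (not taken from any real machine): a config set
# to enforcing, checked against three kernel command lines.
demo() {
    _dir=$(mktemp -d)
    cat > "$_dir/selinux" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    for _cmdline in 'ro root=/dev/sda1 quiet' \
                    'ro root=/dev/sda1 quiet enforcing=0' \
                    'ro root=/dev/sda1 quiet selinux=0'; do
        printf '%-40s -> %s\n' "$_cmdline" \
            "$(effective_selinux_mode "$_dir/selinux" "$_cmdline")"
    done
    rm -rf "$_dir"
}
demo

# On a real system, report the state the current config and boot line give.
if [ -r /etc/sysconfig/selinux ] && [ -r /proc/cmdline ]; then
    printf 'this machine is configured to boot into: %s\n' \
        "$(effective_selinux_mode /etc/sysconfig/selinux "$(cat /proc/cmdline)")"
fi
```

Compare the result with what getenforce reports on the running system; a difference means the mode was changed at run time (for example with setenforce) and will not survive a reboot.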
On Tue, Sep 25, 2007 at 10:15:31 -0400, Gene Heskett gene.heskett@verizon.net wrote:
They may well have. Possibly something of value for my tax dollar. But until it was foisted off on us without enough docs to wrap an aspirin tablet up, actual, in the real world usability was apparently never a consideration. Now, with all the hoorah, yelling and screaming, (you would think we're breeding elephants or something here) that aspect of it is finally being addressed, which is a good thing I guess. As far as the docs are concerned, it tends to pi$$ me off a little when those docs are A) locked up in a book, and B) the book is a special order item at my nearest Borders, 35 miles up the interstate from me, and C) no doubt costs money. I don't get up there more than 3 or 4 times a year.
And the tools are currently changing at a rate where a book is almost certainly out of date when dealing with the details of managing SELinux or writing policies. They probably could be used to get an overview, but you can get that online.
On Tue, 2007-09-25 at 10:15 -0400, Gene Heskett wrote:
On Tuesday 25 September 2007, Paul Shaffer wrote:
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Yeah, well I'm one of those idijits you're referring to. I have a problem, so since it's a redhat/fedora problem AFAIK, I bring it here, and get told to take my problems down the hall to selinux_101's list.
I do, get told the boilerplate answer to touch /.autorelabel and reboot. I do so, several times. I disable it in the /etc/sysconfig control file, doesn't help. No log now, but it doesn't help, I still cannot use any usb or serial ports on the machine except the mouse & keyboard. Finally, Stephen Smalley says to add 'selinux=0' to the kernel line in grub. Bingo, everything works.
I remember being called a Castrato by one person the last time a discussion of SeLinux dominated this list. I do not remember the identity of that person after putting that person's email address on a discard filter.
Nobody on this mailing list is an idiot. We do not have Redmond hand-holding us. We need to know more, about hardware and software, than the Mom and Pop Windows user.
Please people. Do not go this route of fighting about SELinux again.
If there is a technical question on how to do something in SeLinux, let's help find an answer.
If the question is, how do I remove or disable SELinux, let's help find the answer.
If the question is, how do I still use SELinux and do something SELinux wants to block, let's help find the answer.
If one has a good or bad experience with SELinux, please share the experience in a calm way you would do when talking around the table, with friends. Please do not become vitriolic or attack others. Please do not insist upon having the last word. Please be considerate of others.
It would be sad if my discard filter had to grow. It would be sad if I found myself on a discard filter.
This list is a way for us to help each other, to ask and answer questions, to share experiences.
We share a common desire to run Fedora Linux software, or we would not be part of this mailing list.
Peace.
On Tue, 25 Sep 2007, Paul Shaffer wrote:
The whole premise of this thread is just absolutely ridiculous. A naive user has an issue of some sort, immediately throws the baby out with the bath and then every other uninformed Linux using imbecile on this list joins in the stupidity.
Does anybody here really believe the NSA spent how many years (?) and untold millions of dollars developing the technology for no good reason? Amazing, just amazing. Shocked? Maybe. Disappointed? Yes. Surprised? No.
GNUGravity no-reply-gw@fcp.surfsite.org wrote: ...interesting...
I am rather shocked to see such an advanced community not reaping the benefits of SE Linux on Fedora/Red Hat. It's the reason I hesitate to use other distributions for mission critical applications within my organization.
With that said, I concede that it does require configuration. What works well for me is to suspend the SELinux service, perform the configuration, test and apply the config and then turn SELinux back on. From there, open the ports and configure as needed. There is an excellent O'Reilly book "SELinux NSA's Open Source Security Enhanced Linux" that will assist in explaining configuration options and debugging. There's always this forum and FedoraForums for assistance.
I value both my and my client's data. To me, it's worth the time and effort taken to implement security measures. I don't recommend turning it off and specifically not for organizational use. If you want to kill it on your desktop, that's up to you.
Best of luck to all ;)
Get your hand off it. Some of us baby-out-the-window-throwing idiots have been doing this probably longer than you have been conceived.
I, like thousands of other network managers, would rather have their servers ONLINE, working without dramas for paying customers, than have to take the things offline constantly to mess around with something which is a nuisance and interferes with our paying customers' services. If they want to install a new program on a shared or dedicated host server at 4am to minimise downtime to their clients, they should be able to do it knowing that when they are done it works, not have to contact the NOC at 5AM because selinux has fucked them up the ass and they are stressing that their clients can't interact with them. Some of these are ticket services for major events and so on; it makes them think twice about renewing, because they see it as a problem they have experienced and think "is this going to happen every time I make major changes".. etc etc
On Wed, 2007-09-26 at 08:21 +1000, Res wrote:
knowing that when they are done it works, not have to contact the NOC at 5AM because selinux has fucked them up the ass and they are stressing that their clients can't interact with them,
---- nice - thanks for the visual metaphor - good thing you won't be confused with someone with an objective point of view.
On Tuesday 25 September 2007, Craig White wrote:
On Wed, 2007-09-26 at 08:21 +1000, Res wrote:
knowing that when they are done it works, not have to contact the NOC at 5AM because selinux has fucked them up the ass and they are stressing that their clients can't interact with them,
nice - thanks for the visual metaphor - good thing you won't be confused with someone with an objective point of view.
Stuff it Craig. Just because he doesn't have a view that coincides with yours, doesn't mean he doesn't have a right to say it.
It's a similar situation to what I ran into Sunday morning, with a fuse designed to blow should a time delay relay's delay get excessively long. It did, and that was the last fuse, so now I'm killing time till the next time I can take it down. A week lost.
On Wed, 2007-09-26 at 00:02 -0400, Gene Heskett wrote:
On Tuesday 25 September 2007, Craig White wrote:
On Wed, 2007-09-26 at 08:21 +1000, Res wrote:
knowing that when they are done it works, not have to contact the NOC at 5AM because selinux has fucked them up the ass and they are stressing that their clients can't interact with them,
nice - thanks for the visual metaphor - good thing you won't be confused with someone with an objective point of view.
Stuff it Craig. Just because he doesn't have a view that coincides with yours, doesn't mean he doesn't have a right to say it.
---- stuff it?
The metaphor employed by Res simply is not appropriate for the list. His point of view is/was/has been a non sequitur...and the reference to repetitive anal insertion is at best stupid.
Should anyone infer something from your defense of his anal insertion references?
On 9/25/07, Craig White craigwhite@azapple.com wrote:
On Wed, 2007-09-26 at 00:02 -0400, Gene Heskett wrote:
On Tuesday 25 September 2007, Craig White wrote:
On Wed, 2007-09-26 at 08:21 +1000, Res wrote:
knowing that when they are done it works, not have to contact the NOC at 5AM because selinux has fucked them up the ass and they are stressing that their clients can't interact with them,
nice - thanks for the visual metaphor - good thing you won't be confused with someone with an objective point of view.
Stuff it Craig. Just because he doesn't have a view that coincides with yours, doesn't mean he doesn't have a right to say it.
stuff it?
The metaphor employed by Res simply is not appropriate for the list. His point of view is/was/has been a non sequitur...and the reference to repetitive anal insertion is at best stupid.
Should anyone infer something from your defense of his anal insertion references?
dude give up. do what i did, block the appropriate individuals at the email client level and move on.
On Wednesday 26 September 2007, Craig White wrote:
On Wed, 2007-09-26 at 00:02 -0400, Gene Heskett wrote:
On Tuesday 25 September 2007, Craig White wrote:
On Wed, 2007-09-26 at 08:21 +1000, Res wrote:
knowing that when they are done it works, not have to contact the NOC at 5AM because selinux has fucked them up the ass and they are stressing that their clients can't interact with them,
nice - thanks for the visual metaphor - good thing you won't be confused with someone with an objective point of view.
Stuff it Craig. Just because he doesn't have a view that coincides with yours, doesn't mean he doesn't have a right to say it.
stuff it?
The metaphor employed by Res simply is not appropriate for the list. His point of view is/was/has been a non sequitur...and the reference to repetitive anal insertion is at best stupid.
Should anyone infer something from your defense of his anal insertion references?
That is not worth an answer, it was a figure of speech YOU chose to concentrate on.
Sounds like maybe you're not up to the task, despite those years of experience you brag about.
Res res@ausics.net wrote: ...some of these are ticket services for major events and so on, it makes them think twice about renewing, because they see it as a problem they have experienced and think "is this going to happen every time I make major changes".. etc etc
On 9/25/07, Res res@ausics.net wrote:
get your hand off it. some of us baby out the windows throwing idiots have been doing this probably longer than you have been conceived.
obviously you see some point in that statement of yours, i don't - since when does "doing something for a long time" automatically translate into "doing something well"?
I, like thousands of other network managers would rather have their servers ONLINE working without dramas for paying customers, than to have to take the things offline constantly to mess around with something which is a nuisance and interferes with our paying customers' services
what does that sentiment have to do with this thread?
if they want to install a new program on a shared or dedicated host server at 4am to minimise downtime to their clients, they should be able to do it knowing when they are done it works, not have to contact the NOC at 5AM because selinux has fucked them up the ass and they are stressing their clients can't interact with them, some of these are ticket services for major events and so on, it makes them think twice about renewing, because they see it as a problem they have experienced and think "is this going to happen every time I make major changes".. etc etc
you know, the more you talk, the less sense you make. What does any of this have to do with SELinux, unless you decided to put SELinux in strict mode, it won't interfere with whatever custom apps your supposed clients want to install. Seriously, if you're going to contribute to this thread do so, you're just spreading FUD as it is.
On Tue, 25 Sep 2007, Arthur Pemberton wrote:
obviously you see some point in that statement of yours, i don't - since when does "doing something for a long time" automatically translate into "doing something well"?
The fact that my customers have no downtime says it all, and they mean a damn sight more to me than some wanker on a mailing list.
what does that sentiment have to do with this thread?
about as much as some of your posts, and, i had not realised they replaced Bill N @ RH with you as the senior moderator, oh my bad, you too can go play with yourself
On 9/24/07, Beartooth Beartooth@swva.net wrote:
On Sun, 23 Sep 2007 17:06:11 -0500, Arthur Pemberton wrote:
On 9/23/07, Rahul Sundaram sundaram@fedoraproject.org wrote:
Beartooth wrote:
Hmmm ... So if I disable it, I better leave it disabled till the next release of Fedora?
Before you enable it again, you can make it relabel everything according to the default policy by following the steps outlined in the SELinux FAQ at http://docs.fedoraproject.org. Otherwise labels for files created when SELinux was disabled would be incorrect and likely to cause problems.
I don't think anyone complaining here has read the docs, but still, this link may also help: http://fedoraproject.org/wiki/SELinux
Well, I tried both again -- and they're still geek to me. I feel like a kid doing well in high school geometry who has picked up a third-year college calculus text, and found himself being told to derive all the formulae in Peirce's Tables. Yaaa, shuuure ...
Sorry about that. And just to repeat, I hope the example makes clear that I have no doubt the explanations are correct. And with a degree in mathematics, I'm not afraid of subtlety nor complexity per se; it's just that I'm not going to live enough longer to learn all you have to know to read such documents, however excellent they be on their own level.
It's quite possible that some of us are simply incapable of seeing the complexity in SElinux. Since I first came across it (in FC2), I believe that I have spent less than an hour actually reading through its docs (tutorials,FAQs, MANs).
On the other hand, I find Calculus 3 to be quite challenging.
Arthur Pemberton wrote:
I don't think anyone complaining here has read the docs, but still, this link may also help: http://fedoraproject.org/wiki/SELinux
My opinions were formed by reading the documentation available at nsa.gov concerning the goals of and means used by SELinux. Neither the goals nor the means, as described by the originator of SELinux, do I consider to be of value for my particular situation. Since SELinux is not "small", and it has a pervasive effect upon applications (the docu you point to mentions approximately 50 apps required change, not to mention the kernel and libraries) it is not something which I wish to install, let alone run. Having SELinux is sure to introduce defects.
However, since you seem to feel that Fedora's description might be more appealing for some reason, I went to the link you suggest, and read everything under "Understanding SELinux". After doing that, I find myself completely unmoved in my position. In fact, the description I found there was less informative than NSA's website.
Incidentally, the documentation you suggest reading states both that most apps can remain "SELinux unaware" and let the policy makers handle everything, and that "leaving apps SELinux unaware" may lead to confusing the app and user both, since all access rights may be correct, but the app simply gets "access denied".
My understanding and opinion of SELinux' goals and means are both unchanged.
If I had a huge installation of highly sensitive information and needed to be able to tell my bosses that I was doing everything I could to protect it, regardless of how really useful or effective the techniques used would be, then I'd install and run SELinux. We used to say "no one ever got fired for buying IBM".
For my machine, which has exactly one real user, and no sensitive information on it at all (only private information), I believe that the disadvantages far outweigh the advantages. There are exactly three users which can actually log on to my machine:
root me bird
That last one is a user I created recently, and which runs only in a chroot jail. I created it specifically for experimenting with chroot.
It appears to me that RH is courting large corporate or government users where political considerations and the ability to dodge responsibility are important, rather than stand-alone small desktop systems with single or just a very few actual users.
That's fine.
It does mean that RH products and their derivatives are not appealing to me.
I think it would be better if they had the option simply not to install.
I don't understand any rancor on any side of this issue.
Mike
On 9/24/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
It does mean that RH products and their derivatives are not appealing to me.
I think it would be better if they had the option simply not to install.
They may not have the option, but you certainly do.
As an aside, feel free to dig into the code and make SELinux more modular if you would like to not install, or petition for the provision of non SELinux kernels, but please don't ask to have it removed.
Arthur Pemberton wrote:
On 9/24/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
It does mean that RH products and their derivatives are not appealing to me.
I think it would be better if they had the option simply not to install.
They may not have the option, but you certainly do.
Yep.
As an aside, feel free to dig into the code and make SELinux more modular if you would like to not install, or petition for the provision of non SELinux kernels,
This I have and do, and so far am getting lambasted for it. (Well, not the "dig into the source and change it".) However, it involves much more than just the kernel.
but please don't ask to have it removed.
I didn't, I haven't, I won't.
Mike
that the disadvantages far outweigh the advantages. There are exactly three users which can actually log on to my machine:
You hope...
It appears to me that RH is courting large corporate or government users where political considerations and the ability to dodge responsibility are important, rather than stand-alone small desktop systems with single or just a very few actual users.
SELinux is useful in both cases. Large corporations may well use custom rules to protect critical data or enforce policies (eg 'no you can't run anything you download').
In the general case it's there to protect all systems and users by doing its best to divide up the different aspects of a machine and make it very hard to use one part of the system to break another and build a chain of steps ending in compromise. The number of official users of a box is really irrelevant, and to a large extent so is the data on it. A compromised box gets used for spamming, attacking other hosts and more. Insecure systems are antisocial regardless of whether their owner is inconvenienced.
I don't doubt plenty of people on this list who don't run SELinux do run a tight ship, do check for compromises and don't leave compromised machines on the net. There are however plenty of people who are sloppy, or simply don't have the skill needed to run the box properly - and that's one good reason for defaulting firewalls and selinux on - to ship a default level of security appropriate to external risk. Allowing users to turn off security is generally better than assuming they will read the manual and turn it on.
I think it would be better if they had the option simply not to install.
It's a bit like asking for a car to come with automatic or manual transmission. It isn't a last minute extra you fit like a headrest; it's intrinsic to the very build of the system.
There are sound engineering reasons why "rpm -e selinux" isn't doable (or believe me we'd have done it that way!)
Alan
Alan Cox wrote:
that the disadvantages far outweigh the advantages. There are exactly three users which can actually log on to my machine:
You hope...
:-)
It appears to me that RH is courting large corporate or government users where political considerations and the ability to dodge responsibility are important, rather than stand-alone small desktop systems with single or just a very few actual users.
SELinux is useful in both cases. Large corporations may well use custom rules to protect critical data or enforce policies (eg 'no you can't run anything you download').
This is a subjective, not objective, assessment.
In the general case it's there to protect all systems and users by doing
I'm aware of the intent.
[snip]
default level of security appropriate to external risk. Allowing users to turn off security is generally better than assuming they will read the manual and turn it on.
We agree there.
I think it would be better if they had the option simply not to install.
It's a bit like asking for a car to come with automatic or manual transmission. It isn't a last minute extra you fit like a headrest; it's intrinsic to the very build of the system.
I guess you missed my comment (easy to do in this thread) that HAD IT BEEN DONE RIGHT at the start, it would be much easier than trying to retrofit now.
There are sound engineering reasons why "rpm -e selinux" isn't doable (or believe me we'd have done it that way!)
Yes, that is not easily doable. But that's not the same as "don't install on my otherwise blank disc".
By your own count, there are something like 50 apps which are SELinux aware, along with some libraries, and the kernel. These would need different versions, one SELinux, one not.
Mike
It's a bit like asking for a car to come with automatic or manual transmission. It isn't a last minute extra you fit like a headrest; it's intrinsic to the very build of the system.
I guess you missed my comment (easy to do in this thread) that HAD IT BEEN DONE RIGHT at the start, it would be much easier than trying to retrofit now.
It was done right from the beginning at least unless you mean Linus should have adopted a non-Unix MAC type security model from 0.01 ?
Security models are not add-ons. They require the underlying design is properly compartmentalised and divided. You cannot make a system with an insecure design secure by adding things (just ask Microsoft).
By your own count, there are something like 50 apps which are SELinux aware, along with some libraries, and the kernel. These would need different versions, one SELinux, one not
Why ? The few code paths executed in the selinux=0 boot case are not interesting and do no harm.
Alan
On Sun, 2007-09-23 at 14:56 -0400, David Boles wrote:
everyone told you correctly that disabled really does mean that. Several mentioned something about 'disabled' that I have not seen you address. SELinux is not like a lamp. On (enabled/enforcing) and Permissive (enabled/reports only) keep the SELinux 'system' active and 'up to date' with the permissions. Disabled (off) does not. So turning it off for a time and then turning it back on will most likely cause problems, from what I understand.
I'm fairly sure I've seen that mentioned in this thread, somewhere along the line. However, doing a relabel ought to put things to rights, if one wanted to start using SELinux after your system had been used with it turned off.
On Fri, 2007-09-21 at 05:44 -0600, Karl Larsen wrote:
This whole thing reads to me that SELinux is the linux version of Norton or Avguard to Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
Unless there's a serious fault, SELinux doesn't prevent you from installing software, nor prevent things from working properly. It does prevent things from working abnormally. And doesn't get in the way in the normal run of things.
I can't say the same for protective software on Windows. It frequently does break the normal behaviour of the system.
So I decided to turn off SELinux even though it was not the thing to do according to the loader. I am glad I did so. I don't need the Norton problem on my F7.
Interpretation of the above: I know nothing about this, therefore I will denigrate and ignore it.
On Sat, 2007-09-22 at 14:11 +0930, Tim wrote:
On Fri, 2007-09-21 at 05:44 -0600, Karl Larsen wrote:
This whole thing reads to me that SELinux is the linux version of Norton or Avguard to Windows. It will capture and keep the offending file from doing its worst.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
Unless there's a serious fault, SELinux doesn't prevent you from installing software, nor prevent things from working properly.
Why do you think this thread exists? Because SELinux on Fedora does prevent things from working properly!
Why do you think the SELinux-policy packages in Fedora get updated such kind of frequently? A nice amount of these simply are fixes to broken rules.
Ralf
Tim:
Unless there's a serious fault, SELinux doesn't prevent you from installing software, nor prevent things from working properly.
Ralf Corsepius:
Why do you think this thread exists? Because SELinux on Fedora does prevent things from working properly!
Mostly because of about two or three people griping that their kitten is not a pony.
*Usually* I find it doesn't prevent things from working properly, and the occasions that rarely happens, a fix is the solution, and fairly rapidly, too.
It does often prevent some things from working improperly (a little fact that some choose to ignore).
Why do you think the SELinux-policy packages in Fedora get updated such kind of frequently? A nice amount of these simply are fixes to broken rules.
But yes, there are snags from time to time, and they do get fixed. And that's a much better solution than just throwing the whole kit and kaboodle away, as some would advocate.
On Sat, 2007-09-22 at 15:37 +0930, Tim wrote:
Ralf Corsepius:
Why do you think the SELinux-policy packages in Fedora get updated such kind of frequently? A nice amount of these simply are fixes to broken rules.
But yes, there are snags from time to time, and they do get fixed. And that's a much better solution than just throwing the whole kit and kaboodle away, as some would advocate.
I can fully relate to people who feel sufficiently annoyed to throw it away after having been nagged by 7 Fedora releases and things not having reached the amount of usability they would like to see.
Their preference, their decision, their responsibility - Where's the problem? I don't see any.
Ralf
Mostly because of about two or three people griping that their kitten is not a pony.
It's also worth noting that those people appear to be basing their opinions on extremely elderly fedora core releases. If their only experience is with SELinux as on FC(1/2), then I'm not surprised they are moaning. It did cause a few problems back then and was difficult to use, since all the user friendly admin tools have come along afterwards (I think there is a case to argue it was not quite mature enough when first introduced). But now, it seems quite a slick product.
Chris
Chris Jones wrote:
Mostly because of about two or three people griping that their kitten is not a pony.
It's also worth noting that those people appear to be basing their opinions on extremely elderly fedora core releases. If their only experience is with SELinux as on FC(1/2), then I'm not surprised they are moaning. It did cause
I suppose you refer to me. I based my opinion of SELinux on reading the NSA's website describing the goals of and means used in SELinux. Since I don't find either the goals nor the means appealing, I prefer not to install it.
[snip]
argue it was not quite mature enough when first introduced). But now, it seems quite a slick product.
It's just "slick".
Mike
On Fri, Sep 21, 2007 at 05:44:20 -0600, Karl Larsen k5di@zianet.com wrote:
This whole thing reads to me that SELinux is the linux version of Norton or Avguard to Windows. It will capture and keep the offending file from doing its worst.
SELinux does not work like an anti virus program.
My friends with Windows cuss both software because it makes a mess out of doing normal things like installing new software.
SELinux in targeted mode won't cause many problems for installing software as the new stuff is probably going to be running as unconfined unless the software comes with its own SELinux policy, in which case it will also likely work.
There are very few Linux users. There are millions of Windows users. A guy writing a virus will write it for Windows every time! Nowadays they are spending time in prison.
Very few virus writers have gone to prison. Writing malware is one of the safer criminal activities.
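An added example, not posted by Bruno or anyone else in this thread: before concluding that SELinux "prevents things from working properly", it helps to see exactly which domain was denied what. The script below pulls the source domain, permission, object class and target type out of AVC records in the audit log and counts denials per domain. The two AVC lines in sample_avc are constructed for the example, not taken from any real machine, and the script and function names are mine. In targeted policy a process running as unconfined_t is left almost entirely alone, so, as Bruno says, software you install yourself rarely shows up here; what does show up is a confined daemon such as httpd touching a file with the wrong type, and the fix for that is restorecon on the file, not turning SELinux off.

```shell
#!/bin/sh
# avc_summary.sh (added example): summarise SELinux AVC denials.
# Usage: sh avc_summary.sh /var/log/audit/audit.log   or   sh avc_summary.sh --demo

# Two constructed AVC records plus one unrelated SYSCALL record, in the
# format auditd writes; not from any real machine.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1190361600.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190361601.456:457): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1190361601.456:457): arch=c000003e syscall=42 success=no exit=-13
EOF
}

# Read audit records on stdin; print one line per denial:
#   <source domain> <permission(s)> <object class> <target type>
avc_fields() {
    grep 'avc:  denied' | sed -n \
        's/.*denied  { \([^}]*\) } for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \1 \4 \3/p'
}

# Count denials per source domain, sorted by domain name.
denials_per_domain() {
    avc_fields | awk '{ n[$1]++ } END { for (d in n) print d, n[d] }' | sort
}

# Targeted policy leaves unconfined_t alone; a denial with any other source
# domain means a confined daemon hit a rule, so look at the target type
# before touching policy: a wrong type on the file is fixed with restorecon.
is_confined() {
    [ "$1" != unconfined_t ]
}

case "${1:-}" in
    --demo) sample_avc | avc_fields; echo; sample_avc | denials_per_domain ;;
    "")     : ;;                       # no file given: define the functions only
    *)      cat "$@" | avc_fields; echo; cat "$@" | denials_per_domain ;;
esac
```

In the constructed sample the first denial is httpd_t reading a file of type user_home_t: a web server hitting content that still carries the home-directory type, which is the mislabelling case rather than a policy bug. The second is httpd_t connecting to the MySQL port, which is a genuine policy decision and the kind of thing a policy update or a local boolean is for.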
Bruno Wolff III wrote:
On Fri, Sep 21, 2007 at 05:44:20 -0600, Karl Larsen k5di@zianet.com wrote:
This whole thing reads to me that SELinux is the linux version of Norton or Avguard to Windows. It will capture and keep the offending file from doing its worst.
SELinux does not work like an anti virus program.
It works very much like FluShot+ for MSDOS did.
[snip]
I wouldn't know.
Mike
Mike McCarty wrote:
Bruno Wolff III wrote:
On Fri, Sep 21, 2007 at 05:44:20 -0600, Karl Larsen k5di@zianet.com wrote:
This whole thing reads to me that SELinux is the linux version of Norton or Avguard to Windows. It will capture and keep the offending file from doing its worst.
SELinux does not work like an anti virus program.
It works very much like FluShot+ for MSDOS did.
An antivirus program of any sort has pretty much nothing in common with Mandatory Access Control. I am not sure what sort of relationship you see in between them.
Rahul
On Tue, 2007-09-25 at 02:30 +0530, Rahul Sundaram wrote:
Mike McCarty wrote:
Bruno Wolff III wrote:
SELinux does not work like an anti virus program.
It works very much like FluShot+ for MSDOS did.
An antivirus program of any sort has pretty much nothing in common with Mandatory Access Control. I am not sure what sort of relationship you see in between them.
If memory serves, Flu-shot+ attempted to prevent virus replication by redirecting system interrupts that would allow such. So I can sort of see how someone might draw a parallel in a narrow-minded sense. After that, however, the two diverge a lot conceptually.
Alan M. Evans wrote:
On Tue, 2007-09-25 at 02:30 +0530, Rahul Sundaram wrote:
Mike McCarty wrote:
Bruno Wolff III wrote:
SELinux does not work like an anti virus program.
It works very much like FluShot+ for MSDOS did.
An antivirus program of any sort has pretty much nothing in common with Mandatory Access Control. I am not sure what sort of relationship you see in between them.
If memory serves, Flu-shot+ attempted to prevent virus replication by redirecting system interrupts that would allow such. So I can sort of see how someone might draw a parallel in a narrow-minded sense. After that, however, the two diverge a lot conceptually.
Yes. The mechanics were similar to those of SELinux, but that's all. FluShot+ watched for "dangerous" activities, and would deny access. I don't see any particular correspondence between anti-viral software and SELinux generally, except in a very vague "prevent unauthorized access" sense. It's the mechanics of the working which is analogous.
Mike
Rahul Sundaram wrote:
Mike McCarty wrote:
Bruno Wolff III wrote:
On Fri, Sep 21, 2007 at 05:44:20 -0600, Karl Larsen k5di@zianet.com wrote:
This whole thing reads to me that SELinux is the linux version of Norton or Avguard to Windows. It will capture and keep the offending file from doing its worst.
SELinux does not work like an anti virus program.
It works very much like FluShot+ for MSDOS did.
An antivirus program of any sort has pretty much nothing in common with Mandatory Access Control. I am not sure what sort of relationship you see in between them.
FluShot+ hooked the INT 21 vector[*], and watched for certain kinds of accesses. When it detected certain accesses, it looked for permissions associated with the given application. If an application attempted an access to a file, and the file had certain "attributes" (like .EXE, .BAT, .COM extension, for example) and the application was not registered for that class of action, then the access was denied.
Open with write to a file which was considered executable by anything other than registered apps was denied. One registered his linkers. Also, attempts to use the direct access calls in the kernel or BIOS resulted in denial, like an attempt to write directly to disc. This is by no means a comprehensive list; I'm simply trying to show the analogy.
There were quite a few rules which could be set up. The system as shipped was rather restrictive, and as one encountered problems, one added more relaxations/exemptions to the rules until such time as one could use one's system more-or-less normally without constantly being warned and/or asked whether to override a rule when a denial was in progress.
[*] Used for all system calls, like open() etc. I don't know how familiar you may be with MSDOS usage. If you are already aware, then just ignore this.
Mike
On Fri, Sep 21, 2007 at 02:09:18 -0500, Arthur Pemberton pemboa@gmail.com wrote:
On 9/21/07, Bruno Wolff III bruno@wolff.to wrote:
Notably if you disable SELinux, files will no longer be properly labelled when they are created. So that if you later try to turn it back on, you will need to do a complete relabel.
Even then, doesn't restorecond automatically pickup the mislabeling eventually?
No. restorecond only handles a couple of special files. Typically it is used for stuff in a directory which contains files with multiple domains (different files have different domains not more than one per file) that might be edited and pick up the wrong domain.
On my system the files checked (as found in /etc/restorecond.conf) are:
/etc/resolv.conf
/etc/samba/secrets.tdb
/etc/mtab
/var/run/utmp
/var/log/wtmp
~/public_html
~/.mozilla/plugins/libflashplayer.so
On Thu, Sep 20, 2007 at 03:47:48PM +0000, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, you can't. You can remove some of the support daemons, but you can't remove the libraries because everything is linked against it.
You can put "selinux=0" on the kernel command line in grub.conf, though. That'll make it be disabled completely.
On Thu, 20 Sep 2007 12:04:02 -0400, Matthew Miller wrote:
On Thu, Sep 20, 2007 at 03:47:48PM +0000, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, you can't. You can remove some of the support daemons, but you can't remove the libraries because everything is linked against it.
You can put "selinux=0" on the kernel command line in grub.conf, though. That'll make it be disabled completely.
Hmmm... I *think* I see what "kernel command line" means ...
On one machine, I have this :
[root@localhost ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this
#file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.22.5-76.fc7)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.5-76.fc7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.22.5-76.fc7.img
title Fedora (2.6.22.4-65.fc7)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.4-65.fc7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.22.4-65.fc7.img
[root@localhost ~]#
So, iiuc, you're saying to leave a space after 'quiet' both times, and then add "selinux=0" after that space? Right?
Beartooth wrote:
Hmmm... I *think* I see what "kernel command line" means ...
On one machine, I have this :
[root@localhost ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this
#file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.22.5-76.fc7)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.5-76.fc7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.22.5-76.fc7.img
title Fedora (2.6.22.4-65.fc7)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.4-65.fc7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.22.4-65.fc7.img
[root@localhost ~]#
So, iiuc, you're saying to leave a space after 'quiet' both times, and then add "selinux=0" after that space? Right?
Correct but if you have it disabled in /etc/sysconfig/selinux, that's just the same.
See the SELinux FAQ in http://docs.fedoraproject.org.
Rahul
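An added example, not posted by anyone in this thread: a small POSIX shell script that puts together the two points made here, that selinux=0 on the kernel line overrides whatever SELINUX= says in /etc/sysconfig/selinux, and Bruno's earlier note that files created while SELinux was disabled are not labelled, so going from disabled back to permissive or enforcing needs a full relabel first. It assumes the config file is /etc/selinux/config (which /etc/sysconfig/selinux points to on Fedora), that the running kernel's options can be read from /proc/cmdline, and that touching /.autorelabel schedules the relabel on the next boot; the script and function names are mine.

```shell
#!/bin/sh
# selinux_mode_check.sh (added example, not from the thread)
# Works out which SELinux state a machine will boot into next and whether
# a full relabel must be scheduled first.
# Usage: sh selinux_mode_check.sh /etc/selinux/config

# Print the SELINUX= value from a config file (last uncommented one wins).
config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print "disabled" if the kernel command line carries selinux=0, else
# "config": the kernel option overrides whatever the config file says.
cmdline_mode() {
    case " $1 " in
        *" selinux=0 "*) echo disabled ;;
        *)               echo config   ;;
    esac
}

# Effective mode for the next boot, given the kernel command line string
# ($1) and the path of the config file ($2).
effective_mode() {
    if [ "$(cmdline_mode "$1")" = disabled ]; then
        echo disabled
    else
        config_mode "$2"
    fi
}

# Files created while SELinux was disabled carry no label, so moving from
# disabled to either enforcing or permissive needs a relabel on the next
# boot. Switching between enforcing and permissive does not.
needs_relabel() {   # $1 = current mode, $2 = next mode
    case "$1:$2" in
        disabled:enforcing|disabled:permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: compare what is running now with what the next boot will do.
# Only runs when a config path is given; with no argument the script just
# defines the functions above.
if [ "$#" -gt 0 ]; then
    cfg="$1"
    now=$(getenforce 2>/dev/null | tr 'A-Z' 'a-z')   # enforcing, permissive or disabled
    next=$(effective_mode "$(cat /proc/cmdline)" "$cfg")
    echo "running: ${now:-unknown}  next boot: ${next:-unknown}"
    if needs_relabel "${now:-disabled}" "$next"; then
        echo "schedule a full relabel before rebooting:  touch /.autorelabel"
    fi
fi
```

getenforce reports the running kernel's state, so after editing the file the two values can differ until the next reboot; that gap, between "disabled now" and "permissive next boot" without a relabel in between, is exactly the case the script is meant to catch.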
On Thu, 20 Sep 2007 21:44:37 +0530, Rahul Sundaram wrote:
So, iiuc, you're saying to leave a space after 'quiet' both times, and then add "selinux=0" after that space? Right?
Correct but if you have it disabled in /etc/sysconfig/selinux, that's just the same.
Aha! I knew there had to be some sort of such file somewhere. Many thanks! I changed 'permissive' to 'disabled' on my #3 machine, and am betting I'll never notice a difference. If so, I'll move up in time to #2, and then to #1.
See the SELinux FAQ in http://docs.fedoraproject.org.
Well, that's some improvement; I had been breaking my teeth & fingernails against the latest I had found, which was for FC5 -- knowing it was likely out of date ...
The GUI at System > Admin > SELinux Management reminds me of the early CD-burning software : great for Alpha Plus Technoids, no doubt, but hopelessly opaque to ordinary users.
(After nearly ten years' use, I can still barely claim to be not quite clueless. My life won't last long enough to work my way through all the undifferentiated detail in such places, even if I did nothing else for the rest of it.)
The various sound and media apps have come great lengths in recent years, by first choosing practical defaults, and then regimenting detail according to relative importance. Here's hoping the security gurux do equally well!
Beartooth wrote:
See the SELinux FAQ in http://docs.fedoraproject.org.
Well, that's some improvement; I had been breaking my teeth & fingernails against the latest I had found, which was for FC5 -- knowing it was likely out of date ...
Most of the answers still apply.
The GUI at System > Admin > SELinux Management reminds me of the early CD-burning software : great for Alpha Plus Technoids, no doubt, but hopelessly opaque to ordinary users.
Mostly, yeah. This is a very new tool. Will take sometime to mature.
Rahul
On Thursday 20 September 2007, Beartooth wrote:
On Thu, 20 Sep 2007 12:04:02 -0400, Matthew Miller wrote:
On Thu, Sep 20, 2007 at 03:47:48PM +0000, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, you can't. You can remove some of the support daemons, but you can't remove the libraries because everything is linked against it.
You can put "selinux=0" on the kernel command line in grub.conf, though. That'll make it be disabled completely.
Hmmm... I *think* I see what "kernel command line" means ...
On one machine, I have this :
[root@localhost ~]# cat /etc/grub.conf
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this
#file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Fedora (2.6.22.5-76.fc7)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.5-76.fc7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.22.5-76.fc7.img
title Fedora (2.6.22.4-65.fc7)
        root (hd0,0)
        kernel /vmlinuz-2.6.22.4-65.fc7 ro root=/dev/VolGroup00/LogVol00 rhgb quiet
        initrd /initrd-2.6.22.4-65.fc7.img
[root@localhost ~]#
So, iiuc, you're saying to leave a space after 'quiet' both times, and then add "selinux=0" after that space? Right?
Right.
-- Beartooth Staffwright, PhD, Neo-Redneck Linux Convert Remember I know precious little of what I am talking about.
Matthew Miller wrote:
On Thu, Sep 20, 2007 at 03:47:48PM +0000, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, you can't. You can remove some of the support daemons, but you can't remove the libraries because everything is linked against it.
You can put "selinux=0" on the kernel command line in grub.conf, though. That'll make it be disabled completely.
Define "disabled completely" Any defects in the libraries are still present on the machine. Some of the vulnerabilities SELinux introduces are still present.
Mike
On 9/20/07, Beartooth Beartooth@swva.net wrote:
I keep it set to -- supposedly -- NON-enforcing, because of thewarning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
system-config-securitylevel
Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
SELinux is not a "thing". It is a way of writing apps. Certain apps must be "SELinux aware". Unfortunately, that makes it like a source code virus, which invades everything on the system. There is no way to remove it without either reverting to an earlier version of the source, or getting copies of the source and (if the developers were smart enough) recompiling with some define changed (like #define SELINUX 0) or editing out all the crap to get rid of it.
It's too bad that Red Hat has jumped on the SELinux bandwagon so wholeheartedly. That is, it is for those of us who don't like it, but want to use Red Hat products or projects.
Mike
On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
It's too bad that Red Hat has jumped on the SELinux bandwagon so wholeheartedly. That is, it is for those of us who don't like it, but want to use Red Hat products or projects.
One of the (almost) unsung benefits of it is to do with created software.
If the programmers use a system with SELinux, they're forced into writing their software better. And we end up with software which doesn't require dangerous executable things in places they shouldn't be, doesn't try to access files it shouldn't, etc. They can, of course, just write it any old way, and it won't work on our systems. Or try to get us to use sloppy security to allow it, but probably won't succeed in getting that approach accepted.
On the other hand, without any SELinux, trying to make your system secure, when you're using programs that the software authors had free-range to do any old crap in the first place, is much more difficult.
Tim wrote:
On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
It's too bad that Red Hat has jumped on the SELinux bandwagon so wholeheartedly. That is, it is for those of us who don't like it, but want to use Red Hat products or projects.
One of the (almost) unsung benefits of it is to do with created software.
If the programmers use a system with SELinux, they're forced into writing their software better. And we end up with software which
They are forced into writing it SELinux aware. That is not part of my definition of "better".
[snip]
On the other hand, without any SELinux, trying to make your system secure, when you're using programs that the software authors had free-range to do any old crap in the first place, is much more difficult.
I don't like to load and run crap. Do you? That's one reason I don't have SELinux enabled on the machines I administer. Not all of them are FC2, BTW.
Note that SELinux does not attempt to make a machine more secure, except in a very general sense. It attempts to mitigate damage on a machine WHICH IS ALREADY COMPROMISED.
It does little AFAICT to prevent compromise.
Mike
On Fri, 2007-09-21 at 09:59 -0500, Mike McCarty wrote:
Tim wrote:
On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
It's too bad that Red Hat has jumped on the SELinux bandwagon so wholeheartedly. That is, it is for those of us who don't like it, but want to use Red Hat products or projects.
One of the (almost) unsung benefits of it is to do with created software.
If the programmers use a system with SELinux, they're forced into writing their software better. And we end up with software which
They are forced into writing it SELinux aware. That is not part of my definition of "better".
[snip]
On the other hand, without any SELinux, trying to make your system secure, when you're using programs that the software authors had free-range to do any old crap in the first place, is much more difficult.
I don't like to load and run crap. Do you? That's one reason I don't have SELinux enabled on the machines I administer. Not all of them are FC2, BTW.
Note that SELinux does not attempt to make a machine more secure, except in a very general sense. It attempts to mitigate damage on a machine WHICH IS ALREADY COMPROMISED.
It does little AFAICT to prevent compromise.
Mike
Quick hit and run, here, before I call it a weekend...
My cousin is an auto mechanic and several years ago he said something which you've just repeated in different terms.
We were arguing Air Bag vs Anti-Lock Braking System. He said given the choice of only one, it would be insanity to take the AB. I says, "Huh?". He says, "Isn't it more important to avoid the accident in the first place?"
Brilliant.
Of course the right choice is to have them both, but given the choice of one, you're on the money IMO, Mike.
Andy
On 9/21/07, Andrew Kelly akelly@corisweb.org wrote:
On Fri, 2007-09-21 at 09:59 -0500, Mike McCarty wrote:
Tim wrote:
On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
It's too bad that Red Hat has jumped on the SELinux bandwagon so wholeheartedly. That is, it is for those of us who don't like it, but want to use Red Hat products or projects.
One of the (almost) unsung benefits of it is to do with created software.
If the programmers use a system with SELinux, they're forced into writing their software better. And we end up with software which
They are forced into writing it SELinux aware. That is not part of my definition of "better".
[snip]
On the other hand, without any SELinux, trying to make your system secure, when you're using programs that the software authors had free-range to do any old crap in the first place, is much more difficult.
I don't like to load and run crap. Do you? That's one reason I don't have SELinux enabled on the machines I administer. Not all of them are FC2, BTW.
Note that SELinux does not attempt to make a machine more secure, except in a very general sense. It attempts to mitigate damage on a machine WHICH IS ALREADY COMPROMISED.
It does little AFAICT to prevent compromise.
Mike
Quick hit and run, here, before I call it a weekend...
My cousin is an auto mechanic and several years ago he said something which you've just repeated in different terms.
We were arguing Air Bag vs Anti-Lock Braking System. He said given the choice of only one, it would be insanity to take the AB. I says, "Huh?". He says, "Isn't it more important to avoid the accident in the first place?"
Brilliant.
Of course the right choice is to have them both, but given the choice of one, you're on the money IMO, Mike.
Andy
Why would someone have to choose only one?
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Tim wrote:
On Thu, 2007-09-20 at 15:36 -0500, Mike McCarty wrote:
It's too bad that Red Hat has jumped on the SELinux bandwagon so wholeheartedly. That is, it is for those of us who don't like it, but want to use Red Hat products or projects.
One of the (almost) unsung benefits of it is to do with created software.
If the programmers use a system with SELinux, they're forced into writing their software better. And we end up with software which
They are forced into writing it SELinux aware. That is not part of my definition of "better".
You could give google a try to see how much others agree. As in, others who've found and fixed bugs in their apps due to SELinux.
On the other hand, without any SELinux, trying to make your system secure, when you're using programs that the software authors had free-range to do any old crap in the first place, is much more difficult.
I don't like to load and run crap. Do you? That's one reason I don't have SELinux enabled on the machines I administer. Not all of them are FC2, BTW.
Because calling a piece of software crap because you don't like it is the mark of good administration.
Note that SELinux does not attempt to make a machine more secure, except in a very general sense. It attempts to mitigate damage on a machine WHICH IS ALREADY COMPROMISED.
It does little AFAICT to prevent compromise.
Further proving that you are not properly informed about it. Please, do a little research into the matter.
Arthur Pemberton wrote:
[snip]
Further proving that you are not properly informed about it. Please, do a little research into the matter.
The approach is wrong-headed. I don't need to investigate further something which is on the wrong path. Since I don't like the entire approach, I don't need the details.
Mike
Mike McCarty wrote:
Arthur Pemberton wrote:
[snip]
Further proving that you are not properly informed about it. Please, do a little research into the matter.
The approach is wrong-headed. I don't need to investigate further something which is on the wrong path. Since I don't like the entire approach, I don't need the details.
Mike
Hmm - the approach is wrong-headed because I say it is wrong-headed. I know it is true, so I do not have to look at anything that says otherwise. That sounds like a religious conviction.
Mikkel
Mikkel L. Ellertson wrote:
Mike McCarty wrote:
Hmm - the approach is wrong-headed because I say it is wrong-headed. I know it is true, so I do not have to look at anything that says otherwise. That sounds like a religious conviction.
Call it what you like. If I get compromised, then I'm going to reload my system, anyway. I don't care how much of it got toasted along the way, and it's probably too much effort to go picking around in the rubble. I do regular backups, and I'll be able to get my data back from backup, anyway. The system areas I'm not going to try to salvage.
I have a desktop, not a bunch of credit card numbers. I keep no information on my machine, such as bank account numbers, which might be consequential if someone got access to them.
I don't care if I lose one day's e-mail, or even a week's loss. As often as I get the feeling that if I lost data I might miss it, I do a backup. In fact, I feel one coming on Real Soon Now.
Mike
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
[snip]
Further proving that you are not properly informed about it. Please, do a little research into the matter.
The approach is wrong-headed. I don't need to investigate further something which is on the wrong path. Since I don't like the entire approach, I don't need the details.
Mike
Umm, ok.
Tim:
One of the (almost) unsung benefits of it is to do with created software.
If the programmers use a system with SELinux, they're forced into writing their software better. And we end up with software which
Mike McCarty:
They are forced into writing it SELinux aware. That is not part of my definition of "better".
This is you trying to fit it into your blinkered view. You harp on about it being about mitigating already compromised machines, which is an over-simplification to the point of being stupidly and utterly wrong.
Ignoring your ignorance, for the moment. If you read what I wrote, and snipped off. Writing to support working with SELinux means writing software in a better manner so that it doesn't expect to be able to do things that it shouldn't be allowed to (accessing files it has no business doing so, being executable in places that it shouldn't, and so on). It's *that* sort of thing that makes for better programming. If you can't grasp that, you're not up to the task of programming in a safe manner.
Note that SELinux does not attempt to make a machine more secure, except in a very general sense. It attempts to mitigate damage on a machine WHICH IS ALREADY COMPROMISED.
Bollocks!
It does little AFAICT to prevent compromise.
Oh do some research!
Tim wrote:
Tim:
One of the (almost) unsung benefits of it is to do with created software.
If the programmers use a system with SELinux, they're forced into writing their software better. And we end up with software which
Mike McCarty:
They are forced into writing it SELinux aware. That is not part of my definition of "better".
This is you trying to fit it into your blinkered view. You harp on about it being about mitigating already compromised machines, which is an over-simplification to the point of being stupidly and utterly wrong.
Ignoring your ignorance, for the moment. If you read what I wrote, and
[...]
Oh do some research!
My ignorance is based on reading NSA's descriptions of SELinux. Now, I've read some of Red Hat's docu as well.
Still ignorant, I guess.
Mike
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
-- Beartooth Staffwright, PhD, Neo-Redneck Linux Convert Remember I know precious little of what I am talking about.
on 9/20/2007 11:30 PM, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
On Thu, Sep 20, 2007 at 11:49:41PM -0400, David Boles wrote:
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
If you do this, are you still paying the performance penalty but with no security gain?
on 9/21/2007 10:13 AM, Matthew Miller wrote:
On Thu, Sep 20, 2007 at 11:49:41PM -0400, David Boles wrote:
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
If you do this, are you still paying the performance penalty but with no security gain?
What performance penalty?
Matthew Miller wrote:
On Thu, Sep 20, 2007 at 11:49:41PM -0400, David Boles wrote:
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
If you do this, are you still paying the performance penalty but with no security gain?
Depends on what you mean by "performance penalty". One measure of performance is RAM utilization. If SELinux is built into the distro, then it eats RAM regardless of whether it be "enforcing". Furthermore, some of the code in it gets executed, no matter what. Defects in that code are always waiting for the circumstances to be right (or wrong, one might say) to be triggered.
Mike
On Fri, 2007-09-21 at 10:44 -0500, Mike McCarty wrote:
Matthew Miller wrote:
On Thu, Sep 20, 2007 at 11:49:41PM -0400, David Boles wrote:
If you do this, are you still paying the performance penalty but with no security gain?
Depends on what you mean by "performance penalty". One measure of performance is RAM utilization. If SELinux is built into the distro, then it eats RAM regardless of whether it be "enforcing". Furthermore, some of the code in it gets executed, no matter what.
What you say is right on the spot. I have a low end (i586) machine which kills itself by running out of memory during selinux-policy updates or relabel actions.
Ralf
On Thu, 20 Sep 2007 23:49:41 -0400, David Boles wrote:
[....]
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
Here's an interesting discovery. On a machine where I haven't touched selinux since installing F7, I get this:
[root@localhost btth]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
[root@localhost btth]#
Note that it says "targeted" -- typically, without giving me any faintest hint at what. The same file on the machine I disabled selinux from yesterday is the same except for "disabled" instead of "permissive."
I *hope* targeted makes no difference so long as selinux is disabled. But that doesn't tell me what is targeted on the other machines, nor whether the default choices fit my kind of situation. (If they do, I'll take it on faith that they're well chosen.)
Beartooth wrote:
I *hope* targeted makes no difference so long as selinux is disabled. But that doesn't tell me what is targeted on the other machines, nor whether the default choices fit my kind of situation. (If they do, I'll take it on faith that they're well chosen.)
Targeted covers a specific set of software while strict is more comprehensive but also more specialized. Targeted is the default policy in Fedora.
See the SELinux FAQ at http://docs.fedoraproject.org for more details.
Rahul
On 9/21/07, Beartooth Beartooth@swva.net wrote:
On Thu, 20 Sep 2007 23:49:41 -0400, David Boles wrote:
[....]
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
Here's an interesting discovery. On a machine where I haven't touched selinux since installing F7, I get this:
[root@localhost btth]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
[root@localhost btth]#
Note that it says "targeted" -- typically, without giving me any faintest hint at what. The same file on the machine I disabled selinux from yesterday is the same except for "disabled" instead of "permissive."
I *hope* targeted makes no difference so long as selinux is disabled. But that doesn't tell me what is targeted on the other machines, nor whether the default choices fit my kind of situation. (If they do, I'll take it on faith that they're well chosen.)
It is targeted at daemons for which rules have been explicitly written and are available on the machine.
Around 04:35pm on Friday, September 21, 2007 (UK time), Beartooth scrawled:
Here's an interesting discovery. On a machine where I haven't touched selinux since installing F7, I get this:
[root@localhost btth]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
[root@localhost btth]#
Note that it says "targeted" -- typically, without giving me any faintest hint at what. The same file on the machine I disabled selinux
In the comment immediately before the SELINUXTYPE=targeted, it states: "targeted - Only targeted network daemons are protected". More than a faint hint I would say, and in the most convenient possible of places.
Steve
On Fri, 21 Sep 2007 16:50:41 +0100, Steve Searle wrote:
Note that it says "targeted" -- typically, without giving me any faintest hint at what. The same file on the machine I disabled selinux
In the comment immediately before the SELINUXTYPE=targeted, it states: "targeted - Only targeted network daemons are protected". More than a faint hint I would say, and in the most convenient possible of places.
More than one to you; less than one to me. All the words are English, and the meaning is beyond my imagination -- as is yours. The problem, as I keep repeating, is mainly that those of you who know the most have forgotten how *little* it is possible to know about what are after all *your* specialties.
Example : a botanist would have no trouble with another botanist who named all plants only in Linnean Latin -- and might well prefer it. It's more concise and more unequivocal. But the likes of me would get nothing from that other botanist, despite endless good will.
For Latin read something like "computer concepts."
On Sat, 2007-09-22 at 18:40 +0000, Beartooth wrote:
Example : a botanist would have no trouble with another botanist who named all plants only in Linnean Latin -- and might well prefer it. It's more concise and more unequivocal. But the likes of me would get nothing from that other botanist, despite endless good will.
Actually, in that case, you probably would. You could look up the Latin and find out that the name of the tree means "tall tree with long thin leaves." I kid you not, that's how many trees are named in Latin. It's amusingly childish, on the face of it.
On Fri, Sep 21, 2007 at 15:35:51 +0000, Beartooth Beartooth@swva.net wrote:
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
Note that it says "targeted" -- typically, without giving me any faintest hint at what. The same file on the machine I disabled selinux from yesterday is the same except for "disabled" instead of "permissive."
You didn't happen to notice the comment lines preceding the definition? Though it is a bit out of date as the targeted policy is covering some non-daemons now. But most stuff run by users is going to run in the unconfined domain. In F8 there will be a way to have some users run programs in a confined domain by default.
I *hope* targeted makes no difference so long as selinux is disabled. But that doesn't tell me what is targeted on the other machines, nor whether the default choices fit my kind of situation. (If they do, I'll take it on faith that they're well chosen.)
It makes a difference in permissive in that newly created files get a context based on the definitions from the policy being used. This doesn't happen when SELinux is disabled, which is related to why this mode is discouraged.
Even in disabled mode it might have some effect if you were to run some of the relabelling programs. I never tried that though and it's possible they wouldn't actually do any relabelling when SELinux is disabled.
on 9/20/2007 11:30 PM, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
On Thu, 2007-09-20 at 23:51 -0400, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
---- got a problem with system-config-security?
On KDE, it's in Administration menu called Firewall and SELinux
see selinux tab - changed to Disabled - click OK
Craig
on 9/20/2007 11:59 PM, Craig White wrote:
On Thu, 2007-09-20 at 23:51 -0400, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
got a problem with system-config-security?
On KDE, it's in Administration menu called Firewall and SELinux
see selinux tab - changed to Disabled - click OK
Craig
I have no problem with 'system-config-security' but not knowing which WM he is using I tried to give a 'fits-all' type of suggestion so there was no email tag while trying to find it in the menu.
Not everyone uses KDE. I use GNOME myself. So I would not really know just where to find it in a KDE menu.
On Thursday 20 September 2007, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
Rahul, Stephen Smalley and I went round and round over this several months ago, and I frankly don't care what you put in whatever /etc/sysconfig file, and there have been at least 3 named here in the last 72 hours, if you really want to disable it AND use the machine for something other than a training exercise in writing selinux rules from scratch, and figuring out how to protect them from yum/smart update activities, you WILL use the "crude" way because it's the only one that actually works.
With this file in effect:
[root@coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted
cups was denied access to my usb printer.
heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a usb-serial adaptor. It was also denied access to a regular serial port when the cm11a was hooked up to one of the 2 very precious serial ports on this box.
bulldog, the monitor for belkin ups's, was denied access to both the serial port and the usb port to talk to the ups.
There were probably more no-shows on this busy machine, but by then I was ready to switch distros to something that didn't cross-breed with selinux. Steven suggested I try the grub command I've quoted here, and magically everything started working once I'd undone the configuration messes I'd made trying to make it work when it had been working very well for FC2.
So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should be all that's required. That information has already been through the bovine digestive tract once, and should be treated as such, chopped up, and spread on a cornfield and plowed back in cuz that is all it's good for.
Worse yet, it's being spewed by people who have an image of being authoritative about it when by my personal testing, it's an outright lie.
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
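The two messages above disagree about whether /etc/selinux/config (the same file as /etc/sysconfig/selinux) or the kernel line in grub.conf decides the mode, and the report just given is the classic symptom of trusting the file while the running kernel still enforces. The script below is an added example, not code from anyone on this list: it works out the mode the two sources imply and flags a mismatch against what getenforce printed. The config text and kernel line are constructed samples modelled on the files quoted in the thread; enforcing=0 is a kernel option the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): determine which SELinux
# mode a machine will actually run in from the two sources the thread argues
# about, /etc/selinux/config (also reachable as /etc/sysconfig/selinux) and
# the kernel line in grub.conf, then compare that with what getenforce reports.
# All inputs below are constructed samples, not taken from a real machine.

# Print the value of KEY= from config text on stdin, skipping comment lines.
# If the key occurs more than once, the last assignment wins.
selinux_config_value() {
    key="$1"
    sed -n "s/^[[:space:]]*${key}=[[:space:]]*\([A-Za-z0-9_]*\).*/\1/p" | tail -n 1
}

# Effective mode at boot, given $1 = config file text, $2 = kernel command line.
# Precedence: selinux=0 on the kernel line disables SELinux regardless of the
# file; otherwise SELINUX=disabled in the file disables it; otherwise
# enforcing=0 on the kernel line forces permissive; otherwise the file's
# SELINUX= value applies. Prints "unknown" (exit 1) when the file has no
# usable SELINUX= line, rather than guessing.
selinux_effective_mode() {
    case " $2 " in
        *" selinux=0 "*) echo disabled; return 0 ;;
    esac
    cfg=$(printf '%s\n' "$1" | selinux_config_value SELINUX)
    case "$cfg" in
        disabled) echo disabled; return 0 ;;
        enforcing|permissive) ;;
        *) echo unknown; return 1 ;;
    esac
    case " $2 " in
        *" enforcing=0 "*) echo permissive; return 0 ;;
    esac
    echo "$cfg"
}

# Policy type named in the file ("targeted" or "strict" in the quoted configs).
selinux_policy_type() {
    printf '%s\n' "$1" | selinux_config_value SELINUXTYPE
}

# Compare the configured mode with what "getenforce" printed ($3, e.g.
# "Enforcing"). Returns 0 when they agree and 1 otherwise, so a box whose
# file says disabled while the kernel still enforces (the cups and serial
# port denials reported above) is flagged instead of trusted.
selinux_mode_matches() {
    want=$(selinux_effective_mode "$1" "$2") || return 1
    have=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    [ "$want" = "$have" ]
}

# Constructed sample inputs modelled on the files quoted in the thread.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted'
SAMPLE_CMDLINE='ro root=/dev/VolGroup00/LogVol00 rhgb quiet'

# Stand-alone run: the sample file alone gives "disabled"; if getenforce on
# such a box still says Enforcing, the file is not what the kernel honoured.
selinux_report() {
    printf 'configured mode: %s (policy %s)\n' \
        "$(selinux_effective_mode "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE")" \
        "$(selinux_policy_type "$SAMPLE_CONFIG")"
    if selinux_mode_matches "$SAMPLE_CONFIG" "$SAMPLE_CMDLINE" Enforcing; then
        echo 'getenforce agrees with the configuration'
    else
        echo 'MISMATCH: getenforce reports Enforcing but the configuration says otherwise'
    fi
}
selinux_report
```

On a live box the same functions take `cat /etc/selinux/config`, `cat /proc/cmdline` and `getenforce` output in place of the samples.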
Gene Heskett wrote:
Worse yet, it's being spewed by people who have an image of being authoritative about it when by my personal testing, it's an outright lie.
That's perhaps because it works for them?
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
Well I would assume that if someone like NSA actually wants to put a backdoor, Free and open source code in the Linux kernel is a very unlikely candidate.
You might want to read up the two divisions of NSA and the differences between them and which division SELinux comes from. It has all been discussed before in fedora-selinux list if you want to take a look.
Rahul
Rahul Sundaram wrote:
That's perhaps because it works for them?
Works very fine for me. FWIW, the only issue that I've had is with some 3rd party proprietary software that wasn't designed with SELinux in mind. Using the troubleshooting tools I was able to resolve the issues and write the appropriate rules to get around any problems with future installs of that product.
Rahul Sundaram wrote:
[snip]
You might want to read up the two divisions of NSA and the differences between them and which division SELinux comes from. It has all been discussed before in fedora-selinux list if you want to take a look.
Since the RH devel team, in its wisdom, has decided that SELinux is not an optional package, it machts nichts. Anyone wishing to use RH or an RH derivative is going to get SELinux on his machine, period, full stop, end of story.
It looks like all the other distros are going to follow suit. Debian is already infected, as well.
My next distro may be LFS.
Mike
Mike McCarty wrote:
Rahul Sundaram wrote:
[snip]
You might want to read up the two divisions of NSA and the differences between them and which division SELinux comes from. It has all been discussed before in fedora-selinux list if you want to take a look.
Since the RH devel team, in its wisdom, has decided that SELinux is not an optional package, it machts nichts. Anyone wishing to use RH or an RH derivative is going to get SELinux on his machine, period, full stop, end of story.
It looks like all the other distros are going to follow suit. Debian is already infected, as well.
An earlier mail in the same thread says SELinux has not been adopted by other distributions. Now this mail complains about how it has been adopted and calls it an "infection". I guess some people are never happy.
My next distro may be LFS.
Good luck Mike. I guess you should keep it more updated than FC2.
Rahul
On Fri, 2007-09-21 at 11:01 +0530, Rahul Sundaram wrote:
Mike McCarty wrote:
Rahul Sundaram wrote:
It looks like all the other distros are going to follow suit. Debian is already infected, as well.
An earlier mail in the same thread says SELinux has not been adopted by other distributions.
Right.
Now this mail complains about how it has been adopted and calls it an "infection".
Right.
I guess some people are never happy.
No, you are tearing sentences out of context.
If SELinux was transparently working (which it doesn't on Fedora in many situations), nobody would name it "infection". => This is users complaining about SELinux's usability, based on their personal experiences with the Fedora implementation.
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts on SELinux.
Ralf
Ralf Corsepius wrote:
If SELinux was transparently working (which it doesn't on Fedora in many situations), nobody would name it "infection".
Pretty much every security solution has had a history of such problems. I remember back in the days when a firewall used to get very similar complaints and everyone was suggesting just to turn it off instead. SELinux is a fundamental security paradigm change. It has taken a lot of effort to get where we are now.
=> This is users complaining about SELinux's usability, based on their personal experiences with the Fedora implementation.
At least in Mike McCarty's case he has no personal experience with it. Users have mixed opinions as always.
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts on SELinux.
Sure. Technology changes like this take time. Lilo vs GRUB. Static dev vs udev as other relatively fundamental changes have also taken time for distributions to adopt.
SELinux is indeed upstream and a number of distributions have varying levels of support for it. Both the technology as well as adoption have only been increasing over time.
Rahul
On 9/21/07, Rahul Sundaram sundaram@fedoraproject.org wrote:
Ralf Corsepius wrote:
If SELinux was transparently working (which it doesn't on Fedora in many situations), nobody would name it "infection".
Pretty much every security solution has had a history of such problems. I remember back in the days when a firewall used to get very similar complaints and everyone was suggesting just to turn it off instead. SELinux is a fundamental security paradigm change. It has taken a lot of effort to get where we are now.
Quite true.
=> This is users complaining about SELinux's usability, based on their personal experiences with the Fedora implementation.
At least in Mike McCarty's case he has no personal experience with it. Users have mixed opinions as always.
I have plenty of personal experience with SELinux in both Fedora and CentOS, and I have been using it since FC2, i.e. before setroubleshoot. It was a good tool then; now, I do not deploy an internet-facing machine without it.
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts on SELinux.
Sure. Technology changes like this take time. Lilo vs GRUB. Static dev vs udev as other relatively fundamental changes have also taken time for distributions to adopt.
SELinux is indeed upstream and a number of distributions have varying levels of support for it. Both the technology as well as adoption have only been increasing over time.
Rahul
That aside, popularity shouldn't be a metric when gauging the usefulness of a piece of software.
On Fri, 2007-09-21 at 11:47 +0530, Rahul Sundaram wrote:
Ralf Corsepius wrote:
If SELinux was transparently working (which it doesn't on Fedora in many situations), nobody would name it "infection".
Pretty much every security solution has had a history of such problems.
Well, then better acknowledge these facts and stop reiterating RH's marketing slogans.
Many Fedora users have had encounters/clashes with SELinux, so at least this group of people knows that SELinux has not matured to a stage that it is working transparently. We _know_ that SELinux can prevent systems from operating, no matter what RH marketing wants to tell us.
I remember back in the days when a firewall used to get very similar complaints and everyone was suggesting just to turn it off instead. SELinux is a fundamental security paradigm change. It has taken a lot of effort to get where we are now.
Only if you consider it to be progress and a sustainable solution. So far this is not clear yet. History will judge if it really is or not.
Remember iptables and friends. They had to go through several iterations until they had reached a point most people found them to be in an acceptable and usable shape. Still you will find many people who switch firewalls off, on certain situations (I do so on my home network's clients. My server has them turned on).
=> This is users complaining about SELinux's usability, based on their personal experiences with the Fedora implementation.
At least in Mike McCarty's case he has no personal experience with it. Users have mixed opinions as always.
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts on SELinux.
Sure. Technology changes like this take time. Lilo vs GRUB. Static dev vs udev as other relatively fundamental changes have also taken time for distributions to adopt.
Yes, and whether you want to accept it or not, these steps still are arguable.
SELinux is indeed upstream and a number of distributions have varying levels of support for it. Both the technology as well as adoption have only been increasing over time.
Right, the art of upstream maintenance is to separate the "junk being flooded with" from the "really useful things" and to separate "temporary warts" from "promising approaches".
This applies esp. to Linux (with competing vendors violently trying to push _their_ approaches for marketing/political reasons) and in particular to Fedora (which, due to its open nature, contains a lot of stuff which would deserve to be named "junk ware").
Ralf
Ralf Corsepius wrote:
On Fri, 2007-09-21 at 11:47 +0530, Rahul Sundaram wrote:
Ralf Corsepius wrote:
If SELinux was transparently working (which it doesn't on Fedora in many situations), nobody would name it "infection".
Pretty much every security solution has had a history of such problems.
Well, then better acknowledge these facts and stop reiterating RH's marketing slogans.
I have never disagreed that there are problems and you need to stop the usual ad hominem attacks to maintain a rational discussion.
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did.
Note that contrary to your claims upstream has adopted it even before the first 2.6 kernel release and many other distributions are in fact adopting it as you have agreed with the example of Debian earlier in this thread. Popularity doesn't determine the best choices. Otherwise we would be all running Windows now.
Rahul
Rahul Sundaram wrote:
Note that contrary to your claims upstream has adopted it even before the first 2.6 kernel release and many other distributions are in fact adopting it as you have agreed with the example of Debian earlier in this thread. Popularity doesn't determine the best choices. Otherwise we would be all running Windows now.
You need to keep your attributions straight, Rahul. You are getting confused over who said what.
Mike
Mike McCarty wrote:
Rahul Sundaram wrote:
Note that contrary to your claims upstream has adopted it even before the first 2.6 kernel release and many other distributions are in fact adopting it as you have agreed with the example of Debian earlier in this thread. Popularity doesn't determine the best choices. Otherwise we would be all running Windows now.
You need to keep your attributions straight, Rahul. You are getting confused over who said what.
I don't see anyone wrongly attributed. Point out to me explicitly if that has happened.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
Rahul Sundaram wrote:
Note that contrary to your claims upstream has adopted it even before the first 2.6 kernel release and many other distributions are in fact adopting it as you have agreed with the example of Debian earlier in this thread. Popularity doesn't determine the best choices. Otherwise we would be all running Windows now.
You need to keep your attributions straight, Rahul. You are getting confused over who said what.
I don't see anyone wrongly attributed. Point out to me explicitly if that has happened.
That's because you're confused and not keeping track.
I'M the one who has pointed out that other distros have adopted SELinux, not Ralph. You are conflating the messages Ralf and I have sent. Ralf has consistently stated that other distros have not adopted SELinux. I stated that other distros are starting to follow RH, and bemoaned that fact. I'm glad to hear that there exist distros which do not have it.
Before very much longer, I'm going to be forced to hop to another distro. Because I am familiar with "the RH way", I had considered CentOS. However, since RH insists on SELinux, I have pretty much discarded that idea.
It is clear, from the discussions I have seen here, that RH is COMMITTED to SELinux, at least for the next few years, which decision I refuse to follow. I like control over what gets installed in my machine, and SELinux is not something I want. So, in order to get it off and keep it off, I regretfully am not going to use any further RH distros or derivatives, like CentOS, White Hat (is it dying?) and Scientific Linux. C'est la vie.
I've heard very good things about SLAX, and now hear that it has not jumped on the bandwagon. So, I'm reconsidering SLAX.
In fact, I think I'll download a LiveCD based on SLAX and boot up the ISO image using QEMU today.
Kill Bill looks fun, at least!
I was disappointed to find out that Debian has SELinux in it, as I must administer a Debian machine. At least it's turned off, so I haven't had to become a hydra killer.
Mike
Mike McCarty wrote:
That's because you're confused and not keeping track.
Again, I don't see it.
I'M the one who has pointed out that other distros have adopted SELinux, not Ralph.
Yes and I was pointing out to Ralf that his claim about upstream as well as distribution adoption was not true. It's Ralf btw. Besides your claim about SELinux only mitigating a compromised system and would not be able to prevent a security issue from happening in the first place isn't true as well. I even pointed out examples in our previous discussion on that topic. This suggests a need for a better understanding of the basic concepts behind it for which many references are available now.
Rahul
On Fri, 2007-09-21 at 10:09 -0500, Mike McCarty wrote:
Rahul Sundaram wrote:
Mike McCarty wrote:
Rahul Sundaram wrote:
Note that contrary to your claims upstream has adopted it even before the first 2.6 kernel release and many other distributions are in fact adopting it as you have agreed with the example of Debian earlier in this thread. Popularity doesn't determine the best choices. Otherwise we would be all running Windows now.
You need to keep your attributions straight, Rahul. You are getting confused over who said what.
I don't see anyone wrongly attributed. Point out to me explicitly if that has happened.
That's because you're confused and not keeping track.
I'M the one who has pointed out that other distros have adopted SELinux, not Ralph. You are conflating the messages Ralf and I have sent. Ralf has consistently stated that other distros have not adopted SELinux.
Let me put it this way: To my knowledge, there is no other distro around but Fedora which has been shipped with SELinux, so far, nor am I aware about any other OS which has it.
It would be news to me if Debian should have adopted it.
Ralf
Ralf Corsepius wrote:
Let me put it this way: To my knowledge, there is no other distro around but Fedora which has been shipped with SELinux, so far, nor am I aware about any other OS which has it.
It would be news to me if Debian should have adopted it.
http://www.redhat.com/security/innovative/selinux/
http://www.engardelinux.org/
http://www.gentoo.org/proj/en/hardened/selinux/index.xml
http://wiki.debian.org/SELinux
Some more info at http://selinux.sourceforge.net/
A BSD port at
http://www.trustedbsd.org/sebsd.html
Rahul
On Fri, 21 Sep 2007 10:09:24 -0500, Mike McCarty wrote: [....]
Before very much longer, I'm going to be forced to hop to another distro. Because I am familiar with "the RH way", I had considered CentOS. However, since RH insists on SELinux, I have pretty much discarded that idea.
It is clear, from the discussions I have seen here, that RH is COMMITTED to SELinux, at least for the next few years, which decision I refuse to follow. I like control over what gets installed in my machine, and SELinux is not something I want. So, in order to get it off and keep it off, I regretfully am not going to use any further RH distros or derivatives, like CentOS, White Hat (is it dying?) and Scientific Linux. C'est la vie.
[....] I must be missing something. The last few times I've done a Fedora install, anaconda has given me three SELinux choices -- enforcing, permissive, and disabled -- with a strongly worded recommendation against the last. I've always chosen permissive, partly because I know I'm nowhere near being able to cope with enforcing, and mainly because I have no idea what I'd be up against with disabled.
But I'm already planning to insist on disabled with F8 -- barring any nasty surprises on my present #3 machine, where it's disabled now.
So how much difference *is* there between disabled and not installed?
Beartooth wrote:
[snip]
But I'm already planning to insist on disabled with F8 -- barring any nasty surprises on my present #3 machine, where it's disabled now.
So how much difference *is* there between disabled and not installed?
These come to mind:
(1) room on disc (probably minor)
(2) room in memory (maybe minor, maybe not)
(3) even if "disabled", code is present and being run, which code has defects, some of which may be security exploits
Mike
(3) even if "disabled", code is present and being run, which code has defects, some of which may be security exploits
My understanding, which might well be wrong, is this is not the case. With most recent kernels if you turn off selinux it is really completely off, the kernel disables all selinux features and nothing is loaded.
But maybe a real selinux expert can clarify here.
Chris
Chris Jones wrote:
(3) even if "disabled", code is present and being run, which code has defects, some of which may be security exploits
My understanding, which might well be wrong, is this is not the case. With most recent kernels if you turn off selinux it is really completely off, the kernel disables all selinux features and nothing is loaded.
But maybe a real selinux expert can clarify here.
Not even the code to check whether it is enabled? :-)
Mike
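The disabled-versus-not-installed question above can be checked on a live box. This is an added example, not code from anyone in the thread: it reads the sysconfig file, the selinuxfs mount (/sys/fs/selinux on current kernels, /selinux on 2007-era ones) and /proc/filesystems, with all three paths as parameters so it can be run against constructed files. selinuxfs missing from /proc/filesystems means the kernel has no active SELinux, either because it was never built in or because it was disabled at boot, which is the state Chris describes.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the on-disk SELinux setting
# with what the running kernel actually exposes. All paths are parameters
# (defaults shown) so the functions can be exercised on constructed files.

# Print the SELINUX= value (enforcing|permissive|disabled) from a
# /etc/sysconfig/selinux style file, ignoring comment lines and SELINUXTYPE=.
# Prints "unset" when the key is missing or the file cannot be read.
selinux_config_mode() {
    cfg_file="${1:-/etc/sysconfig/selinux}"
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' \
               "$cfg_file" 2>/dev/null | tail -n 1)
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        printf 'unset\n'
    fi
}

# Report the live mode from a mounted selinuxfs (/sys/fs/selinux today,
# /selinux on 2007-era kernels). "absent" means no selinuxfs is mounted there.
selinux_runtime_mode() {
    fs_dir="${1:-/sys/fs/selinux}"
    if [ ! -r "$fs_dir/enforce" ]; then
        printf 'absent\n'
        return 0
    fi
    case "$(cat "$fs_dir/enforce")" in
        1) printf 'enforcing\n' ;;
        0) printf 'permissive\n' ;;
        *) printf 'unknown\n' ;;
    esac
}

# Is selinuxfs registered with the kernel at all? The kernel registers it only
# when SELinux is built in and still enabled; disabling SELinux at boot removes
# the hooks and unregisters selinuxfs, so it vanishes from /proc/filesystems
# exactly as on a kernel that never had SELinux.
selinux_fs_registered() {
    proc_file="${1:-/proc/filesystems}"
    if grep -q '[[:space:]]selinuxfs$' "$proc_file" 2>/dev/null; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}

# One-word verdict: off | not_mounted | drift | consistent
selinux_verdict() {
    cfg=$(selinux_config_mode "$1")
    run=$(selinux_runtime_mode "$2")
    reg=$(selinux_fs_registered "$3")
    if [ "$reg" = no ]; then
        printf 'off\n'            # no SELinux code active in this kernel
    elif [ "$run" = absent ]; then
        printf 'not_mounted\n'    # kernel support present, selinuxfs not mounted
    elif [ "$run" != "$cfg" ]; then
        printf 'drift\n'          # e.g. config says disabled but kernel is enforcing
    else
        printf 'consistent\n'
    fi
}

# Human-readable report against the real system; run the script with --report.
selinux_report() {
    printf 'config : %s\n' "$(selinux_config_mode)"
    printf 'runtime: %s\n' "$(selinux_runtime_mode)"
    printf 'kernel : selinuxfs registered=%s\n' "$(selinux_fs_registered)"
    printf 'verdict: %s\n' "$(selinux_verdict)"
}

case "${1:-}" in
    --report) selinux_report ;;
esac
```

A "drift" verdict is the case worth investigating: the file says one thing, the kernel is doing another, usually because of a setenforce at runtime or a kernel boot parameter.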
On 9/21/07, Ralf Corsepius rc040203@freenet.de wrote:
I remember back in the days when a firewall used to get very similar complaints and everyone was suggesting just to turn it off instead. SELinux is a fundamental security paradigm change. It has taken a lot of effort to get where we are now.
Only if you consider it to be progress and a sustainable solution. So far this is not clear yet. History will judge if it really is or not.
Remember iptables and friends. They had to go through several iterations until they had reached a point most people found them to be in an acceptable and usable shape. Still you will find many people who switch firewalls off, on certain situations (I do so on my home network's clients. My server has them turned on).
This seems like an argument for RFCs and RFEs and bug reports, and constructive discussions, but blunt subjective bashing
Somebody in the thread at some point said:
On Fri, 2007-09-21 at 11:47 +0530, Rahul Sundaram wrote:
Ralf Corsepius wrote:
If SELinux was transparently working (which it doesn't on Fedora in many situations), nobody would name it "infection".
Pretty much every security solution has had a history of such problems.
Well, then better acknowledge these facts and stop reiterating RH's marketing slogans.
Many Fedora users have had encounters/clashes with SELinux, so at least this group of people knows that SELinux has not matured to a stage that it is working transparently. We _know_ that SELinux can prevent systems from operating, no matter what RH marketing wants to tell us.
Well "many" is hard to quantify compared to using it for "many with problems" and the completely silent majority I think we will find, of "many without problems" nowadays.
acceptable and usable shape. Still you will find many people who switch firewalls off, on certain situations (I do so on my home network's clients. My server has them turned on).
It's obviously up to you how you deal with that, but I strongly believe that you can't inherently trust machines on any internal network any more than those outside. There was an interesting thread about this on Full Disclosure the other week with some guy going on about how he would heroically jump in the way of any foreign "cyber attack" from boxes in $COUNTRY and lend his powers to repelling it, etc. A guy replied shortly pointing out that the attack comes from the machine next to you, not some easily identified foreign box. And that is exactly what we see with worms and viruses.
=> This is users complaining about SELinux's usability, based on their personal experiences with the Fedora implementation.
At least in Mike McCarty's case he has no personal experience with it. Users have mixed opinions as always.
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts on SELinux.
Sure. Technology changes like this take time. Lilo vs GRUB. Static dev vs udev as other relatively fundamental changes have also taken time for distributions to adopt.
Yes, and whether you want to accept it or not, these steps still are arguable.
You have to mix in the level of grief to implement it. For example everyone keeps agreeing that the initscripts and especially shutdown can be made MUCH better, but it's so frightening to take care of everything with minimal breakage that somehow Fedora doesn't seem to get anywhere with it (over years).
-Andy
On Fri, 2007-09-21 at 09:44 +0100, Andy Green wrote:
Somebody in the thread at some point said:
On Fri, 2007-09-21 at 11:47 +0530, Rahul Sundaram wrote:
Ralf Corsepius wrote:
If SELinux was transparently working (which it doesn't on Fedora in many situations), nobody would name it "infection".
Pretty much every security solution has had a history of such problems.
Well, then better acknowledge these facts and stop reiterating RH's marketing slogans.
Many Fedora users have had encounters/clashes with SELinux, so at least this group of people knows that SELinux has not matured to a stage that it is working transparently. We _know_ that SELinux can prevent systems from operating, no matter what RH marketing wants to tell us.
Well "many" is hard to quantify compared to using it for "many with problems" and the completely silent majority I think we will find, of "many without problems" nowadays.
No disagreement.
IMO, it's basically a matter of complexity of an existing installation which causes SELinux to interfere and cause faults - The essential question to answer would be: Why does SELinux cause such breakdown. Fundamental SELinux design flaw? Fedora SELinux policy maintainer oversight? Lack of maturity? I don't know the answers. Probably something in between all of them.
acceptable and usable shape. Still you will find many people who switch firewalls off, on certain situations (I do so on my home network's clients. My server has them turned on).
It's obviously up to you how you deal with that, but I strongly believe that you can't inherently trust machines on any internal network any more than those outside.
Absolutely. It's just that I consider my own network and its users to be sufficiently trustworthy to run these machines without a firewall on each of them enabled.
It actually is quite simple. As always when it comes to security, users need to decide when to compromise between "negligent carelessness" and "paranoia" and to find a suitable compromise with security measures.
Some people will want to live in an atomic bunker with filtered air, 2 years of food supply in storage and won't leave their home without an armored guard. Others will want to live naked in a jungle full of poisonous animals and violent warriors around - Most people won't do either ;)
It should be up to the user to decide which precautions to take and which risk they want to tolerate. - SELinux, Firewalls, read-only file-systems, encrypted file-systems etc. all are aiming into the same direction.
There was an interesting thread about this on Full Disclosure the other week with some guy going on about how he would heroically jump in the way of any foreign "cyber attack" from boxes in $COUNTRY and lend his powers to repelling it, etc. A guy replied shortly pointing out that the attack comes from the machine next to you, not some easily identified foreign box.
ACK, the real damaging attacks are caused from inside of a network or the user himself.
That's the point where at least I perceive SELinux's most noteworthy achievement to be "self-protection" and "protection against the distro itself misbehaving" - Not protection against external attackers.
Ralf
Andy Green wrote:
[snip]
It's obviously up to you how you deal with that, but I strongly believe that you can't inherently trust machines on any internal network any
My issues with SELinux are:
(1) it is wrong-headed
(2) it is pervasive
(3) it has defects, and always will
The additional "security" it offers to an already compromised system is debatable. This thread proves it. That it causes additional admin is not debatable. So, there are costs associated with using it. Whether those costs are justified by the perceived threat is a subjective, and I would argue EVEN IF IT IS IN SOME CIRCUMSTANCES USEFUL[*] installation dependent, matter.
SELinux might protect against a malicious intruder who is already on your machine. I don't have any. There are exactly three users defined on my machine who can actually log on:
root
me
another guy who no longer has access to my machine, a friend.
My machine sits behind a hardware firewall which doesn't even respond to attempts to access, except for the e-mail port, which is closed. Perusal of the logs on my machine show not even one attempt to gain access. Perusal of the logs on the firewall show numerous attempts to gain access.
I don't download and execute other people's programs.
I don't permit Java or Javascript to run on my machine.
I don't permit my mailer to use links or to download images.
You have to mix in the level of grief to implement it. For example everyone keeps agreeing that the initscripts and especially shutdown can be made MUCH better, but it's so frightening to take care of everything with minimal breakage that somehow Fedora doesn't seem to get anywhere with it (over years).
I don't know to what you refer.
[*] I don't subscribe to this, but even if it is stipulated, in that case it's still an installation-dependent matter. Even if SELinux were actually useful, which I do not admit, not all installations would have the additional security benefit justify the additional overhead.
Mike
Somebody in the thread at some point said:
Andy Green wrote:
[snip]
It's obviously up to you how you deal with that, but I strongly believe that you can't inherently trust machines on any internal network any
My issues with SELinux are:
(1) it is wrong-headed
(2) it is pervasive
(3) it has defects, and always will
The additional "security" it offers to an already compromised system is debatable. This thread proves it. That it causes
I value it for what it can do at the moment of the attempted compromise. My external servers are set up to send me regular and very frequent emails with several log entries since the last email -- and I read all of those emails with care. If an attacker is stymied for even a little while because he didn't get a shell out of httpd, I will see what nearly happened and have the chance to step in.
I think the decision to include selinux is right... people will use it and gain some increment of security from it if it doesn't make overt trouble. If you're sure the bad feelings that have stacked up against selinux are really deserved, you can always recook the appropriate packages having done stuff along the lines of sed s/--enable-selinux//g to the spec file, or in extremis move to your own distro. But I think it won't gain much of a following to define the distro by removing a feature rather than adding stuff.
In fact I wrote up a giant procedure here
http://warmcat.com/_wp/?p=35#more-35
for converting 1&1 dedicated servers that are on some weird FC4 - Debian mutant hybrid without selinux to F7 with selinux, involving reformatting their pervacious XFS partitions to ext3 entirely remotely.
I don't download and execute other people's programs.
The whole distro is full of other peoples' programs though.
I don't permit Java or Javascript to run on my machine.
I don't permit my mailer to use links or to download images.
I must be pretty lax, Javascript is okay in a browser (not Thunderbird though) and I will click on email links after hovering to see where they go.
You have to mix in the level of grief to implement it. For example everyone keeps agreeing that the initscripts and especially shutdown can be made MUCH better, but it's so frightening to take care of everything with minimal breakage that somehow Fedora doesn't seem to get anywhere with it (over years).
I don't know to what you refer.
There are a few projects around that replace the venerable "System V" -- it refers to some ancient Unix flavour AIUI -- initscripts. This is the stuff defined in /etc/init.d and /etc/rcx.d that happens after the kernel boots, it goes through bringing up services like web servers, sshd and so on and says, hopefully, [OK] a lot. It's the stuff that chkconfig actually turns on and off.
In other distros they have moved to newer initscript systems that run non-dependent scripts in parallel and see a pretty good reduction in boot time accordingly. They threw out most of the shutdown action so it is ~instantaneous. It keeps getting discussed on fedora-devel, I'm not sure there are any voices against the general plan, but it doesn't cross the threshold into the painful action.
I mentioned it because there was a proposition that good ideas will get adopted and you can tell a bad idea because other people aren't doing it already. Improved initscripts is pretty much universally approved of but doesn't get adopted in Fedora so far.
-Andy
Andy Green wrote:
Somebody in the thread at some point said:
Andy Green wrote:
[snip]
It's obviously up to you how you deal with that, but I strongly believe that you can't inherently trust machines on any internal network any
My issues with SELinux are:
(1) it is wrong-headed
(2) it is pervasive
(3) it has defects, and always will
The additional "security" it offers to an already compromised system is debatable. This thread proves it. That it causes
I value it for what it can do at the moment of the attempted compromise.
And I do not, since my setup is probably vastly different from yours. I have a stand-alone desktop with no sensitive data on it, behind a hardware firewall which has never let one bad guy in. I take steps to prevent inadvertent code or malicious code from executing on my machine. I regularly look for signs of invasion. If I get compromised, then I plan to use one of my frequent backups to recover DATA. The system will be reloaded, not recovered.
[snip]
I think the decision to include selinux is right... people will use it
Apparently it is for you. I support people being able to install or not install software as THEY see fit.
[snip]
to the spec file, or in extremis move to your own distro. But I think it won't gain much of a following to define the distro by removing a feature rather than adding stuff.
I have no desire to control what other people put on their machines. I have no desire to influence what other people put on their machines. You like SELinux, fine. I don't want it. I support the choice to install or not install, that's all.
[snip]
I don't download and execute other people's programs.
The whole distro is full of other peoples' programs though.
Of course.
I don't permit Java or Javascript to run on my machine.
I don't permit my mailer to use links or to download images.
I must be pretty lax, Javascript is okay in a browser (not Thunderbird though) and I will click on email links after hovering to see where they go.
No cookies on my machine, either. No internet cache, either. No stored passwords. I won't characterize what you do as lax or not, since I'm not aware of your needs and desires. Your security measures need to be tailored to your configuration and your goals, not mine.
You have to mix in the level of grief to implement it. For example everyone keeps agreeing that the initscripts and especially shutdown can be made MUCH better, but it's so frightening to take care of everything with minimal breakage that somehow Fedora doesn't seem to get anywhere with it (over years).
I don't know to what you refer.
There are a few projects around that replace the venerable "System V" -- it refers to some ancient Unix flavour AIUI -- initscripts. This is the
[snip]
Thanks for the explanation.
Mike
On 21/09/2007, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Andy Green wrote:
Somebody in the thread at some point said:
I think the decision to include selinux is right... people will use it
Apparently it is for you. I support people being able to install or not install software as THEY see fit.
Unfortunately, though I approve of the whole SELinux idea in concept, I found it impossible to use, even with F7. I ran it in Permissive mode so I'd see what errors it was catching, but found only two things:
1. It kept repeating the same errors every day, with long detailed instructions on how to fix this.
2. The instructions didn't work!
So every time I come across it now I turn it off completely. Which is a pity because if it worked correctly it would probably be a useful thing to have on my main outward facing server.
JDL
On Sun, 2007-09-23 at 22:50 +0100, John Lagrue wrote:
Unfortunately, though I approve of the whole SELinux idea in concept, I found it impossible to use, even with F7. I ran it in Permissive mode so I'd see what errors it was catching, but found only two things:
1. It kept repeating the same errors every day, with long detailed instructions on how to fix this.
2. The instructions didn't work!
Bugzilling that is the only way its going to get fixed.
John Lagrue wrote:
On 21/09/2007, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Andy Green wrote:
Somebody in the thread at some point said:
I think the decision to include selinux is right... people will use it
Apparently it is for you. I support people being able to install or not install software as THEY see fit.
Unfortunately, though I approve of the whole SELinux idea in concept, I found it impossible to use, even with F7. I ran it in Permissive mode so I'd see what errors it was catching, but found only two things:
1. It kept repeating the same errors every day, with long detailed instructions on how to fix this.
2. The instructions didn't work!
So every time I come across it now I turn it off completely. Which is a pity because if it worked correctly it would probably be a useful thing to have on my main outward facing server.
JDL
Please report the problem you were having, or at least send the setroubleshoot statement to this list. I do try to fix/help people with SELinux setups. As long as they don't rant for several hundred emails. :^)
Picked out of the getting rid of SELinux thread on this list, originated by me, and now made a thread of its own, also by me -- because, while still as interesting as ever, especially to me, it has broadened enough that people seeking help specifically with SELinux would be apt to overlook it. (Or at least I would.)
On Fri, 21 Sep 2007 09:44:37 +0100, Andy Green wrote:
[....] I strongly believe that you can't inherently trust machines on any internal network any more than those outside. There was an interesting thread about this on Full Disclosure the other week with some guy going on about how he would heroically jump in the way of any foreign "cyber attack" from boxes in $COUNTRY and lend his powers to repelling it, etc. A guy replied shortly pointing out that the attack comes from the machine next to you, not some easily identified foreign box. And that is exactly what we see with worms and viruses.
[....] Since the context (I think) involves LANs and suchlike things, you must mean "physically next," not just electronically via the Net, right?
Iow, if I run some app that discovers malware on linux boxes, and find some on one of the machines on my desk, it will more likely have come from one of my others than off the Net or the Web, right?
But surely that machine here, or some machine here, got it in the first place electronically?
I seem to be getting more confused than usual here ....
On Fri, 2007-09-21 at 16:26 +0000, Beartooth wrote:
Picked out of the getting rid of SELinux thread on this list, originated by me, and now made a thread of its own, also by me -- because, while still as interesting as ever, especially to me, it has broadened enough that people seeking help specifically with SELinux would be apt to overlook it. (Or at least I would.)
On Fri, 21 Sep 2007 09:44:37 +0100, Andy Green wrote:
[....] I strongly believe that you can't inherently trust machines on any internal network any more than those outside. There was an interesting thread about this on Full Disclosure the other week with some guy going on about how he would heroically jump in the way of any foreign "cyber attack" from boxes in $COUNTRY and lend his powers to repelling it, etc. A guy replied shortly pointing out that the attack comes from the machine next to you, not some easily identified foreign box. And that is exactly what we see with worms and viruses.
[....] Since the context (I think) involves LANs and suchlike things, you must mean "physically next," not just electronically via the Net, right?
Iow, if I run some app that discovers malware on linux boxes, and find some on one of the machines on my desk, it will more likely have come from one of my others than off the Net or the Web, right?
But surely that machine here, or some machine here, got it in the first place electronically?
I seem to be getting more confused than usual here ....
But at least you're hanging in there. You go Beartooth. Light dispels the Darkness. Getting everyone's perceptions is never a bad thing. Ric
On Fri, 21 Sep 2007, Ralf Corsepius wrote:
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts about SELinux.
Ralf
Well put. Most of us in charge of ISPs, OSPs etc. won't touch it, because it has given many people in many companies, in many places around the world, many headaches, which I guess is why most DCs I've known to run RH have all but one dumped it in moves to either Slackware or Debian; and if the suggestion made by someone that Debian is going the same way is right, then they will see an exodus as well, going by trends in what's discussed at BBQs on Saturday afternoons. They need to remember that senior network managers/engineers from competing networks in the same cities tend to all know each other, and we all have many get-togethers; it only takes one person to mention a problem with a certain bit of software, even if just as a passing comment, and it tends to stay in our minds. We will never make more work for ourselves than we already have.
On 9/21/07, Res res@ausics.net wrote:
On Fri, 21 Sep 2007, Ralf Corsepius wrote:
If SELinux was such a "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts about SELinux.
Ralf
Well put. Most of us in charge of ISPs, OSPs etc. won't touch it, because it has given many people in many companies, in many places around the world, many headaches, which I guess is why most DCs I've known to run RH have all but one dumped it in moves to either Slackware or Debian; and if the suggestion made by someone that Debian is going the same way is right, then they will see an exodus as well, going by trends in what's discussed at BBQs on Saturday afternoons. They need to remember that senior network managers/engineers from competing networks in the same cities tend to all know each other, and we all have many get-togethers; it only takes one person to mention a problem with a certain bit of software, even if just as a passing comment, and it tends to stay in our minds. We will never make more work for ourselves than we already have.
SELinux is another layer of security; it isn't a replacement for any security layers. I see no reason why anyone feels such apparent hostility to this piece of technology.
Arthur Pemberton wrote:
SELinux is another layer of security; it isn't a replacement for any security layers. I see no reason why anyone feels such apparent hostility to this piece of technology.
I can understand it. I always reject anything that I don't understand...except for my wife that is. :-)
On Fri, 21 Sep 2007, Arthur Pemberton wrote:
SELinux is another layer of security; it isn't a replacement for any security layers. I see no reason why anyone feels such apparent hostility to this piece of technology.
And it's a PITA, stopping many things from working. We don't have time to sit in front of a newly built server and spend an hour telling the thing it's "safe" blah blah blah. It's one of the reasons the Fedora desktops on the internal LAN are still FC1: because it's stable, although by default we don't use half of RH's installed stuff on the desktops; we use the real sendmails, real Firefoxes, real OpenOffices, real Evolutions, real kernels, real mplayer and other multimedia stuff that plays the formats WE want, not what RH decides we should use, and so on and so on.
It's simple: if the user doesn't want to use it, they should not have to install or deconfigure it.
Res wrote:
On Fri, 21 Sep 2007, Arthur Pemberton wrote:
SELinux is another layer of security; it isn't a replacement for any security layers. I see no reason why anyone feels such apparent hostility to this piece of technology.
And it's a PITA, stopping many things from working. We don't have time to sit in front of a newly built server and spend an hour telling the thing it's "safe" blah blah blah. It's one of the reasons the Fedora desktops on the internal LAN are still FC1: because it's stable, although by default we don't use half of RH's installed stuff on the desktops; we use the real sendmails, real Firefoxes, real OpenOffices, real Evolutions, real kernels, real mplayer and other multimedia stuff that plays the formats WE want, not what RH decides we should use, and so on and so on.
I think you may be forgetting the reason why Fedora and/or Red Hat doesn't supply support for certain formats. But I think you know that it isn't because it is something RH has decided. Probably shouldn't be spreading FUD on Friday evenings. Also, I pity that folks at your BBQ discuss software.
It's simple: if the user doesn't want to use it, they should not have to install or deconfigure it.
On Fri, 21 Sep 2007, Ed Greshko wrote:
on Friday evenings. Also, I pity that folks at your BBQ discuss software.
Oh, we discuss lots of things, like which idiot lamers we don't want as customers, amongst other things. Problem is, come Monday we can't remember much :) Shop is only about 5% of what's discussed though; most of us have lives that allow us to shut off from work, most of the time.
On Fri, 2007-09-21 at 20:16 +1000, Res wrote:
On Fri, 21 Sep 2007, Ed Greshko wrote:
on Friday evenings. Also, I pity that folks at your BBQ discuss software.
Oh, we discuss lots of things, like which idiot lamers we don't want as customers, amongst other things. Problem is, come Monday we can't remember much :) Shop is only about 5% of what's discussed though; most of us have lives that allow us to shut off from work, most of the time.
<sniff>
You got room for one more over there?
Andy
On Friday 21 September 2007, Andrew Kelly wrote:
On Fri, 2007-09-21 at 20:16 +1000, Res wrote:
On Fri, 21 Sep 2007, Ed Greshko wrote:
on Friday evenings. Also, I pity that folks at your BBQ discuss software.
Oh, we discuss lots of things, like which idiot lamers we don't want as customers, amongst other things. Problem is, come Monday we can't remember much :) Shop is only about 5% of what's discussed though; most of us have lives that allow us to shut off from work, most of the time.
<sniff>
You got room for one more over there?
Andy
Need directions, I'll bring a case of Michelob Ultra. You have ice I assume?
On Fri, 21 Sep 2007, Andrew Kelly wrote:
On Fri, 2007-09-21 at 20:16 +1000, Res wrote:
On Fri, 21 Sep 2007, Ed Greshko wrote:
on Friday evenings. Also, I pity that folks at your BBQ discuss software.
Oh, we discuss lots of things, like which idiot lamers we don't want as customers, amongst other things. Problem is, come Monday we can't remember much :) Shop is only about 5% of what's discussed though; most of us have lives that allow us to shut off from work, most of the time.
<sniff>
You got room for one more over there?
lol
Res wrote:
On Fri, 21 Sep 2007, Ed Greshko wrote:
on Friday evenings. Also, I pity that folks at your BBQ discuss software.
Oh, we discuss lots of things, like which idiot lamers we don't want as customers, amongst other things. Problem is, come Monday we can't remember much :) Shop is only about 5% of what's discussed though; most of us have lives that allow us to shut off from work, most of the time.
I would think that at a BBQ you'd be better off discussing "soft-ware" as opposed to "software". But, at least, it sounds like you have a bit of redemption in that you can't recall on Monday what you discussed on Saturday.
On 9/21/07, Res res@ausics.net wrote:
On Fri, 21 Sep 2007, Arthur Pemberton wrote:
SELinux is another layer of security; it isn't a replacement for any security layers. I see no reason why anyone feels such apparent hostility to this piece of technology.
And it's a PITA, stopping many things from working. We don't have time to sit in front of a newly built server and spend an hour telling the thing it's "safe" blah blah blah. It's one of the reasons the Fedora desktops on the internal LAN are still FC1: because it's stable, although by default we don't use half of RH's installed stuff on the desktops; we use the real sendmails, real Firefoxes, real OpenOffices, real Evolutions, real kernels, real mplayer and other multimedia stuff that plays the formats WE want, not what RH decides we should use, and so on and so on.
It's simple: if the user doesn't want to use it, they should not have to install or deconfigure it.
That comment doesn't seem to have been written with the intention of attracting constructive responses. I fear sysadmins who are always quick to say that they don't have time.
On Fri, 21 Sep 2007, Arthur Pemberton wrote:
That comment doesn't seem to have been written with the intention of attracting constructive responses. I fear sysadmins who are always quick to say that they don't have time.
So you're suggesting we should make ourselves suffer for no reason, just for the hell of it? SELinux offers no, I repeat NO, advantage over what our normal security is now.
And let's face it, if a box does get hacked, it's hacked and the bastards will run what they want anyway, though I have not had a hacked box in a long time, in fact since I disabled supporting FrontPage.
Alan Cox wrote:
So you're suggesting we should make ourselves suffer for no reason, just for the hell of it? SELinux offers no, I repeat NO, advantage over what our normal security is now.
Nobody competent to assess that I know of would agree with that statement.
That sounds more like a description of you than of anyone else.
To my ears, it sounds like
"Nobody who disagrees with me can have an opinion worth listening to."
Mike
"Nobody who disagrees with me can have an opinion worth listening to."
Well I disagree with you, and you don't seem to like it. Tough. Go read the past 30 years' academic research literature on this stuff and you'll find people are very much convinced it makes systems more secure, and also that there are interesting usability challenges in getting it right.
On Fri, 2007-09-21 at 10:25 -0500, Mike McCarty wrote:
Alan Cox wrote:
So you're suggesting we should make ourselves suffer for no reason, just for the hell of it? SELinux offers no, I repeat NO, advantage over what our normal security is now.
Nobody competent to assess that I know of would agree with that statement.
That sounds more like a description of you than of anyone else.
To my ears, it sounds like
"Nobody who disagrees with me can have an opinion worth listening to."
---- do you use a screen reader program? How else could your ears perceive that?
there are few on this list with the credentials of Alan's but you are free to interpret his statement any way you choose.
The point is now and has always been that Red Hat is packaging for the widest array of possible users, some of whom will not want SELinux but some...
http://www.infoworld.com/article/07/06/15/red-hat-linux-gets-top-government-...
who very much value the security benefits of SELinux
Evidently, it takes a peculiar mix of ignorance and arrogance to endlessly argue about the lack of merits concerning SELinux when in fact, there are a number of significantly informed people who feel otherwise.
Apparently Mike said:
SELinux offers no, I repeat NO, advantage over what our normal security is now.
Alan Cox:
Nobody competent to assess that I know of would agree with that statement.
Mike McCarty:
That sounds more like a description of you than of anyone else.
To my ears, it sounds like
"Nobody who disagrees with me can have an opinion worth listening to."
Pot, kettle, black...
You've approached this whole issue single-mindedly, and the aspect you carry on about regarding SELinux isn't only the aspect that it's for.
On Fri, 21 Sep 2007, Alan Cox wrote:
So you're suggesting we should make ourselves suffer for no reason, just for the hell of it? SELinux offers no, I repeat NO, advantage over what our normal security is now.
Nobody competent to assess that I know of would agree with that statement.
You can't know many people, or at least know many that run a myriad of programs; paying customers get to run what they want, when they want.
I note you neglected to include and comment on the fact that if a box is taken it *is* taken and there's not a thing SELinux can do shit about it. Sure, SELinux might be all dandy for some clueless tart who has nfi about securing their PC and is directly connected to the net, but to large ISPs it's a complete hindrance and nuisance. But since we have ceased use of all RH products as servers as at EOL of RH9 (the last decent RH released product) and moved them all to Slackware, we don't have any problem. We tried earlier Fedoras, but that was never going to last with such short update maintenance time frames and instability and unreliability (fair enough, as RH have said it's not designed for our uses). At least if we install say sendmail or bind we have one package, not 3 or however many it's up to now, and we don't have it butchered and customised to suit RH. Since the move to Slackware on servers we have not looked back at all, and stability and reliability is excellent; ongoing updates are at least equal to RHES time frames, in some cases exceeding 5 years. And to see the lack of maintenance required, one only has to look at the update repos for Slackware and Fedora. Granted, Slackware doesn't come with as much as Fedora, nor does it come with GNOME anymore, but compare the programs that it has to Fedora's, and because of RH's butchering and patching to suit their way of life (smells more like M$ every day) you can see the difference.
On Sat, 2007-09-22 at 08:50 +1000, Res wrote:
On Fri, 21 Sep 2007, Alan Cox wrote:
So you're suggesting we should make ourselves suffer for no reason, just for the hell of it? SELinux offers no, I repeat NO, advantage over what our normal security is now.
Nobody competent to assess that I know of would agree with that statement.
You can't know many people, or at least know many that run a myriad of programs; paying customers get to run what they want, when they want.
I note you neglected to include and comment on the fact that if a box is taken it *is* taken and there's not a thing SELinux can do shit about it. Sure, SELinux might be all dandy for some clueless tart who has nfi about securing their PC and is directly connected to the net, but to large ISPs it's a complete hindrance and nuisance. But since we have ceased use of all RH products as servers as at EOL of RH9 (the last decent RH released product) and moved them all to Slackware, we don't have any problem. We tried earlier Fedoras, but that was never going to last with such short update maintenance time frames and instability and unreliability (fair enough, as RH have said it's not designed for our uses). At least if we install say sendmail or bind we have one package, not 3 or however many it's up to now, and we don't have it butchered and customised to suit RH. Since the move to Slackware on servers we have not looked back at all, and stability and reliability is excellent; ongoing updates are at least equal to RHES time frames, in some cases exceeding 5 years. And to see the lack of maintenance required, one only has to look at the update repos for Slackware and Fedora. Granted, Slackware doesn't come with as much as Fedora, nor does it come with GNOME anymore, but compare the programs that it has to Fedora's, and because of RH's butchering and patching to suit their way of life (smells more like M$ every day) you can see the difference.
---- do you have the slightest clue who you are talking to here?
since you obviously don't...
http://www.google.com/search?hl=en&q=Alan+Cox+Red+Hat+kernel&btnG=Se...
On Fri, 21 Sep 2007, Craig White wrote:
do you have the slightest clue who you are talking to here?
since you obviously don't...
Yes I know who Alan is, I've known who he is for many many many years, and just because he says it's good and needed am I to stfu and say oh well it must be good then? Well no, sorry, it doesn't work that way.
On Sat, 2007-09-22 at 09:14 +1000, Res wrote:
On Fri, 21 Sep 2007, Craig White wrote:
do you have the slightest clue who you are talking to here?
since you obviously don't...
Yes I know who Alan is, I've known who he is for many many many years, and just because he says it's good and needed am I to stfu and say oh well it must be good then? Well no, sorry, it doesn't work that way.
---- I didn't see an stfu
I did see him suggest, "Nobody competent to assess that I know of would agree with that statement."
Your interpretation of his statement is faulty.
On Fri, 21 Sep 2007, Craig White wrote:
On Sat, 2007-09-22 at 09:14 +1000, Res wrote:
On Fri, 21 Sep 2007, Craig White wrote:
do you have the slightest clue who you are talking to here?
since you obviously don't...
Yes I know who Alan is, I've known who he is for many many many years, and just because he says it's good and needed am I to stfu and say oh well it must be good then? Well no, sorry, it doesn't work that way.
I didn't see an stfu
I did see him suggest, "Nobody competent to assess that I know of would agree with that statement."
Your interpretation of his statement is faulty.
I know what he was implying and it doesn't surprise me, as I've seen it before from him to others.
Craig White wrote:
On Sat, 2007-09-22 at 08:50 +1000, Res wrote:
On Fri, 21 Sep 2007, Alan Cox wrote:
So you're suggesting we should make ourselves suffer for no reason, just for the hell of it? SELinux offers no, I repeat NO, advantage over what our normal security is now.
Nobody competent to assess that I know of would agree with that statement.
You can't know many people, or at least know many that run a myriad of programs; paying customers get to run what they want, when they want.
[snip]
do you have the slightest clue who you are talking to here?
since you obviously don't...
http://www.google.com/search?hl=en&q=Alan+Cox+Red+Hat+kernel&btnG=Se...
I fail to see the relevance. You're using an ad-hominem argument "in reverse" so to speak.
You didn't address anything he said.
Mike
On Mon, 24 Sep 2007, Mike McCarty wrote:
I fail to see the relevance. You're using an ad-hominem argument "in reverse" so to speak.
You didn't address anything he said.
More so it's completely irrelevant, I've known some really excellent programmers, but there's no way in hell I'd let any of them touch my network :)
On Tue, 2007-09-25 at 07:16 +1000, Res wrote:
On Mon, 24 Sep 2007, Mike McCarty wrote:
I fail to see the relevance. You're using an ad-hominem argument "in reverse" so to speak.
You didn't address anything he said.
More so it's completely irrelevant, I've known some really excellent programmers, but there's no way in hell I'd let any of them touch my network :)
---- almost as irrelevant as Mike McCarthy (Fedora Core 2) and Res (Fedora Core 1) talking about SELinux
I guess their dominating the list all day last Friday wasn't enough though.
I'm perfectly willing to let Mike and Res go on and on with the topic...I'm done with this thread.
On Mon, 24 Sep 2007, Craig White wrote:
On Tue, 2007-09-25 at 07:16 +1000, Res wrote:
On Mon, 24 Sep 2007, Mike McCarty wrote:
I fail to see the relevance. You're using an ad-hominem argument "in reverse" so to speak.
You didn't address anything he said.
More so it's completely irrelevant, I've known some really excellent programmers, but there's no way in hell I'd let any of them touch my network :)
almost as irrelevant as Mike McCarthy (Fedora Core 2) and Res (Fedora Core 1) talking about SELinux
I guess their dominating the list all day last Friday wasn't enough though.
I'm perfectly willing to let Mike and Res go on and on with the topic...I'm done with this thread.
And as relevant as your post. Guess what: pot, kettle, black, Mr White. You have also contributed to the very high noise level of this thread with useless comments.
On Mon, 2007-09-24 at 15:46 -0500, Mike McCarty wrote:
I fail to see the relevance. You're using an ad-hominem argument "in reverse" so to speak.
Point of order: No. It's rather Argumentum ad Verecundiam inasmuch as the validity of the claim (regarding SELinux) doesn't necessarily follow from the credibility of the source (Alan Cox).
It's, technically, a logical fallacy of relevance, but in this case, I'd have to concede that Alan probably has some useful and trustworthy input regarding the subject.
I note you neglected to include and comment on the fact that if a box is taken it *is* taken and there's not a thing SELinux can do shit about it, sure SELinux might be all dandy for some clueless tart who has nfi about
For a large number of cases SELinux in the basic setup will stop an exploit getting from something like core dumping the web server to executing arbitrary code. That's a big help.
There are also cases it won't help you. It really comes into its own when you do custom setups for highly secure systems but that isn't a shippable generic policy and most users would certainly hate such a locked down box.
securing their PC and is directly connected to the net, but to large ISPs it's a complete hindrance and nuisance, but since we have ceased use
I know several large ISP's who use SELinux extensively.
of all RH products as servers as at EOL of RH9 (the last decent RH released product) and moved them all to Slackware, we don't have any problem, tried earlier Fedoras, but that was never going to last with so little update maintenance time frames and instability and unreliability
Fedora isn't really intended for back end highly reliable boring server jobs; that's RHEL, CentOS, SLES etc. It's intended to be current, usable and dynamic.
If you like slackware, use it. If you don't like Fedora nobody is making you run it or sit on the list.
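The denials Alan Cox's reply is talking about, and the setroubleshoot statements requested earlier in the thread, are both derived from the kernel's AVC records in the audit log. As an added example (not code from the thread, from Fedora or from setroubleshoot), here is a small Python parser over a constructed audit.log excerpt that groups denials by the subject type, object type, class and permission an allow rule would have to name, and flags those that recur across days; the pids, inodes, paths and timestamps are invented.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed excerpt of /var/log/audit/audit.log (made-up pids, inodes, paths and
# timestamps, not captured from any real host). The layout follows the kernel's AVC
# record format:  type=AVC msg=audit(secs.msec:serial): avc:  denied  { perms } for  key=value ...
# A SYSCALL record is included to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190385812.553:1234): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190385812.553:1235): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/jdl/public_html/index.html" dev=sda2 ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1190385812.553:1234): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1190472212.101:2048): avc:  denied  { read } for  pid=2401 comm="httpd" name="index.html" dev=sda2 ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190472300.777:2049): avc:  denied  { execmem } for  pid=2401 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1190472400.002:2050): avc:  denied  { write } for  pid=2600 comm="named" name="named.conf" dev=sda2 ino=98765 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:named_conf_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
TS_RE = re.compile(r"msg=audit\((?P<secs>\d+)\.\d+:\d+\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """user:role:type:level -> type. Policy rules are written on the type component."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


@dataclass(frozen=True)
class AvcDenial:
    timestamp: int   # whole seconds from the audit(...) stamp
    perms: tuple     # e.g. ("read",) or ("read", "write")
    comm: str        # process name as the kernel saw it
    scontext: str    # subject (process) security context
    tcontext: str    # object (file, socket, process, ...) security context
    tclass: str      # object class: file, tcp_socket, process, ...
    target: str      # path=, name= or dest= when the record carries one, else ""

    def key(self):
        """What an allow rule would have to name: (subject type, object type, class, perms)."""
        return (_type_of(self.scontext), _type_of(self.tcontext), self.tclass, self.perms)


def parse_avc_line(line):
    """Return an AvcDenial for one audit record, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m or m.group("result") != "denied":
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated record: refuse rather than guess at the missing context
    ts = TS_RE.search(line)
    return AvcDenial(
        timestamp=int(ts.group("secs")) if ts else 0,
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        target=fields.get("path") or fields.get("name") or fields.get("dest") or "",
    )


def parse_audit_log(text):
    """All AVC denials in a log excerpt, in file order; other record types are dropped."""
    return [d for d in map(parse_avc_line, text.splitlines()) if d is not None]


def summarize(denials):
    """Count denials per (source type, target type, class, perms); thousands of lines
    in a noisy log usually collapse to a handful of distinct keys."""
    return Counter(d.key() for d in denials)


def repeated_across_days(denials):
    """Keys seen on more than one calendar day: the 'same error every day' pattern,
    which points at a persistent labelling or policy gap rather than a one-off event."""
    days = defaultdict(set)
    for d in denials:
        days[d.key()].add(datetime.fromtimestamp(d.timestamp, tz=timezone.utc).date())
    return {k for k, seen in days.items() if len(seen) > 1}


def report(denials):
    """One line per distinct denial, most frequent first; the kind of summary worth
    attaching to a bug report instead of the raw log."""
    recurring = repeated_across_days(denials)
    lines = []
    for (stype, ttype, tclass, perms), n in summarize(denials).most_common():
        note = "  (recurs on more than one day)" if (stype, ttype, tclass, perms) in recurring else ""
        lines.append(f"{n:3d}x  {stype} -> {ttype} [{tclass}] {{ {' '.join(perms)} }}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_audit_log(SAMPLE_AUDIT_LOG))))
```

In permissive mode the same records are written without the access being blocked, which is what makes that mode useful for seeing what a policy would deny before switching to enforcing.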
On Sat, 22 Sep 2007, Alan Cox wrote:
There are also cases it won't help you. It really comes into its own when you do custom setups for highly secure systems but that isn't a shippable generic policy and most users would certainly hate such a locked down box.
This applies not only to dedicated hosting but shared hosting as well
ISPs it's a complete hindrance and nuisance, but since we have ceased use
I know several large ISP's who use SELinux extensively.
That's their choice; it's the choice of many not to go near it because they have been bitten before. 8/10 I know who have used it have cursed it and therefore no longer touch it.
So why is it mandatory to install it? It's bloatware. I mean, you don't install bind, apache, mysql and christ knows whatever else on a server (or desktop for that matter) if you have no intention of running or using that service, so it's much the same situation.
Res wrote:
[snip]
So why is it mandatory to install it? It's bloatware. I mean, you don't install bind, apache, mysql and christ knows whatever else on a server (or desktop for that matter) if you have no intention of running or using that service, so it's much the same situation.
I'll take the other side of the fence for a second...
Because SELinux is not a "thing", it is a way of writing apps. In order to put SELinux into place, they modified 50 or so apps. Each of these would need to be split into pieces, and the pieces put into shared objects, and the shared objects shipped in two forms, one with SELinux in them, and one not, or the apps themselves would need to be shipped in two forms, one with and one without SELinux.
It's a pervasive sort of thing.
So, the QA would be greater, and the packaging effort would increase.
The changes to the installer wouldn't be all that great, I suppose. Also, it would be easy not to install the GUI and management programs.
But not the apps which are "SELinux aware", like "ls", "mv", "cp", "ps", "install", "login", "ssh", etc. They all have code in them specific to SELinux. And really not to install SELinux would require two copies of "ls" and "find", as an example.
Presumably, RH is of the opinion that it would be expending effort for very little if any return.
Mike
On Mon, 2007-09-24 at 15:58 -0500, Mike McCarty wrote:
Because SELinux is not a "thing", it is a way of writing apps.
No, no no! How many times does this have to be explained?
Applications don't need to know anything about SELinux in order to be under its purview. Only applications that need to interact with SELinux in some way need to know about it. I can easily write a program that tries to open a forbidden resource and SELinux can most easily prevent it despite that my application only #includes stdio.h and knows nothing of the hidden hand that blocks it.
Alan M. Evans wrote:
On Mon, 2007-09-24 at 15:58 -0500, Mike McCarty wrote:
Because SELinux is not a "thing", it is a way of writing apps.
No, no no! How many times does this have to be explained?
Applications don't need to know anything about SELinux in order to be under its purview. Only applications that need to interact with SELinux in some way need to know about it. I can easily write a program that tries to open a forbidden resource and SELinux can most easily prevent it despite that my application only #includes stdio.h and knows nothing of the hidden hand that blocks it.
Well, in one way it is a way of writing apps - you have to write apps that are well behaved if they are going to run with SELinux. Then again, you should be writing apps that way anyway. You could say that SELinux forces you to write better code. ;-)
Mikkel
On 9/24/07, Mikkel L. Ellertson mikkel@infinity-ltd.com wrote:
Alan M. Evans wrote:
On Mon, 2007-09-24 at 15:58 -0500, Mike McCarty wrote:
Because SELinux is not a "thing", it is a way of writing apps.
No, no no! How many times does this have to be explained?
Applications don't need to know anything about SELinux in order to be under its purview. Only applications that need to interact with SELinux in some way need to know about it. I can easily write a program that tries to open a forbidden resource and SELinux can most easily prevent it despite that my application only #includes stdio.h and knows nothing of the hidden hand that blocks it.
Well, in one way it is a way of writing apps - you have to write apps that are well behaved if they are going to run with SELinux. Then again, you should be writing apps that way anyway. You could say that SELinux forces you to write better code. ;-)
Mikkel
change "with" to "under", since most people are running SELinux in targeted mode
Alan M. Evans wrote:
On Mon, 2007-09-24 at 15:58 -0500, Mike McCarty wrote:
Because SELinux is not a "thing", it is a way of writing apps.
No, no no! How many times does this have to be explained?
See below. My objection to SELinux is not due to my ignorance of what it is.
Applications don't need to know anything about SELinux in order to be under its purview. Only applications that need to interact with SELinux
I didn't say that. You are arguing against something I emphatically did not say. I particularly object to you asking "how many times does this have to be explained" like I am some sort of idiot.
in some way need to know about it. I can easily write a program that tries to open a forbidden resource and SELinux can most easily prevent it despite that my application only #includes stdio.h and knows nothing of the hidden hand that blocks it.
I KNOW what SELinux is. I KNOW how it is intended to work.
How many times does THAT need to be explained?
The apps I'm talking about are find, ls, mv, cp, ssh, etc.
Mike
On Mon, 2007-09-24 at 17:43 -0500, Mike McCarty wrote:
I KNOW what SELinux is. I KNOW how it is intended to work.
Then why do you keep making demonstrably false statements about it? You started off saying that your hardware firewall provided sufficient protection. Then you kept screaming that you knew all about how it worked even as multiple people tried in vain to explain that SELinux was there to help in cases that the firewall wouldn't help with. More recently, you've claimed that it works, mechanically, just like MSDOS Flu-shot+. To those who actually know what SELinux is about, neither of those is true.
How many times does THAT need to be explained?
Until that other Mike McCarty stops posting crap about SELinux.
The apps I'm talking about are find, ls, mv, cp, ssh, etc.
Since the file contexts are required by the kernel, I see no reason (none) that ls shouldn't be able to show them to me based on a command line parameter. Otherwise, it's not "taking up cycles" as you have said.
Alan M. Evans wrote:
On Mon, 2007-09-24 at 17:43 -0500, Mike McCarty wrote:
I KNOW what SELinux is. I KNOW how it is intended to work.
Then why do you keep making demonstrably false statements about it? You started off saying that your hardware firewall provided sufficient protection. Then you kept screaming that you knew all about how it
For my machine, yes.
worked even as multiple people tried in vain to explain that SELinux was there to help in cases that the firewall wouldn't help with. More
I understand what it is intended to do.
recently, you've claimed that it works, mechanically, just like MSDOS Flu-shot+. To those who actually know what SELinux is about, neither of those is true.
No, not "just like..." anything. However, it works similarly in attempting to trap accesses which are considered suspect. I wasn't trying to draw any closer analogy than that.
How many times does THAT need to be explained?
Until that other Mike McCarty stops posting crap about SELinux.
The apps I'm talking about are find, ls, mv, cp, ssh, etc.
Since the file contexts are required by the kernel, I see no reason (none) that ls shouldn't be able to show them to me based on a command line parameter. Otherwise, it's not "taking up cycles" as you have said.
Yes, "ls" doesn't. Other things do. I don't see why "ls" would need to do anything more than have a few more bytes to format the state of the extended attributes.
Mike
Arthur Pemberton wrote:
That comment doesn't seem to have been written with the intention of attracting constructive responses. I fear sysadmins who are always quick to say that they don't have time.
I fear people who believe that they know better than me what software to install and run on my own machine.
Mike
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
That comment doesn't seem to have been written with the intention of attracting constructive responses. I fear sysadmins who are always quick to say that they don't have time.
I fear people who believe that they know better than me what software to install and run on my own machine.
Feel free to point those people out.
Arthur Pemberton wrote:
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
That comment doesn't seem to have been written with the intention of attracting constructive responses. I fear sysadmins who are always quick to say that they don't have time.
I fear people who believe that they know better than me what software to install and run on my own machine.
Feel free to point those people out.
Arthur Pemberton, for one.
Mike
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
That comment doesn't seem to have been written with the intention of attracting constructive responses. I fear sysadmins who are always quick to say that they don't have time.
I fear people who believe that they know better than me what software to install and run on my own machine.
Feel free to point those people out.
Arthur Pemberton, for one.
I have not argued that _you_ should run SELinux. I'm just arguing that SELinux is the waste of time that people make it seem.
If I did in fact attempt to tell you what software should run on your own machine, my apologies. However, removing SELinux wholesale takes away my opportunity to use it, keeping it allows you to use it, or disable it.
Arthur Pemberton wrote:
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
That comment doesn't seem to have been written with the intention of attracting constructive responses. I fear sysadmins who are always quick to say that they don't have time.
I fear people who believe that they know better than me what software to install and run on my own machine.
Feel free to point those people out.
Arthur Pemberton, for one.
I have not argued that _you_ should run SELinux. I'm just arguing that SELinux is the waste of time that people make it seem.
If I did in fact attempt to tell you what software should run on your own machine, my apologies. However, removing SELinux wholesale takes
Accepted.
away my opportunity to use it, keeping it allows you to use it, or disable it.
Umm, I haven't lobbied for that. What I have lobbied for is the ability to install or not. I haven't lobbied for removing it. If you want to run SELinux, fine for you. I don't. I don't want it on my machine. So far, RH has provided tools which only know how to install a version of Linux which has SELinux in it. I'd like the option NOT to install it, and have it not be on my machine.
When I installed, there were a LOT of packages I chose not to install. Like PERL DEVEL, for example. I don't have little bits and pieces of PERL DEVEL running at odd moments and doing little things, waking up and realizing they have nothing to do, then going back to sleep every so often. How would you feel if the PERL DEVEL package (or pick any other package you didn't want, say Open Office) ALWAYS installed, running every so often, checking if you wanted them to do something, deciding that you didn't and then go back to sleep?
What if GCC were a non-optional part of the distro, and that it woke up several times a second, checked for files to compile in the "to be compiled spool queue", and then would go back to sleep? Each time a file got saved from an editor, it would wake up and check for a .C or .H extension, check its enforcement rules, and if it thought it needed to would automatically kick off a compile. And you couldn't remove it?
Wouldn't you have a natural reaction of WTH IS THAT CRAP DOING ON MY MACHINE? I didn't want to install it!
Would you be mollified by "Well, all you have to do is set a flag, and then every time GCC woke up, it would know that you didn't want to compile, and it would go back to sleep, but it would be even better if you developed a good set of rules so it could automatically compile for you when you need it."? And if you argued "I don't EVER want to compile like that" the answer is "But you SHOULD, and we're not all going to do things your way! And if we remove that, then those of us who want it won't have it!"
What if ALL the development packages worked that way? PERL, TCL, GCC, G++, FORTRAN, PASCAL, all those compilers get a shot at files when they get saved, and based on rules they would take action. If you don't want that, well just set the "disable" flag for each of them. Open Office. You name it. Make all of them get a shot at each file and see what they need to do.
Ridiculous?
Well, that's my reaction to SELinux. I don't want it, and see no reason for me to put up with it if I don't care to, even in a "disabled" state.
Frankly, I don't understand why ANYONE would not prefer things the way I see them. I don't understand the idea of installing lots of code, which wakes up and realizes it has nothing to do over and over, by noting a "disabled" flag. Translate what we're being asked to accept with SELinux to other packages, and it seems ludicrous.[*]
ISTM that a preferable way to handle it is to change the implementation such that one simply does not install what one does not want. The fact that a "disable" state exists proves that some, at least, of the supporters and developers of SELinux recognize that not everyone will want it. Why force those who don't want it to install it, run it, but make it do nothing?
[*] Well, it does to me, anyway. If the scenarios I described above seem natural to you, then we don't have much in common.
Mike
Umm, I haven't lobbied for that. What I have lobbied for is the ability to install or not. I haven't lobbied for removing it. If you want to run SELinux, fine for you. I don't. I don't want it on my machine. So far, RH has provided tools which only know how to install a version of Linux which has SELinux in it. I'd like the option NOT to install it, and have it not be on my machine.
There is. It's called Ubuntu...
Humor aside, any distro makes some decisions for you as to what you will or will not have installed. You choose to install Fedora, fine, you choose
- To use rpm as the package management system
- To use a 2.6.X kernel[1]
- To have gnome as the default desktop.
- To have selinux
- To not have easy access to various 'non-free' software packages
etc. etc.
you pays your money (or not, in the case of fedora) you takes your choice.
If you are so against SELinux why on earth do you choose to use Fedora?
Chris
1. If you use a half recent Fedora release
Chris Jones wrote:
Umm, I haven't lobbied for that. What I have lobbied for is the ability to install or not. I haven't lobbied for removing it. If you want to run SELinux, fine for you. I don't. I don't want it on my machine. So far, RH has provided tools which only know how to install a version of Linux which has SELinux in it. I'd like the option NOT to install it, and have it not be on my machine.
There is. It's called Ubuntu...
I found this statement suspect, at least, since Debian has had SELinux in it for some time, and AIUI Ubuntu is a Debian derivative. I looked, and Ubuntu has SELinux.
[snip]
If you are so against SELinux why on earth do you choose to use Fedora?
I got an employment contract, and the people I contracted for wanted that I be able to boot WinXP and Fedora. So, I have a machine which is dual boot WinXP and FC2.
On my own, I wouldn't have chosen Fedora. On my own, I wouldn't have chosen WinXP.
Given that I have the machine, and it is dual boot WinXP/FC2, it remains that way. When the time comes that I feel I really must install something newer, it won't be Fedora.
In the meantime, I remain a Fedora User.
Mike
On Monday 24 September 2007 10:11:45 pm Mike McCarty wrote:
Chris Jones wrote:
Umm, I haven't lobbied for that. What I have lobbied for is the ability to install or not. I haven't lobbied for removing it. If you want to run SELinux, fine for you. I don't. I don't want it on my machine. So far, RH has provided tools which only know how to install a version of Linux which has SELinux in it. I'd like the option NOT to install it, and have it not be on my machine.
There is. It's called Ubuntu...
I found this statement suspect, at least, since Debian has had SELinux in it for some time, and AIUI Ubuntu is a Debian derivative. I looked, and Ubuntu has SELinux.
I may be wrong but I thought you have to go out of your way to have SELinux with Ubuntu, it's not there in a default install.
Even if it is, replace Ubuntu with "Any-distro-without-SELinux" and my argument still stands.
I got an employment contract, and the people I contracted for wanted that I be able to boot WinXP and Fedora. So, I have a machine which is dual boot WinXP and FC2.
On my own, I wouldn't have chosen Fedora. On my own, I wouldn't have chosen WinXP.
Given that I have the machine, and it is dual boot WinXP/FC2, it remains that way. When the time comes that I feel I really must install something newer, it won't be Fedora.
In the meantime, I remain a Fedora User.
Any company that ties itself to FC2 is not one I wish to have dealings with. If they aren't aware of the potential problems involved in running that OS then I question their competence.
Chris
On Fri, 2007-09-28 at 21:28 +0100, Chris Jones wrote:
...
<sigh> I was so hoping this thread had died. Could somebody please drive a stake through its heart?
On Fri, 2007-09-28 at 17:33 -0400, Matthew Saltzman wrote:
<sigh> I was so hoping this thread had died. Could somebody please drive a stake through its heart?
Attempting to accommodate... I'll invoke Godwin's Law: "Damn nazis!"
Somebody in the thread at some point said:
Selinux is another layer of security, it isn't a replacement of any security layers, I see no reason why anyone feels such apparent hostility to this piece of technology.
I can remember how it made me feel in the early days of it, extreme frustration that it was blocking what I was asking to happen. That frustration ended up dumped on selinux because it built up over the minutes looking for what I had managed to do wrong, before finally finding the AVC and putting two and two together and realizing I didn't do anything wrong: *IT* thought it knew better.
Simply recognizing that problems with permissions, failure to start services or whatever should first cause a check on /var/log/messages reduced the chance for frustration to build up. That and the fact the targeted policies now really match what "many" people are doing with the services, with almost enough bools to customize it in all the main ways.
-Andy
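The "check /var/log/messages first" advice above is the whole method; as an added example (not code from the thread), here is the first pass a practitioner makes over those lines: pick out the AVC records and summarise the denials by source type, target type, object class and permission, which tells you whether you are looking at one misbehaving boolean, a mislabelled file, or something that genuinely needs a local policy module. The sample log lines are constructed for this example in the 2007-era syslog format (kernel audit messages logged when auditd is not running), not a real capture; the hostname and the type names are illustrative.

```python
"""Added example, not code from the thread: summarise AVC denials from syslog lines.

SAMPLE_LOG is constructed for this example (kernel "audit(...)" messages as they
appeared in /var/log/messages when auditd was not running); it is not a capture.
"""
import re
from collections import Counter

SAMPLE_LOG = [
    'Sep 21 10:42:13 coyote kernel: audit(1190385733.123:45): avc:  denied  { read } for  '
    'pid=2471 comm="httpd" name="index.html" dev=sda3 ino=12345 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Sep 21 10:42:14 coyote sshd[2500]: Accepted publickey for gene from 192.168.1.2 port 4022 ssh2',
    'Sep 21 10:42:15 coyote kernel: audit(1190385735.201:46): avc:  denied  { read } for  '
    'pid=2471 comm="httpd" name="index.html" dev=sda3 ino=12345 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Sep 21 10:43:02 coyote kernel: audit(1190385782.017:47): avc:  denied  { read write } for  '
    'pid=1980 comm="cupsd" name="lp0" dev=tmpfs ino=3310 '
    'scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file',
    'Sep 21 10:43:40 coyote kernel: audit(1190385820.555:48): avc:  granted  { setenforce } for  '
    'pid=3001 comm="setenforce" scontext=root:system_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security',
    'Sep 21 10:44:09 coyote kernel: audit(1190385849.332:49): avc:  denied  { read write } for  '
    'pid=3120 comm="heyu" name="ttyUSB0" dev=tmpfs ino=4410 '
    'scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file',
]

# "avc:  denied  { read write } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "action": m.group("action"),
        "perms": frozenset(m.group("perms").split()),
        "pid": int(fields["pid"]) if fields.get("pid", "").isdigit() else None,
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def context_type(context):
    """user:role:type[:range] -> type; policy rules and booleans are written against the type."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(lines):
    """Count denials by (source type, target type, object class, sorted permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
               rec["tclass"], tuple(sorted(rec["perms"])))
        counts[key] += 1
    return counts


def report(counts):
    """One line per distinct denial, most frequent first."""
    return [
        f"{n:4d}  {src} -> {tgt} ({tclass}) {{ {' '.join(perms)} }}"
        for (src, tgt, tclass, perms), n in counts.most_common()
    ]


if __name__ == "__main__":
    for line in report(summarize_denials(SAMPLE_LOG)):
        print(line)
```

Granted records and ordinary syslog traffic are dropped on purpose; what matters at this stage is the repeated (source type, target type, class) combinations, because a pattern like httpd_t reading user_home_t is the signature of something a targeted-policy boolean already exists for, while a one-off denial on a device node usually means the device is labelled wrong rather than that the policy is.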
Arthur Pemberton wrote:
Selinux is another layer of security, it isn't a replacement of any security layers, I see no reason why anyone feels such apparent hostility to this piece of technology.
While I'm not hostile to SELinux, I'm also not convinced it actually gives any protection in the real world. I've never seen anyone say, "Thank God I was running SELinux, or I would have been in a mess".
I see at once from my logwatch that thousands of lunatics are hurling silly packets at my machine, and I'm grateful to shorewall for keeping them out.
I suspect that at the moment SELinux is more of an advertising ploy, "Windows cannot be secured, but Linux can", than a useful defence against any real danger.
There probably will be a real danger in the future, if Linux thrives. So it is certainly a good idea to build up defences now.
Personally, I run SELinux in permissive mode, intending to see what it turns up - one day, when I have time ...
Timothy Murphy wrote:
Arthur Pemberton wrote:
Selinux is another layer of security, it isn't a replacement of any security layers, I see no reason why anyone feels such apparent hostility to this piece of technology.
While I'm not hostile to SELinux, I'm also not convinced it actually gives any protection in the real world. I've never seen anyone say, "Thank God I was running SELinux, or I would have been in a mess".
Mambo Exploit Blocked by SELinux http://interactive.linuxjournal.com/article/9176
On Friday 21 September 2007, William Hooper wrote:
Timothy Murphy wrote:
Arthur Pemberton wrote:
Selinux is another layer of security, it isn't a replacement of any security layers, I see no reason why anyone feels such apparent hostility to this piece of technology.
While I'm not hostile to SELinux, I'm also not convinced it actually gives any protection in the real world. I've never seen anyone say, "Thank God I was running SELinux, or I would have been in a mess".
Mambo Exploit Blocked by SELinux http://interactive.linuxjournal.com/article/9176
Interesting link, which prompted me to run chkrootkit -q here, which output what appears to be a typo on my part:

Searching for anomalies in shell history files...
Warning: `' is linked to another file
If I could find it, I'd kill it, but howinhell does one find that?
Thanks William.
William Hooper wrote:
While I'm not hostile to SELinux, I'm also not convinced it actually gives any protection in the real world. I've never seen anyone say, "Thank God I was running SELinux, or I would have been in a mess".
Mambo Exploit Blocked by SELinux http://interactive.linuxjournal.com/article/9176
OK, that is getting nearer; but as far as I can see, the guy in this case was running some kind of web development server (Mambo) on his machine, and a hacker had targeted this particular server.
I wouldn't be doing anything so esoteric, so still wouldn't feel in great danger. Also, I was struck by the amount of trouble the man had to go to to work out what had happened. I wouldn't be up to that, so SELinux in this case would be wasted on me.
On Fri, Sep 21, 2007 at 06:51:32PM +0100, Timothy Murphy wrote:
but as far as I can see, the guy in this case was running some kind of web development server (Mambo) on his machine, and a hacker had targeted this particular server. I wouldn't be doing anything so esoteric,
Mambo is a popular content management system. That doesn't necessarily count as esoteric.
On 9/21/07, Timothy Murphy tim@birdsnest.maths.tcd.ie wrote:
William Hooper wrote:
While I'm not hostile to SELinux, I'm also not convinced it actually gives any protection in the real world. I've never seen anyone say, "Thank God I was running SELinux, or I would have been in a mess".
Mambo Exploit Blocked by SELinux http://interactive.linuxjournal.com/article/9176
OK, that is getting nearer; but as far as I can see, the guy in this case was running some kind of web development server (Mambo) on his machine, and a hacker had targeted this particular server.
I wouldn't be doing anything so esoteric, so still wouldn't feel in great danger. Also, I was struck by the amount of trouble the man had to go to to work out what had happened. I wouldn't be up to that, so SELinux in this case would be wasted on me.
So because you do not deploy such apps, does it make it useless? Or are you not one of those who hold that SELinux is entirely a waste of time?
Arthur Pemberton wrote:
Mambo Exploit Blocked by SELinux http://interactive.linuxjournal.com/article/9176
OK, that is getting nearer; but as far as I can see, the guy in this case was running some kind of web development server (Mambo) on his machine, and a hacker had targeted this particular server.
I wouldn't be doing anything so esoteric, so still wouldn't feel in great danger. Also, I was struck by the amount of trouble the man had to go to to work out what had happened. I wouldn't be up to that, so SELinux in this case would be wasted on me.
So because you do not deploy such apps, does it make it useless? Or are you not one of those who hold that SELinux is entirely a waste of time?
Sigh. I didn't say SELinux was useless. I said I run it in permissive mode, and hope one day to have time and inclination to see what it finds.
I was speaking purely personally; I don't feel under imminent attack from anything that SELinux might stop, just as I don't feel it likely a suicide bomber will target my home. One has to make a rough internal estimate of the likelihood of different disasters. It is 1000 times more likely that my wife will spill coffee on my laptop than it is that someone will get through my firewall and edit my files.
On 9/21/07, Timothy Murphy tim@birdsnest.maths.tcd.ie wrote:
Arthur Pemberton wrote:
Mambo Exploit Blocked by SELinux http://interactive.linuxjournal.com/article/9176
OK, that is getting nearer; but as far as I can see, the guy in this case was running some kind of web development server (Mambo) on his machine, and a hacker had targeted this particular server.
I wouldn't be doing anything so esoteric, so still wouldn't feel in great danger. Also, I was struck by the amount of trouble the man had to go to to work out what had happened. I wouldn't be up to that, so SELinux in this case would be wasted on me.
So because you do not deploy such apps, does it make it useless? Or are you not one of those who hold that SELinux is entirely a waste of time?
Sigh. I didn't say SELinux was useless. I said I run it in permissive mode, and hope one day to have time and inclination to see what it finds.
I was speaking purely personally; I don't feel under imminent attack from anything that SELinux might stop, just as I don't feel it likely a suicide bomber will target my home. One has to make a rough internal estimate of the likelihood of different disasters. It is 1000 times more likely that my wife will spill coffee on my laptop than it is that someone will get through my firewall and edit my files.
Cool, hence why I put in the 'or' in my question.
Around 07:20pm on Friday, September 21, 2007 (UK time), Timothy Murphy scrawled:
It is 1000 times more likely that my wife will spill coffee on my laptop than it is that someone will get through my firewall and edit my files.
Bloody clumsy wives - I am with you brother :-)
Steve
On 9/21/07, Timothy Murphy tim@birdsnest.maths.tcd.ie wrote:
Arthur Pemberton wrote:
Selinux is another layer of security, it isn't a replacement of any security layers, I see no reason why anyone feels such apparent hostility to this piece of technology.
While I'm not hostile to SELinux, I'm also not convinced it actually gives any protection in the real world. I've never seen anyone say, "Thank God I was running SELinux, or I would have been in a mess".
So... would you like me to tell a story of why I like SELinux? And how it saved me from my own weak sysadmin practices?
I see at once from my logwatch that thousands of lunatics are hurling silly packets at my machine, and I'm grateful to shorewall for keeping them out.
Please. Let's keep firewalls out of the topic; SELinux is complementary to firewalls.
I suspect that at the moment SELinux is more of an advertising ploy, "Windows cannot be secured, but Linux can", than a useful defence against any real danger.
Your suspicions, while reasonable are untrue.
There probably will be a real danger in the future, if Linux thrives. So it is certainly a good idea to build up defences now.
The earlier we start, the better.
Personally, I run SELinux in permissive mode, intending to see what it turns up - one day, when I have time ...
I either run it (in targeted mode) or I don't - I do on servers, don't on desktops/laptops
Arthur Pemberton wrote:
I either run it (in targeted mode) or I don't - I do on servers, don't on desktops/laptops
Then we are agreed on this point, at least: If SELinux has benefit, then it is still an installation dependent issue whether the cost outweighs the benefit, or vice versa. I have a desktop which has exactly one LAN connected machine, my firewall. The firewall on the WAN side is connected exactly to one machine, an ADSL modem.
It does not make sense to install and run software which one does not ever intend to use. Simply having it on the machine but disabled makes the machine potentially less secure, but gives no benefit. Even "disabled", it is present, and code is actively being executed, though I'm sure much less of it gets executed than otherwise.
Mike
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
I either run it (in targeted mode) or I don't - I do on servers, don't on desktops/laptops
Then we are agreed on this point, at least: If SELinux has benefit, then it is still an installation dependent issue whether the cost outweighs the benefit, or vice versa. I have a desktop which has exactly one LAN connected machine, my firewall. The firewall on the WAN side is connected exactly to one machine, an ADSL modem.
It does not make sense to install and run software which one does not ever intend to use. Simply having it on the machine but disabled makes the machine potentially less secure, but gives no benefit. Even "disabled", it is present, and code is actively being executed, though I'm sure much less of it gets executed than otherwise.
Mike
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
Oppose globalization and One World Governments like the UN.
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!
I don't think it is even possible to have SELinux work as a separate type of install. If so, push for that. The selinux tools are userland, but I'm pretty sure (subject to correction) that SELinux is part of the kernel itself.
Maybe you could ask for a non selinux kernel to be made available for Fedora.
However, just to speak to one of your past points, if you're not worried about the attack vectors that SELinux prevents, I don't think you should be worried with the (possible) attack vectors that the disabled SELinux code introduces.
On Fri, 2007-09-21 at 13:31 -0500, Mike McCarty wrote:
Arthur Pemberton wrote:
I either run it (in targeted mode) or I don't - I do on servers, don't on desktops/laptops
Then we are agreed on this point, at least: If SELinux has benefit, then it is still an installation dependent issue whether the cost outweighs the benefit, or vice versa. I have a desktop which has exactly one LAN connected machine, my firewall. The firewall on the WAN side is connected exactly to one machine, an ADSL modem.
It does not make sense to install and run software which one does not ever intend to use. Simply having it on the machine but disabled makes the machine potentially less secure, but gives no benefit. Even "disabled", it is present, and code is actively being executed, though I'm sure much less of it gets executed than otherwise.
The SELinux kernel code unhooks itself from the kernel code paths if you use SELINUX=disabled in /etc/selinux/config (and never hooks at all if you use selinux=0 in grub.conf). So the kernel code is not actively executed when disabled.
The userland code should be doing an is_selinux_enabled() check before doing SELinux processing, and skipping it if disabled. If not, then that's a bug.
If you want to be able to remove the libraries (e.g. libselinux), someone would need to rework the users of the libraries to use dlopen() and friends to dynamically lookup the selinux symbols and fall back to non-selinux behavior if not present rather than linking against libselinux at build time. Doable, but at a cost (in time to rework all calling code, and in runtime for the dlopen). If you want to make that happen, patches that implement such changes are the best way...
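The two points in the post above, an is_selinux_enabled() check before any SELinux work and a run-time lookup of the library with a non-SELinux fallback instead of a link-time dependency, can be shown end to end without touching the package build. What follows is an added example, not code from the thread and not part of libselinux: it does the lookup from Python with ctypes (the Python analogue of dlopen()/dlsym()), checks for the symbols it needs, asks is_selinux_enabled() before calling anything else, and falls back to reading the security.selinux extended attribute, which is where the file context lives on disk and is what ls -Z formats. The soname "libselinux.so.1" is the one shipped on Fedora; that name, the function names LIBSELINUX_SONAME, load_libselinux, selinux_state, raw_file_context and file_context, and the use of the xattr as the fallback are this example's assumptions, not something the post states.

```python
"""Added example, not code from the thread or from libselinux: optional use of
libselinux with a fallback that works when the library is absent or SELinux is
disabled. Soname and xattr name are assumptions (Fedora conventions)."""
import ctypes
import os

LIBSELINUX_SONAME = "libselinux.so.1"   # assumption: Fedora/RHEL soname


def load_libselinux(soname=LIBSELINUX_SONAME):
    """dlopen() libselinux; return None if it is absent or lacks the symbols we need."""
    try:
        lib = ctypes.CDLL(soname)
    except OSError:
        return None
    # Check for the symbols before trusting the handle, as a C caller would
    # check each dlsym() result instead of assuming a link-time dependency.
    for symbol in ("is_selinux_enabled", "getfilecon", "freecon"):
        if not hasattr(lib, symbol):
            return None
    lib.is_selinux_enabled.restype = ctypes.c_int
    lib.getfilecon.argtypes = [ctypes.c_char_p, ctypes.POINTER(ctypes.c_char_p)]
    lib.getfilecon.restype = ctypes.c_int
    lib.freecon.argtypes = [ctypes.c_char_p]
    lib.freecon.restype = None
    return lib


def selinux_state(lib):
    """-1: no libselinux; 0: SELinux disabled (SELINUX=disabled or selinux=0);
    1: enabled (enforcing or permissive; is_selinux_enabled() does not tell them apart)."""
    if lib is None:
        return -1
    return 1 if lib.is_selinux_enabled() > 0 else 0


def raw_file_context(path):
    """Fallback needing no libselinux: the context is the security.selinux xattr.
    Returns None when the attribute is not there (e.g. a non-SELinux system)."""
    try:
        value = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):   # ENODATA/ENOTSUP, or os has no getxattr
        return None
    return value.rstrip(b"\0").decode(errors="replace")


def file_context(path, lib):
    """Return (how, context): libselinux only when loaded and SELinux is enabled,
    else the raw xattr, else nothing. The program keeps working in every case."""
    if selinux_state(lib) == 1:
        con = ctypes.c_char_p()
        if lib.getfilecon(os.fsencode(path), ctypes.byref(con)) >= 0 and con.value is not None:
            context = con.value.decode(errors="replace")
            lib.freecon(con)              # getfilecon() allocates; free it like C would
            return ("libselinux", context)
    context = raw_file_context(path)
    return ("xattr", context) if context is not None else ("none", None)


if __name__ == "__main__":
    lib = load_libselinux()
    print("selinux_state:", selinux_state(lib))
    print("context of .:", file_context(".", lib))
```

On a box with SELinux disabled the first branch is skipped entirely, which is the userland half of what the post describes; on a box with no libselinux at all the lookup returns None and nothing SELinux-specific runs. The xattr fallback is also why the "ls only needs a few more bytes to format the extended attributes" remark elsewhere in the thread is right in substance: the context is an ordinary extended attribute on the inode.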
Stephen Smalley wrote:
The SELinux kernel code unhooks itself from the kernel code paths if you use SELINUX=disabled in /etc/selinux/config (and never hooks at all if you use selinux=0 in grub.conf). So the kernel code is not actively executed when disabled.
That, at least, is somewhat a relief.
The userland code should be doing an is_selinux_enabled() check before doing SELinux processing, and skipping it if disabled. If not, then that's a bug.
I'm sure it's not the only one. :-)
If you want to be able to remove the libraries (e.g. libselinux), someone would need to rework the users of the libraries to use dlopen()
How about implementing a library with just appropriate stubs?
and friends to dynamically lookup the selinux symbols and fall back to non-selinux behavior if not present rather than linking against libselinux at build time. Doable, but at a cost (in time to rework all calling code, and in runtime for the dlopen). If you want to make that happen, patches that implement such changes are the best way...
If it had been done right the first time...
Mike
Res wrote:
On Fri, 21 Sep 2007, Ralf Corsepius wrote:
If SELinux was such an "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts on SELinux.
Ralf
Well put. Most of us in charge of ISP's, OSP's etc, won't touch it, because it has given many people in many companies, in many places around the world, many headaches, which I guess is why most DC's I've known to run RH, have all but 1 dumped it in moves to either Slackware or Debian, and if the suggestion made by someone that Debian is going
I'm not suggesting it, I'm STATING IT CATEGORICALLY:
[QUOTE MODE ON]
Debian SELinux support
The Debian packaged Linux kernels have had SELinux support compiled in (but disabled by default) since version 2.6.9. In order to activate SELinux the parameter selinux=1 must be passed to the kernel when booting. Alternatively, you can compile your own kernel with SELinux enabled by default.
The SELinux support is in constant flux, so it is generally recommended that you use an up-to-date installation of unstable if you want to experiment with SELinux (for instance, the Debian packaged kernels did not include "audit" support until version 2.6.13).
In addition to kernel modifications, several user-space application need to be modified to support SELinux properly. Patched versions of these should be in Debian unstable by now.
[QUOTE MODE OFF]
Original at http://wiki.debian.org/SELinux
Note that there is a difference between not having SELinux, and having SELinux, but disabled.
Hmm, Slackware doesn't have it yet. That would be better than LFS.
Mike
On Fri, 21 Sep 2007, Mike McCarty wrote:
I'm not suggesting it, I'm STATING IT CATEGORICALLY:
[QUOTE MODE ON]
Debian SELinux support
Well there ya go :) Not being a Debian user, but I suspect the guys who use it use versions that are years old, cause it worked.
Hmm, Slackware doesn't have it yet. That would be better than LFS.
Pat has more sense, he doesn't butcher his packages, they are essentially exactly as the writer of the software designed it, hence why it does not have the multitude of problems the likes of RH have with their hacked-to-shithouse software. I guess it is also why he can support his version releases for well beyond most others.
Res wrote:
Well put. Most of us in charge of ISP's, OSP's etc, won't touch it, because it has given many people in many companies, in many places around the world, many headaches, which I guess is why most DC's I've known to run RH, have all but 1 dumped it in moves to either Slackware or Debian,
Surely it would be much easier to turn off selinux than to change distribution? I mean, one takes 10 seconds, the other takes hours.
Res:
Well put. Most of us in charge of ISP's, OSP's etc, won't touch it, because it has given many people in many companies, in many places around the world, many headaches, which I guess is why most DC's I've known to run RH, have all but 1 dumped it in moves to either Slackware or Debian,
Timothy Murphy:
Surely it would be much easier to turn off selinux than to change distribution? I mean, one takes 10 seconds, the other takes hours.
Yes, exactly. The prior poster is just ranting. It's the same ignorant rant given out by some idiot admins about not using firewalls because they get in the way.
On Friday 21 September 2007, Res wrote:
On Fri, 21 Sep 2007, Ralf Corsepius wrote:
If SELinux was such an "terrific and compelling approach", upstream Linux and other distros would have adopted it _years ago_ with standing ovations - Fact is: Nobody did. => This is developers and maintainers having doubts on SELinux.
Ralf
Well put. Most of us in charge of ISP's, OSP's etc, won't touch it, because it has given many people in many companies, in many places around the world, many headaches, which I guess is why most DC's I've known to run RH, have all but 1 dumped it in moves to either Slackware or Debian, and if the suggestion made by someone that Debian is going the same way, then they will see an exodus as well going by trends on what's discussed at BBQ's on Saturday afternoons, they need to remember, senior network managers/engineers from competing networks in same cities tend to all know each other, and we all have many get-togethers, it only takes one person to mention a problem with a certain bit of software, even if just as a passing comment, it tends to stay in our minds, we will never make more work for ourselves than we already have.
--
Cheers Res
And that is well said, Res.
On Fri, 21 Sep 2007, Mike McCarty wrote:
Rahul Sundaram wrote:
[snip]
You might want to read up the two divisions of NSA and the differences between them and which division SELinux comes from. It has all been discussed before in fedora-selinux list if you want to take a look.
Since the RH devel team, in its wisdom, has decided that SELinux is not an optional package, it machts nichts. Anyone wishing to use RH or an RH derivative is going to get SELinux on his machine, period, full stop, end of story.
smells of micro$lop...
"You WILL have useless programs on your PC, no matter WHAT YOU THINK OR WANT, I simply don't care, i'll make it so that if you remove it, it breaks a lot of other things even though they don't need it in reality! It's the same as I decide what media formats you must use and screw you for thinking any different " --Bill Gates --Red Hat Inc.
on 9/21/2007 12:34 AM, Gene Heskett wrote:
On Thursday 20 September 2007, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
This way is, IMO, the crude way to do this. Turn SELinux off, if you choose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
Rahul, Stephen Smalley and I went round and round over this several months ago, and I frankly don't care what you put in whatever /etc/sysconfig file, and there have been at least 3 named here in the last 72 hours, if you really want to disable it AND use the machine for something other than a training exercise in writing selinux rules from scratch, and figuring out how to protect them from yum/smart update activities, you WILL use the "crude" way because it's the only one that actually works.
With this file in effect:

[root@coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted
cups was denied access to my usb printer.
heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a usb-serial adaptor. It was also denied access to a regular serial port when the cm11a was hooked up to one of the 2 very precious serial ports on this box.
bulldog, the monitor for belkin ups's, was denied access to both the serial port and the usb port to talk to the ups.
There were probably more no-shows on this busy machine, but by then I was ready to switch distros to something that didn't cross-breed with selinux. Stephen suggested I try the grub command I've quoted here, and magically everything started working once I'd undone the configuration messes I'd made trying to make it work when it had been working very well for FC2.
So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should be all that's required. That information has already been through the bovine digestive tract once, and should be treated as such, chopped up, and spread on a cornfield and plowed back in cuz that is all it's good for.
Worse yet, it's being spewed by people who have an image of being authoritative about it when by my personal testing, it's an outright lie.
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
Wow Gene. I did not mean to set you off. SELinux is designed to help *you* protect your Linux system from one of the major flaws in Windows: allowing unknown, bad executables to do strange things on your system without your permission or, at times, without your knowledge of it happening.
If you choose to turn this protection off that is most certainly your right. It is your system. If you don't feel that the protection is valuable then screw it.
But when that smiling hacker from somewhere finally decides that there are enough Linux users that think like Windows users he will write that program that will wipe out your milling program.
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve. It is a work in progress and when you use older releases it can cause problems.
Have a good day.
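The check a practitioner would want at this point in the exchange, as an added example that is not from the thread and not Fedora's own tooling: a small POSIX sh script that reads the SELINUX= line the way the config file is meant to be read (skipping the commented "# SELINUX= can take..." line that Gene's plain grep also matched), performs the enforcing-to-disabled edit David describes as a stdin-to-stdout filter rather than touching the real file, and compares the configured mode with what the running kernel reports, flagging the selinux=0 kernel argument Gene found necessary, which overrides the file entirely. The sample config text is constructed; getenforce and /sys/fs/selinux/enforce are real interfaces but may be absent, in which case the runtime mode is reported as unknown. On Fedora, /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so both names in the thread refer to the same file.

```shell
#!/bin/sh
# Added example (not from the thread): compare the SELinux mode that
# /etc/selinux/config asks for with the mode the running kernel reports,
# and spot the selinux=0 kernel argument that overrides the file.

# Constructed sample of the config file the posters are editing.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
SELINUXTYPE=targeted'

# Print the SELINUX= value from config text on stdin. Only an uncommented
# assignment at the start of a line counts, so the comment line that a
# plain "grep SELINUX" also matches is ignored; SELINUXTYPE= does not match.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1
}

# The edit from the thread as a filter: rewrite the SELINUX= line of the
# config text on stdin to the mode given in $1 (validated first).
set_config_mode() {
    case $1 in
        enforcing|permissive|disabled) ;;
        *) echo "set_config_mode: bad mode '$1'" >&2; return 1 ;;
    esac
    sed "s/^[[:space:]]*SELINUX=.*/SELINUX=$1/"
}

# "yes" if the kernel command line in $1 carries selinux=0, which turns
# SELinux off at boot no matter what the config file says.
cmdline_disables_selinux() {
    case " $1 " in
        *" selinux=0 "*) echo yes ;;
        *)               echo no ;;
    esac
}

# Mode the running kernel reports: getenforce if present, else the
# selinuxfs enforce flag, else "unknown" (no SELinux loaded, or no access).
runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]'
    elif [ -r /sys/fs/selinux/enforce ]; then
        case "$(cat /sys/fs/selinux/enforce)" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Classify the situation. Args: configured mode, runtime mode, yes/no for
# selinux=0. Prints one token: kernel-disabled, unknown, consistent, mismatch.
effective_state() {
    cfg=$1; run=$2; kernel_off=$3
    if [ "$kernel_off" = yes ]; then
        echo kernel-disabled
    elif [ "$run" = unknown ]; then
        echo unknown
    elif [ "$cfg" = "$run" ]; then
        echo consistent
    else
        echo mismatch
    fi
}

# Full report against the live host (defaults) or against supplied files.
audit_selinux() {
    cfg_file=${1:-/etc/selinux/config}
    cmdline_file=${2:-/proc/cmdline}
    cfg=""; cmdline=""
    [ -r "$cfg_file" ] && cfg=$(configured_mode < "$cfg_file")
    [ -r "$cmdline_file" ] && cmdline=$(cat "$cmdline_file")
    kernel_off=$(cmdline_disables_selinux "$cmdline")
    run=$(runtime_mode)
    state=$(effective_state "${cfg:-unset}" "$run" "$kernel_off")
    echo "config=${cfg:-unset} runtime=$run selinux=0:$kernel_off -> $state"
    case $state in
        mismatch)        echo "note: a config-file change only takes effect after a reboot" ;;
        kernel-disabled) echo "note: the boot loader's selinux=0 overrides the config file" ;;
    esac
}

# Run stand-alone: audit this host.
audit_selinux "$@"
```

Running audit_selinux with no arguments inspects the live host. A "mismatch" result is the state the thread argues about from both sides: the file has been edited but the kernel is still running with the mode it booted with, so the file's contents and the machine's behaviour disagree until the next reboot; "kernel-disabled" means the grub argument, not the file, is in charge.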
On Fri, 2007-09-21 at 00:57 -0400, David Boles wrote:
on 9/21/2007 12:34 AM, Gene Heskett wrote:
On Thursday 20 September 2007, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
This way is, IMO, the crude way to do this. Turn SELinux off, if you choose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
Rahul, Stephen Smalley and I went round and round over this several months ago, and I frankly don't care what you put in whatever /etc/sysconfig file, and there have been at least 3 named here in the last 72 hours, if you really want to disable it AND use the machine for something other than a training exercise in writing selinux rules from scratch, and figuring out how to protect them from yum/smart update activities, you WILL use the "crude" way because its the only one that actually works.
With this file in effect:
[root@coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted
cups was denied access to my usb printer.
heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a usb-serial adaptor. It was also denied access to a regular serial port when the cm11a was hooked up to one of the 2 very precious serial ports on this box.
bulldog, the monitor for belkin ups's, was denied access to both the serial port and the usb port to talk to the ups.
There were probably more no-shows on this busy machine, but by then I was ready to switch distros to something that didn't cross-breed with selinux. Stephen suggested I try the grub command I've quoted here, and magically everything started working once I'd undone the configuration messes I'd made trying to make it work when it had been working very well for FC2.
So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should be all that's required. That information has already been through the bovine digestive tract once, and should be treated as such, chopped up, and spread on a cornfield and plowed back in cuz that is all it's good for.
Worse yet, it's being spewed by people who have an image of being authoritative about it when by my personal testing, it's an outright lie.
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
Wow Gene. I did not mean to set you off.
Well, Gene is not alone with his opinion. Though I do not agree with each and every detail he says, I have to concur with him to a large extent.
SELinux is designed to help *you*
Here you say it: SELinux is a promise. This does not mean it actually does what it promises, nor that it actually is a "good (tm)" approach, nor that the problem it tries to solve actually is a problem for the user.
RedHat and their employees say it was a terrific approach, they say it solves a very critical problem affecting everybody.
Well, it is an approach all other Linux vendors but RH have not adopted, despite the fact SELinux has been around for several years, and despite the fact RH has been aggressively promoting it.
And yes, it tries to solve a problem which could hit any user at anytime, but ... fact also is nobody but RH has SELinux, so nobody but those people having tried to use SELinux will miss it.
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve.
Hmm, ... I have been in such situations pretty often :/ [1]
It is work in progress and when you use older releases it can cause problems.
Right, SELinux seems to be gradually maturing and becoming more usable, but ... doesn't such a long time of "WIP" trigger some alarm bells for you?
To me it does. It justifies doubts on an approach's foundations and an approach's usability. Whether these doubts are justified, is a different question.
Ralf
[1] E.g. SELinux updates killing nfs or named. Not really nice when updating a machine from remote without physical access to it.
David Boles wrote:
Gene wrote
[snip]
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
Wow Gene. I did not mean to set you off. SELinux is designed to help *you* protect your Linux system from one of the major flaws in Windows: allowing unknown, bad executables to do strange things on your system without your permission or, at times, without your knowledge of it happening.
As has been mentioned, discussed, and beat to death here, there are people who think it is a BAD IDEA, and they are having it rammed (figuratively) onto them by the makers of the distros.
Of course, no one forces anyone to use Linux, right? I mean, it's not like anyone is being forced to incorporate the code or anything. That's MicroSoft's line, isn't it?
If you choose to turn this protection off that is most certainly your right. It is your system. If you don't feel that the protection is valuable then screw it.
Having the code on one's machine, "disabled" or no, is irrelevant to those, like me, and like the OP, who wish NOT TO INSTALL IT AT ALL.
IMO, it is a buggy pile of crap. And if I may be so bold as to speak for Gene, that is what "set him off". Having it on one's machine is demonstrably a cause of:
(1) frustration
(2) failing machines
(3) unnecessary making of "gurus" when we all want Linux easier for the non-technical user to administer
(4) bloat
(5) more opportunity for defects and exploits
But when that smiling hacker from somewhere finally decides that there are enough Linux users that think like Windows users he will write that program that will wipe out your milling program.
The only way to make systems robust is to make them simpler, not more complex.
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve. It is a work in progress and when you use older releases it can cause problems.
Bully for you.
Mike
Mike McCarty wrote:
IMO, it is a buggy pile of crap. And if I may be so bold as to speak for Gene, that is what "set him off". Having it on one's machine is demonstrably a cause of:
(1) frustration
(2) failing machines
(3) unnecessary making of "gurus" when we all want Linux easier for the non-technical user to administer
(4) bloat
(5) more opportunity for defects and exploits
This opinion would be a bit more reliable if you actually had even a minute of experience using SELinux but that's just my opinion.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
IMO, it is a buggy pile of crap. And if I may be so bold as to speak for Gene, that is what "set him off". Having it on one's machine is demonstrably a cause of:
(1) frustration
(2) failing machines
(3) unnecessary making of "gurus" when we all want Linux easier for the non-technical user to administer
(4) bloat
(5) more opportunity for defects and exploits
This opinion would be a bit more reliable if you actually had even a minute of experience using SELinux but that's just my opinion.
Ah, I see. My opinion doesn't count by means of some reasoning or other. The fact that I designed and built super reliable systems for 16 years in the telecomm industry counts not, eh?
Also, one couldn't make one's own actual count of how many problems have been reported here related to SELinux, could one? That mightn't make one's opinion worthwhile would it?
Nor would the stated opinions of those who HAVE used it be worth commenting on, would they? Like that of, say, Ralf Corsepius.
I also note that "your opinion" has never addressed my statements in regards to industry standards for estimation of number of defects per line of code.
EVERY LINE OF CODE is an opportunity for a defect. The only way to make systems robust is to make them simple. See C.A.R. Hoare's address. You know, another one of us whose opinions don't count. The inventor of the Quicker Sort Algorithm. He accepted the Turing award from the ACM in 1980, and in his address he criticized our systems for becoming ever more complex until there was no way for them to be defect free. He addressed PL/I and then Ada specifically as examples, but expounded so as to make it obvious what he meant.
Making systems larger and more complex makes them less secure, not more.
I recall when I read his speech in the CACM how happy I felt that finally someone was willing to speak the truth about how our systems were destined for failure if they continued on the current track. I have been dismayed ever since to see that very few people actually understand, agree with, or even know about his speech.
Mike
Ed Greshko wrote:
Mike McCarty wrote:
EVERY LINE OF CODE is an opportunity for a defect. The only way to make systems robust, is to make them simple.
So, the only secure line of code is the noop? :-)
I like that! If my .sig weren't already getting too big, I'd stick it in there!
I'm sure that I can't quote my favorite line from C.A.R.Hoare's address, but it went like this:
There are two ways to make a system: One can make it so simple that there obviously are no defects, or one can make it so complex that there are no obvious defects.
I have commented to engineers many times, that systems which have grown and grown over time start to groan, and it's not so much that they now work because all the defects are gone, as that the defects which remain are so obscure, and happen under such unusual circumstances, that they will never be eradicated, and the systems will simply continue to fail in mysterious ways that we'll never be able to fix.
Mike
On Fri, 2007-09-21 at 14:10 +0800, Ed Greshko wrote:
So, the only secure line of code is the noop? :-)
That's funny. But I might argue that a noop is the least secure instruction, because it can typically be easily replaced (with a jmp or call, for example) without affecting other code function.
Alan M. Evans wrote:
On Fri, 2007-09-21 at 14:10 +0800, Ed Greshko wrote:
So, the only secure line of code is the noop? :-)
That's funny. But I might argue that a noop is the least secure instruction, because it can typically be easily replaced (with a jmp or call, for example) without affecting other code function.
Usually[*], the NOP is the smallest instruction, so it may be used to nullify other instructions, all of which are made to be multiples of the size of a NOP. A jump type instruction needs at least an opcode and an address (even if only relative), so is usually larger than a NOP. On some machines, some short form of jump may be just one machine word (a couple of architectures come to mind, like the Z8000 for instance).
[*] I can't think of a counter example, and it wouldn't make sense for it to be otherwise.
Mike
On Fri, 2007-09-21 at 13:37 -0500, Mike McCarty wrote:
Usually[*], the NOP is the smallest instruction, so it may be used to nullify other instructions, all of which are made to be multiples of the size of a NOP. A jump type instruction needs at least an opcode and an address (even if only relative), so is usually larger than a NOP. On some machines, some short form of jump may be just one machine word (a couple of architectures come to mind, like the Z8000 for instance).
[*] I can't think of a counter example, and it wouldn't make sense for it to be otherwise.
The counter-example is a processor I used some time ago that included a short jump instruction that was one word in length. That is, the JMP instruction included the jump distance. I don't know if recent x86 has such a thing.
Alan M. Evans wrote:
On Fri, 2007-09-21 at 13:37 -0500, Mike McCarty wrote:
Usually[*], the NOP is the smallest instruction, so it may be used to nullify other instructions, all of which are made to be multiples of the size of a NOP. A jump type instruction needs at least an opcode and an address (even if only relative), so is usually larger than a NOP. On some machines, some short form of jump may be just one machine word (a couple of architectures come to mind, like the Z8000 for instance).
[*] I can't think of a counter example, and it wouldn't make sense for it to be otherwise.
The counter-example is a processor I used some time ago that included a short jump instruction that was one word in length. That is, the JMP instruction included the jump distance. I don't know if recent x86 has such a thing.
That is not a counter example. A counter example would be a machine on which the NOP[*] is larger than another instruction. That wouldn't make sense. I pointed out that I know of two architectures offhand which have a one-word-long short relative jump, and even mentioned the Z8000 as an example.
[*] I'm not referring to "effective NOP" like
jump-using-largest-possible-address-mode-to address-of-next-instruction
Mike
On Fri, 2007-09-21 at 01:05 -0500, Mike McCarty wrote:
EVERY LINE OF CODE is an opportunity for a defect. The only way to make systems robust, is to make them simple.
The problem with this argument is not that it's false. It's actually true if your problem is stated with such a limited domain. But it seems to me somewhat short sighted. Are systems with a firewall actually less secure because those without have, in fact, fewer lines of code?
Alan M. Evans wrote:
On Fri, 2007-09-21 at 01:05 -0500, Mike McCarty wrote:
EVERY LINE OF CODE is an opportunity for a defect. The only way to make systems robust, is to make them simple.
The problem with this argument is not that it's false. It's actually true if your problem is stated with such a limited domain. But it seems to me somewhat short sighted. Are systems with a firewall actually less secure because those without have, in fact, fewer lines of code?
You are comparing apples and oranges. Everything has advantages and disadvantages. My comment was made in the context of large systems, like multiuser OS. The only way to make large systems robust is to build them up from a decomposition into small simple systems each of which is so simple that it is obviously correct, and which has no back door connections to other pieces.
A little box which is a dedicated firewall, as I have, is a simple system, not part of my main machine, and which is separable from it. I have confidence that it has few defects. Should a serious one surface, it is easy to remove the firewall and replace it with another firewall. It is not entangled with my kernel. It does not invade my apps.
I have no such confidence in a method which invades all applications it touches, and invades the kernel.
Mike
On Fri, 21 Sep 2007, Mike McCarty wrote:
Of course, no one forces anyone to use Linux, right? I mean, it's not like anyone is being forced to incorporate the code or anything. That's MicroSoft's line, isn't it?
You mean no one's forcing you to use Fedora; there are other distros that, at least in server stakes, are as reliable and far far far far far far far less bloated, thereby less security risks. For servers try Slackware, support is at least 5 years. However for desktop stick with Fedora, because who cares, you shouldn't be running services on a desktop :)
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
IMO, it is a buggy pile of crap. And if I may be so bold as to speak for Gene, that is what "set him off". Having it on one's machine is demonstrably a cause of:
I respect your opinion, and hope you respect those of people like myself who disagree with you, and think SELinux is a good thing
(1) frustration
Haven't had such with SELinux in years.
(2) failing machines
I have never had a machine fail because of SELinux
(3) unnecessary making of "gurus" when we all want Linux easier for the non-technical user to administer
Considering SELinux doesn't require one to install their own rules, I don't see how one makes the case for this point. Nor does everyone share this goal of making everything easier for everyone.
(4) bloat
That's highly subjective I believe.
(5) more opportunity for defects and exploits
An undeniable consequence, but also a valid argument against firewalls, package management software, etc.
But when that smiling hacker from somewhere finally decides that there are enough Linux users that think like Windows users he will write that program that will wipe out your milling program.
The only way to make systems robust is to make them simpler, not more complex.
I don't think that is the only way, complexity may decrease robustness, but they are not mutually exclusive
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve. It is a work in progress and when you use older releases it can cause problems.
Bully for you.
Mike
Interesting response. What is the purpose of posting to the list if not to share opinions?
Arthur Pemberton wrote:
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
I respect your opinion, and hope you respect those of people like myself who disagree with you, and think SELinux is a good thing
I don't think I'm required to respect opinions. I hope to treat people with respect, until they have proven they don't deserve it.
(5) more opportunity for defects and exploits
An undeniable consequence, but also a valid argument against firewalls, package management software, etc.
I'm glad you admit this. Some here seem not to. It's a matter of perceived risk versus perceived benefit. In graduate school I took a course in decision theory. Simply build your probability model, assess costs, and assign a utility function. I have an external hardware firewall which has not once permitted an external attack to flow through. I do keep regular backups. If I ever suffer a successful attack, my machine will be restored to the most recent backup before the compromise. Then, on a selective basis, files from the post compromise state will be reintroduced.
My machine is connected to a LAN, which has exactly one other machine on it: the firewall machine. On the WAN side, the firewall has exactly one machine connected to it: my ADSL modem.
After a machine has been compromised, IMO it must be restored to a pre-compromise state. Trying to mitigate damage on a compromised machine is wrong-headed.
But when that smiling hacker from somewhere finally decides that there are enough Linux users that think like Windows users he will write that program that will wipe out your milling program.
The only way to make systems robust is to make them simpler, not more complex.
I don't think that is the only way, complexity may decrease robustness, but they are not mutually exclusive
Every line of code is a place for a defect to hide.
Please read C.A.R. Hoare's "The Emperor's New Clothes" some time.
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve. It is a work in progress and when you use older releases it can cause problems.
Bully for you.
Mike
Interesting response. What is the purpose of posting to the list if not to share opinions?
This list has several purposes. Some which come immediately to mind:
(1) sharing opinions about future directions of Linux, and RH in particular; hopefully being able to influence future paths
(2) requesting and receiving assistance from others when faced with challenges in machine behavior or ignorance of standard techniques
(3) sharing news and current events of interest to Linux users
"Bully for you" was intended exactly as written, and not as sarcasm.
Mike
Mike McCarty wrote:
After a machine has been compromised, IMO it must be restored to a pre-compromise state. Trying to mitigate damage on a compromised machine is wrong-headed.
Mike,
I agree that compromised systems should be "fixed" so they aren't compromised anymore. However, I don't agree that it is "wrong-headed" to attempt to mitigate the damage done to such a system. Things like fire doors that close automatically when a fire is detected mitigate the damage a fire can do to a building. Traction control and anti-lock brakes on vehicles attempt to keep the car from crashing once stability is compromised. The firewall that contains a car's engine compartment and the airbag that deploys if the vehicle crashes both attempt to mitigate the damage done to the driver if something goes wrong. Even white blood cells protect against pathogens that have breached the external defenses of our bodies in an attempt to mitigate damage to surrounding tissues.
None of the mechanisms I have just described work as expected 100% of the time but that is hardly reason to do away with any of them entirely. As I'm sure you're aware, any good security posture has "defense in depth" as part of its scheme because it is historically a bad idea to rely on a single mechanism for overall security. SELinux may not be the best solution out there but it does serve a very important purpose - it mitigates system damage in order to preserve as much of the remaining system as possible. I don't think anyone would argue that it makes sense to let someone who hacks a web server also get control of the credit card numbers stored in a database on the same machine. Likewise, with all due respect, it doesn't make sense to assert that trying to stop bad guys from doing all the damage they could is the wrong philosophy. That would be like watching your entire home burn down from a fire on the stove because you feel the fire extinguisher, something that would minimize the fire damage, is somehow philosophically wrong.
Tom
Tom Rivers wrote:
Mike McCarty wrote:
After a machine has been compromised, IMO it must be restored to a pre-compromise state. Trying to mitigate damage on a compromised machine is wrong-headed.
Mike,
I agree that compromised systems should be "fixed" so they aren't compromised anymore. However, I don't agree that it is "wrong-headed" to attempt to mitigate the damage done to such a system. Things like fire doors that close automatically when a fire is detected mitigate the damage a fire can do to a building. Traction control and anti-lock
I don't see the analogy. With a building, it makes sense to try to salvage a room and/or its content. In the case of a computer, it doesn't make much sense to do that. IOW, the building must be completely torn down and rebuilt. There is no point in trying to rescue some rooms from smoke damage.[*]
brakes on vehicles attempt to keep the car from crashing once stability is compromised. The firewall that contains a car's engine compartment
I believe that ABS attempts to prevent compromise of stability.
and the airbag that deploys if the vehicle crashes both attempt to mitigate the damage done to the driver if something goes wrong. Even
Again, one hopes to salvage some or all of the human being. I don't want to salvage a compromised system.
[snip]
None of the mechanisms I have just described work as expected 100% of the time but that is hardly reason to do away with any of them entirely. As I'm sure you're aware, any good security posture has
Of course not. The only truly secure machine is one which is physically secure. Anything else leaves the realm of security, and enters the realm of relative security, which is entirely different, and has cost/benefit considerations.
"defense in depth" as part of its scheme because it is historically a bad idea to rely on a single mechanism for overall security. SELinux may not be the best solution out there but it does serve a very important purpose - it mitigates system damage in order to preserve as much of the remaining system as possible. I don't think anyone would argue that it makes sense to let someone who hacks a web server also get control of the credit card numbers stored in a database on the same machine.
Again, inappropriate, for more than one reason.
(1) I don't run a web server. (2) Anyone who saves credit card info onto a web server and then gets compromised is at best negligent, and possibly criminally negligent. (3) Anyone who lives in the relative security realm, as do most of us at least some of the time (I do have absolutely secure machines), must assess the cost/benefit of each security measure he implements.
I have decided that SELinux is clearly on the cost outweighs benefit side of the ledger for me, and I don't want to install it on my machines. If you chose to do so, then fine. I don't care what you install and run on your machine. If you asked me for my advice, you probably know what I would say.
I think it is unfortunate that RH has made a decision not to support a version of their distro which does not incorporate SELinux into it.
I'm not trying to make anyone not use SELinux. I do wish RH would be more responsive to those who don't want it. Since they are not, I shall use other distros, I suppose. I'm not trying to convince you not to use RH products or their derivatives.
Likewise, with all due respect, it doesn't make sense to assert that trying to stop bad guys from doing all the damage they could is the wrong philosophy. That would be like watching your entire home burn down from a fire on the stove because you feel the fire extinguisher, something that would minimize the fire damage, is somehow philosophically wrong.
Wrong analogy, I think. You might feel differently if you installed an enormous machine drawing electricity from your house wiring, intended to operate a sprinkler system, and the additional load was the cause of the fire. SELinux has its own exploits.
[*] I'd be willing to look into such things as stored mail and other pure data files in the user areas, but even then, I keep regular backups. A compromise may not be discovered for some time. The system must be restored to a non-compromised state. Then, and only then, may one try to reintroduce user's data files and so on from the compromised backups. IMO, trying to mitigate damage is not the proper response. The proper response is to keep backups of important data. The system itself must not be reintroduced.
Mike
Mike McCarty wrote:
I don't see the analogy. With a building, it makes sense to try to salvage a room and/or its content. In the case of a computer, it doesn't make much sense to do that. IOW, the building must be completely torn down and rebuilt. There is no point in trying to rescue some rooms from smoke damage.[*]
OK, I see that you are looking at this from an all or nothing approach. I would argue that it isn't always the right decision to throw the baby out with the bath water, even with a computer system. Just because one part of a thing is broken doesn't mean that the whole thing must be trashed. If that philosophy made sense, doctors wouldn't heal people, they'd just shoot them and move on to the next patient.
Here's something to consider. If you know a machine is compromised, you either know what did it or you don't. If you know the cause, which will certainly help you avoid the errors which led to the system being compromised in the future, then you simply need to clean up the mess. This means that you don't have to trash the whole system to get the job done which saves time, money, and sanity. If, on the other hand, you don't know what caused the system to become compromised, then restoring the system back to a stable state is a problematic endeavor because you haven't fixed what is broken; it is only a matter of time before the same thing happens again. From listening to what you have said on this topic on previous occasions, I have the impression that security is a serious concern of yours. To blindly restore the system without addressing the root cause is a recipe for disaster as I'm sure you would agree.
What this means is one needs to understand both the attack vector as well as what damage the intrusion has done. If you fail to completely understand both of these things, you will simply fail again. In fact, if you don't really know what damage has been done and how, you not only can't trust the installation media, but you also can't trust any of the backups of system files or even user created data either because there is no way for you to be sure!
I believe that ABS attempts to prevent compromise of stability.
Actually ABS kicks in a split second after the wheels lock up, after stability has already been lost. It releases the calipers to allow the wheel to spin freely for another split second, and then attempts to re-engage.
The only truly secure machine is one which is physically secure. Anything else leaves the realm of security, and enters the realm of relative security, which is entirely different, and has cost/benefit considerations.
Technically speaking, a "physically secure" system isn't secure any more than an "electronically secure" system is. In both cases the assertion is made that good defenses are in place, but I think you'll be hard pressed to find any security professional on the planet who will give a 100% guarantee even if the system is under lock and key and off the Internet entirely. That's because someone can always break a window, pick a lock, or hold your loved ones at gunpoint to gain access.
Again, inappropriate, for more than one reason.
(1) I don't run a web server.
That's fine, however I bet you have some kind of remote access to your system. If not, then you certainly have decided to take a hard-line stance on computer security. That wouldn't work for a lot of people, but if that's the way you want to operate then that's certainly a more secure approach. If you do have remote access to your system, there is always the possibility that the program listening on that open port can be compromised using the same line of reasoning you employed to identify SELinux as being potentially vulnerable.
(2) Anyone who saves credit card info onto a web server and then gets compromised is at best negligent, and possibly criminally negligent.
I'm sure you've heard of zero-day vulnerabilities. They make it really difficult to guard against the unknown and I believe there are statistics that indicate attacks of this nature are on the rise. I'm not sure you can logically claim someone is negligent if they fail to predict the nature and date of future attacks. Still, you're right that people have to be careful. That's precisely why SELinux is such a good choice. It seeks to eliminate the avenues of interaction between programs and the OS, thus limiting the options a hacked program has with respect to doing further damage to the system. I would even go so far as to argue that if one has the option to use SELinux and doesn't, that the individual in question could be considered negligent, possibly criminally so. Wouldn't you want the on-line entities with which you do business to take every possible precaution with your personal data? If so, then SELinux certainly falls into that category.
(3) Anyone who lives in the relative security realm, as do most of us at least some of the time (I do have absolutely secure machines), must assess the cost/benefit of each security measure he implements.
I agree completely.
Wrong analogy, I think. You might feel differently if you installed an enormous machine drawing electricity from your house wiring, intended to operate a sprinkler system, and the additional load was the cause of the fire. SELinux has its own exploits.
Well, I think your analogy fails because the person implementing the system should take the power consumption it requires into consideration. Also, your analogy points to the power consumption being the cause of the problems and that doesn't track with SELinux because it is what's working to prevent problems.
I have been running SELinux for some time and have yet to see a performance problem that can be measured. It may exist, however I haven't seen anyone who has any metrics on the drain SELinux has on a system. If you have such information, I would greatly appreciate a link. I would also appreciate some links to information regarding the SELinux exploits you mention because I haven't heard of any.
IMO, trying to mitigate damage is not the proper response. The proper response is to keep backups of important data. The system itself must not be reintroduced.
As I said earlier, unless you know what caused the system to become compromised, you simply cannot expect to be more secure by restoring any data at all. If you restore that important data, you will never know if it carries a deadly payload, the kind that was never identified when the decision to scrap the system was made. If you do know what caused it, then you can not only be more secure in the future by protecting against the threat, but you can also save a significant amount of down-time and aggravation reloading everything from scratch.
Blindly scrapping a system and reloading possibly tainted data as a result is quite frankly an act of ignorant desperation. Sure you can go back to a time when you didn't see a vulnerability, however that's exactly the point - nobody saw it coming in the first place or it wouldn't have happened at all! Only by knowing the threat and the damage it has done can anyone be reasonably assured of being in a more secure position after the dust has settled. As Sun Tzu said, "Know thy enemy and know thyself and you need not fear the result of 1000 battles." ;)
Tom
Tom Rivers wrote:
Mike McCarty wrote:
[snip]
OK, I see that you are looking at this from an all or nothing approach. I would argue that it isn't always the right decision to throw the baby out with the bath water, even with a computer system. Just because one
Argue away.
Here's something to consider. If you know a machine is compromised, you
Considered.
[snip]
I believe that ABS attempts to prevent compromise of stability.
Actually ABS kicks in a split second after the wheels lock up, after
I know how they work.
[snip]
The only truly secure machine is one which is physically secure. Anything else leaves the realm of security, and enters the realm of relative security, which is entirely different, and has cost/benefit considerations.
Technically speaking, a "physically secure" system isn't secure any more than an "electronically secure" system is. In both cases the assertion is made that good defenses are in place, but I think you'll be hard pressed to find any security professional on the planet who will give a 100% guarantee even if the system is under lock and key and off the Internet entirely. That's because someone can always break a window, pick a lock, or hold your loved ones at gunpoint to gain access.
Then you don't understand the meaning of the word "physical security". What you describe is not a physically secure system.
[snip]
(3) Anyone who lives in the relative security realm, as do most of us at least some of the time (I do have absolutely secure machines), must assess the cost/benefit of each security measure he implements.
I agree completely.
Wrong analogy, I think. You might feel differently if you installed an enormous machine drawing electricity from your house wiring, intended to operate a sprinkler system, and the additional load was the cause of the fire. SELinux has its own exploits.
Well, I think your analogy fails because the person implementing the system should take the power consumption it requires into consideration. Also, your analogy points to the power consumption being the cause of the problems and that doesn't track with SELinux because it is what's working to prevent problems.
SELinux has been known to reveal unencrypted root passwords to non-privileged processes. At least one instance is known where this happened, and would not have happened had SELinux not been installed.
I have been running SELinux for some time and have yet to see a performance problem that can be measured. It may exist, however I haven't seen anyone who has any metrics on the drain SELinux has on a system. If you have such information, I would greatly appreciate a link. I would also appreciate some links to information regarding the SELinux exploits you mention because I haven't heard of any.
Google is your friend. I found quite a few mentioned over at nsa.gov.
IMO, trying to mitigate damage is not the proper response. The proper response is to keep backups of important data. The system itself must not be reintroduced.
As I said earlier, unless you know what caused the system to become compromised, you simply cannot expect to be more secure by restoring any data at all. If you restore that important data, you will never know if
Where did I state that as a goal? If I were not already satisfied with my level of security, I might consider using SELinux more. As it is, I'm pretty sure any compromise will be a result of browsing or mail. As such, hopefully the improvement will come to the tool, the exploit will be plugged, and that will end it.
it carries a deadly payload, the kind that was never identified when the
Eh? My text files, PDFs, and so on are deadly payload? I know where they are, and I routinely check for "unusual permissions", like execute, on such kinds of files.
decision to scrap the system was made. If you do know what caused it, then you can not only be more secure in the future by protecting against the threat, but you can also save a significant amount of down-time and aggravation reloading everything from scratch.
If my system were going down continually, then I would pull the internet plug.
Blindly scrapping a system and reloading possibly tainted data as a result is quite frankly an act of ignorant desperation. Sure you can go
You use pejorative language, but not an argument. One has to reload in any case. One does not "blindly reload".
Mike
On Fri, 2007-09-21 at 10:40 -0500, Mike McCarty wrote:
After a machine has been compromised, IMO it must be restored to a pre-compromise state. Trying to mitigate damage on a compromised machine is wrong-headed.
While that is *also* true (trying to mitigate damage), that's not the only purpose of SELinux. You've grabbed hold of one end of a multi-pronged stick, and you won't see the bigger picture. This is why you're getting a drubbing over the matter.
SELinux is no more *just* for mitigating compromised machines than a firewall is. It's another part of the armor protecting against that happening in the first place.
You may well not have a "compromised" machine, but one that has a defect that may be exploitable. SELinux is another part of the protective process, just like other protective software. Some use them to try and prop up their broken systems, others use them to help prevent their system being compromised in the first place.
Tim wrote:
[snip]
You may well not have a "compromised" machine, but one that has a defect that may be exploitable. SELinux is another part of the protective process, just like other protective software. Some use them to try and prop up their broken systems, others use them to help prevent their system being compromised in the first place.
I am aware of what SELinux is, and how it is intended to work. I spent several hours perusing the NSA website on what its goals are, and how it is intended to achieve them.
It's not clear to me why you seem to think that I don't know what SELinux is.
Mike
On 9/24/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Tim wrote:
[snip]
You may well not have a "compromised" machine, but one that has a defect that may be exploitable. SELinux is another part of the protective process, just like other protective software. Some use them to try and prop up their broken systems, others use them to help prevent their system being compromised in the first place.
I am aware of what SELinux is, and how it is intended to work. I spent several hours perusing the NSA website on what its goals are, and how it is intended to achieve them.
It's not clear to me why you seem to think that I don't know what SELinux is.
There are quite a few people on this thread posting unfounded attacks against SELinux whose contents lead those who are in the know to believe that these individuals have no understanding of what SELinux is, or how it behaves. At this point, it's likely that you may have just been mistaken for one of them.
As an aside, use of SELinux is far less complicated than this thread would have you believe - more importantly, disabling it is trivial if you do not need its protection.
On Mon, 2007-09-24 at 16:24 -0500, Arthur Pemberton wrote:
On 9/24/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
It's not clear to me why you seem to think that I don't know what SELinux is.
There are quite a few people on this thread posting unfounded attacks against SELinux whose contents lead those who are in the know to believe that these individuals have no understanding of what SELinux is, or how it behaves. At this point, it's likely that you may have just been mistaken for one of them.
I doubt it, since Mike McCarty is the guy who thinks that SELinux is just like MSDOS Flu-shot+ and also thinks that applications have to be written with SELinux in mind for SELinux to work.
Alan M. Evans wrote:
On Mon, 2007-09-24 at 16:24 -0500, Arthur Pemberton wrote:
On 9/24/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
It's not clear to me why you seem to think that I don't know what SELinux is.
There are quite a few people on this thread posting unfounded attacks against SELinux whose contents lead those who are in the know to believe that these individuals have no understanding of what SELinux is, or how it behaves. At this point, it's likely that you may have just been mistaken for one of them.
I doubt it, since Mike McCarty is the guy who thinks that SELinux is just like MSDOS Flu-shot+ and also thinks that applications have to be written with SELinux in mind for SELinux to work.
Apparently, you don't understand what I wrote at all.
The apps I have in mind are ls, find, mv, cp, ssh, etc. I nowhere stated that SELinux "is just like MSDOS Flu-shot+". I do note that the mechanics of them have some similarities.
Mike
Alan M. Evans wrote:
I doubt it, since Mike McCarty is the guy who thinks that SELinux is just like MSDOS Flu-shot+ and also thinks that applications have to be written with SELinux in mind for SELinux to work.
I had a vague feeling, and went and checked. I was right. You have quoted a few people out of context before in this thread. This is not an isolated instance.
Mike
Arthur Pemberton wrote:
[snip]
As an aside, use of SELinux is far less complicated than this thread would have you believe - more importantly, disabling it is trivial if you do not need its protection.
The complexity of setting it up should diminish with time, I'd think, as the default setup gets closer to what most need, and smarter tools are written to manage it.
My disinclination to have SELinux on my machine is not based on that.
Mike
On Friday 21 September 2007, David Boles wrote:
on 9/21/2007 12:34 AM, Gene Heskett wrote:
On Thursday 20 September 2007, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
This way is, IMO, the crude way to do this. Turn SELinux off, if you choose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
Rahul, Stephen Smalley and I went round and round over this several months ago, and I frankly don't care what you put in whatever /etc/sysconfig file, and there have been at least 3 named here in the last 72 hours, if you really want to disable it AND use the machine for something other than a training exercise in writing selinux rules from scratch, and figuring out how to protect them from yum/smart update activities, you WILL use the "crude" way because it's the only one that actually works.
With this file in effect:
[root@coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted
cups was denied access to my usb printer.
heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a usb-serial adaptor. It was also denied access to a regular serial port when the cm11a was hooked up to one of the 2 very precious serial ports on this box.
bulldog, the monitor for belkin ups's, was denied access to both the serial port and the usb port to talk to the ups.
There were probably more noshows on this busy machine, but by then I was ready to switch distros to something that didn't cross-breed with selinux. Steven suggested I try the grub command I've quoted here, and magically everything started working once I'd undone the configuration messes I'd made trying to make it work when it had been working very well for FC2.
So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should be all that's required. That information has already been through the bovine digestive tract once, and should be treated as such, chopped up, and spread on a cornfield and plowed back in cuz that is all it's good for.
Worse yet, it's being spewed by people who have an image of being authoritative about it when by my personal testing, it's an outright lie.
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
Wow Gene. I did not mean to set you off. SELinux is designed to help *you* protect your Linux system from one of the major flaws in Windows.
And that flaw is (other than BG and his lawyers need to make a living)?
Allowing unknown, bad executables to do strange things on your system without your permission or, at times, without your knowledge of it happening.
Cups isn't exactly something I'd call unknown, but just because it can't guess the fine points of driving an old C82 properly without my help in the configuration files makes it a bad-ass?
If I didn't want heyu running the exterior lights & logging some of the odd activities its sensors might record, would I have installed it?
If you choose to turn this protection off that is most certainly your right. It is your system. If you don't feel that the protection is valuable then screw it.
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans. I know enough about such things to know that someday, somebody will read the RFC's and figure out a way around it. To have to put up with that bit of paranoia harassing me every time the clock ticks until that time is asking too much of any user. I built this box, and the 6 or 7 before it, to use, to do useful things, and I want it to do useful things, which it cannot even begin to do with selinux enabled in any capacity.
But when that smiling hacker from somewhere finally decides that there are enough Linux users that think like Windows users he will write that program that will wipe out your milling program.
He'll have to get through that firewall for starters, then figure out which machine the milling program is running on. But there are far more tasty targets here than a copy of emc-2.1.7 that I can download and re-install in 15 minutes as long as the network is up. Me and one of my kids who thinks he is a windows expert spent the better part of 2 hours on the phone one night a few months ago, each using the other's actual ip address, and trying to figure out a way into the other's box. But first, you have to prove there is actually a box at that address, right? He had the latest satan and something I never heard of and I had nmap, ping in both protocols and traceroute in both protocols, and neither of us could even get a response from the identd daemon, so effectively (and we tried 100% of the port range up to 65535) there was no computer to be attacked at that ip address, for either of us. I had to admit he had that XP box locked up quite nicely. And all that time, email was flowing at both ends of that 1200 mile circuit at full speed.
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve. It is work in progress and when you use older releases it can cause problems.
There should be, in the man-pages, a direct translation of the logged error to a command that would fix it. There is not for 90% of the cases, and I rest my case.
Having come "hat in hand" with 20k of logfiles, and be told in no uncertain terms to take my problems to the selinux list sucks. If redhat/fedora doesn't want to either write some docs that make sense, or support the crap they put in the distribution, then it gets its lifeline cut. It really is that simple.
Oh, and in case anyone is interested, FC6 is not what I'd call "older" just yet, it still has some support although that seems to be drying up as F8 approaches. Older is me, I'll be 73 in 2 weeks. The unfunny part is that the person whom I gave my red Chiefs chair to at the tv station 5 years ago, and now 50 years old, is lying in the shop right now waiting for a catheterization session that will probably install some stents tomorrow.
Have a good day.
I did actually. I'm learning how to do cabinet joinery with hand cut mortise and tenons, building me a gun cabinet for the room I just got done remodeling. I'm getting better as I go, but it still works up a sweat when doing it by hand with an antique wooden hammer and some Marples (rebranded Record) chisels. That will keep me out of the bars for at least a couple months by the time I get ready to put a 2 wheeler under it and take it to the house. Ash frame parts, solid cherry paneling. And I know where the trees that supplied the wood once stood. There's a certain cachet to that which you'll never get dropping the card for something like that.
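The disagreement above is really about three separate places where the mode gets set: the config file David quotes (on Fedora, /etc/sysconfig/selinux is a symlink to /etc/selinux/config, so the two names are one file), the grub option selinux=0 that Gene says is the only thing that works, and what the running kernel reports. The following Python check is an added example, not code from the thread or from Fedora. It resolves the three the way boot does: selinux=0 on the kernel command line keeps the kernel from enabling SELinux before the config file is ever read, enforcing=0 or enforcing=1 overrides the SELINUX= line when the policy is loaded, and a SELINUX=disabled edit only takes effect at the next boot, so getenforce is the only source that says what the kernel is doing right now. The config text and command line inside the block are constructed samples matching the file quoted in the thread; on a real box the script reads /etc/selinux/config and /proc/cmdline instead.

```python
"""Resolve the SELinux mode a Fedora box actually runs in (added example)."""
import os
import shutil
import subprocess
from typing import Dict, Optional

# Constructed sample, mirroring the config file quoted in the thread.
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#     targeted - Only targeted network daemons are protected.
#     strict - Full SELinux protection.
SELINUXTYPE=targeted
"""

# Constructed kernel command line carrying the grub option from the thread.
SAMPLE_CMDLINE = "ro root=LABEL=/ rhgb quiet selinux=0"


def parse_selinux_config(text: str) -> Dict[str, str]:
    """Return KEY=value pairs from an /etc/selinux/config style file."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def kernel_cmdline_override(cmdline: str) -> Optional[str]:
    """Mode forced by boot parameters, or None when the config file decides.

    selinux=0 stops the kernel from enabling SELinux at all, so the config
    file never matters; enforcing=0 / enforcing=1 is honoured when the
    policy is loaded at boot and overrides the SELINUX= line.
    """
    params: Dict[str, str] = {}
    for token in cmdline.split():
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
    if params.get("selinux") == "0":
        return "disabled"
    if "enforcing" in params:
        return "enforcing" if params["enforcing"] == "1" else "permissive"
    return None


def effective_mode(config_text: str, cmdline: str) -> str:
    """Combine config file and boot parameters the way boot does."""
    override = kernel_cmdline_override(cmdline)
    if override is not None:
        return override
    return parse_selinux_config(config_text).get("SELINUX", "unset").lower()


def live_mode() -> Optional[str]:
    """Ask the running kernel via getenforce; None if the tool is absent."""
    if shutil.which("getenforce") is None:
        return None
    result = subprocess.run(["getenforce"], capture_output=True, text=True)
    return result.stdout.strip().lower() or None


def report(config_text: str, cmdline: str, live: Optional[str]) -> str:
    """One-line verdict; flags a config file that disagrees with the kernel."""
    configured = parse_selinux_config(config_text).get("SELINUX", "unset")
    expected = effective_mode(config_text, cmdline)
    line = f"config={configured} boot={expected}"
    if live is not None:
        line += f" live={live}"
        if live != expected:
            line += "  MISMATCH: not rebooted since the edit, or setenforce was run"
    return line


def main() -> None:
    # Use the real files when they exist, otherwise fall back to the samples.
    cfg_path, cmd_path = "/etc/selinux/config", "/proc/cmdline"
    config = open(cfg_path).read() if os.path.exists(cfg_path) else SAMPLE_CONFIG
    cmdline = open(cmd_path).read() if os.path.exists(cmd_path) else SAMPLE_CMDLINE
    print(report(config, cmdline, live_mode()))


if __name__ == "__main__":
    main()
```

When the report shows config=disabled but live=enforcing, the file has been edited but the machine has not been rebooted since, which is the first thing to check before blaming the file. A config file with no SELINUX= line is reported as "unset" rather than guessed.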
Gene Heskett wrote:
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans.
I'm not sure why you are comparing the functions of SELinux with the functions of a firewall. It would be nice to hear your interpretation of the issues that SELinux targets vs. what a Firewall targets. If you think they serve the same functions it would be nice if you would cite your source.
Ed Greshko wrote:
Gene Heskett wrote:
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans.
I'm not sure why you are comparing the functions of SELinux with the functions of a firewall. It would be nice to hear your interpretation of the issues that SELinux targets vs. what a Firewall targets. If you think they serve the same functions it would be nice if you would cite your source.
Umm, I think they have very little in common, myself, except in some sort of vague overall "enhanced security" sense.
The firewall intends to prevent compromise. SELinux intends to mitigate damage on a compromised machine.
Note that I speak of intent, not what is accomplished.
Mike
On Fri, 2007-09-21 at 01:48 -0500, Mike McCarty wrote:
The firewall intends to prevent compromise. SELinux intends to mitigate damage on a compromised machine.
I think a better description would be that SELinux intends to keep a compromised application from becoming a compromised system.
Alan M. Evans wrote:
On Fri, 2007-09-21 at 01:48 -0500, Mike McCarty wrote:
The firewall intends to prevent compromise. SELinux intends to mitigate damage on a compromised machine.
I think a better description would be that SELinux intends to keep a compromised application from becoming a compromised system.
One of the technical terms for that is Fault Isolation. I've designed some Fault Isolation systems, myself.
Mike
On Friday 21 September 2007, Ed Greshko wrote:
Gene Heskett wrote:
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans.
I'm not sure why you are comparing the functions of SELinux with the functions of a firewall. It would be nice to hear your interpretation of the issues that SELinux targets vs. what a Firewall targets. If you think they serve the same functions it would be nice if you would cite your source.
Several people have referred to 'that hacker' getting into the system, which is how I at least made the connection to a firewall. And to me, the firewall function of standing guard between my stuff and the rest of the planet is at least 10,000 times more important than silently, no log was generated, blocking off any and all access to the hardware data ports (usb and serial) even when that file says SELINUX=disabled.
In truth, and from the clues this old troubleshooter has detected, the only thing disabled by the above line is the logging, selinux is still standing behind the user, with a baseball bat hitting you in the back of the knee joints but using a pillow to muffle the noise. But that will be denied vociferously by those whose purpose it is to see to it that we run with it enabled. If you don't believe that, just watch this space...
Questions that need answered _here_, where the whole list will read them are:
Why do the supposed selinux functions, if 10,000% less important than a firewall (my personal estimation anyway) seem to take 10,000 times more maintenance than the far more important firewall?
And why is it that any "refutation of my claims messages" all have little or nothing to say except point the reader to other net locations where the propaganda to be read was written by someone WITH an agenda.
And why is it that, if an error is logged, it can't be grepped for in the man-pages and the correct command line option to fix it be found?
I suppose the theory there is not to make it too simple for the hacker to fix, but if the hacker has gotten to that point, I'll submit that you already have a hell of a lot bigger problem than selinux is ever going to fix.
Rant/Observation:
It's a 'solution' looking for a 'problem' and if it can't find a problem, it will make 10 problems just for spite.
Why do the supposed selinux functions, if 10,000% less important than a firewall (my personal estimation anyway) seem to take 10,000 times more maintenance than the far more important firewall?
They solve a harder problem. And actually when we first turned on firewalling by default a similar thing occurred until howtos and the like to tweak it appeared
It's solving a very different problem. Firewalls stop attacks against the host from outside inwards. Modern attacks are all based on things like web page flaws, and user stupidity because both of those bypass firewalls.
Since the bad guys can't get in via services they wait for you to come to them and try and break through your web browser, or they mail you and try to break your mail client or have you do dumb things like save a PDF file then read it with acroread without forcing safe mode.
SELinux helps contain these types of attack. It's one of about five differing things going on - all of which broke something on the way - NX broke miswritten apps, non-exec elsewhere broke stuff, and so on.
Alan
Gene Heskett wrote:
Questions that need answered _here_, where the whole list will read them are:
Why do the supposed selinux functions, if 10,000% less important than a firewall (my personal estimation anyway) seem to take 10,000 times more maintenance than the far more important firewall?
Hi Gene,
I'm no SELinux expert, but I think you may be wide of the mark with how you have phrased this question. Firewalls and SELinux perform two different functions. Take a typical web server for example. The firewall will need to be changed to allow port 80 traffic through at a minimum. In the case of an attacker who targets that web server, the firewall isn't going to do anything because the door has already been left wide open. SELinux, however, will help prevent a hacked web server process from doing additional damage by limiting what it is allowed to do with the rest of the system. What I'm trying to say is that I think you are comparing apples to oranges.
With respect to your point that firewalls are easier to configure than SELinux, I agree. However, it makes sense that this is the case. Firewalls are merely gatekeepers. Telling them to admit, restrict, or deny traffic isn't really that complex. SELinux, on the other hand, deals with the entire OS and the many ways in which programs can interact with it. In comparison, firewalls deal with a small subset of the number of entities SELinux does.
Could SELinux be easier to configure and manage? I hope so because I have had my fair share of issues with it. Is it understandable that trying to consolidate every way in which every program can deal with every resource on a computer system is a difficult task? I think so. :)
Tom
Tom Rivers wrote:
Gene Heskett wrote:
Questions that need answered _here_, where the whole list will read them are:
Why do the supposed selinux functions, if 10,000% less important than a firewall (my personal estimation anyway) seem to take 10,000 times more maintenance than the far more important firewall?
Hi Gene,
I'm no SELinux expert, but I think you may be wide of the mark with how you have phrased this question. Firewalls and SELinux perform two different functions. Take a typical web server for example. The firewall will need to be changed to allow port 80 traffic through at a minimum. In the case of an attacker who targets that web server, the firewall isn't going to do anything because the door has already been left wide open. SELinux, however, will help prevent a hacked web server process from doing additional damage by limiting what it is allowed to do with the rest of the system. What I'm trying to say is that I think you are comparing apples to oranges.
With respect to your point that firewalls are easier to configure than SELinux, I agree. However, it makes sense that this is the case. Firewalls are merely gatekeepers. Telling them to admit, restrict, or deny traffic isn't really that complex. SELinux, on the other hand, deals with the entire OS and the many ways in which programs can interact with it. In comparison, firewalls deal with a small subset of the number of entities SELinux does.
Could SELinux be easier to configure and manage? I hope so because I have had my fair share of issues with it. Is it understandable that trying to consolidate every way in which every program can deal with every resource on a computer system is a difficult task? I think so. :)
Tom
Nicely put.
I would put it another way.
A firewall is the fence and locks on your doors and windows. The alarm system is the alerts you get when someone tries to get in.
SELinux is the two pit bull and rottweiler guard dogs that stop the person that does get into your house. Once in they are not going to be able to do much damage.
I am no expert either and I admit that I like the new troubleshooter.
On 9/21/07, Gene Heskett gene.heskett@verizon.net wrote:
On Friday 21 September 2007, Ed Greshko wrote:
Gene Heskett wrote:
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans.
I'm not sure why you are comparing the functions of SELinux with the functions of a firewall. It would be nice to hear your interpretation of the issues that SELinux targets vs. what a Firewall targets. If you think they serve the same functions it would be nice if you would cite your source.
Several people have referred to 'that hacker' getting into the system, which is how I at least made the connection to a firewall.
So your firewalls are capable of protecting against 'that hacker' who _is_ on your box, i.e. has gotten past your firewall somehow - getting past a firewall is by no means an impossible task
And to me, the firewall function of standing guard between my stuff and the rest of the planet is at least 10,000 times more important than silently, no log was generated, blocking off any and all access to the hardware data ports (usb and serial) even when that file says SELINUX=disabled.
So umm, why do you think it was SELinux causing the problem?
In truth, and from the clues this old troubleshooter has detected, the only thing disabled by the above line is the logging, selinux is still standing behind the user, with a baseball bat hitting you in the back of the knee joints but using a pillow to muffle the noise. But that will be denied vociferously by those whose purpose it is to see to it that we run with it enabled. If you don't believe that, just watch this space...
I have several machines with SELinux disabled, and I see no messages from it.
Questions that need answered _here_, where the whole list will read them are:
You make it sound like there is some attempted coverup going on
Why do the supposed selinux functions, if 10,000% less important than a firewall (my personal estimation anyway) seem to take 10,000 times more maintenance than the far more important firewall?
Well besides the obvious possibility that your personal estimation is wrong, there is the fact that they provide very different functionality. Here's a bad metric, but one I think is still somewhat useful. The SELinux howto/tutorial is at least 50% the size of that Iptables howto, while providing all the necessary information
And why is it that any "refutation of my claims messages" all have little or nothing to say except point the reader to other net locations where the propaganda to be read was written by someone WITH an agenda.
I haven't noticed any specific claims. Please provide a list that we can go through, and/or join the fedora-selinux list. Please, it doesn't seem rational to be throwing around the word propaganda just yet.
And why is it that an error, if logged, can't be grepped for in the man-pages and the correct command line option to fix it found?
There is a tool that gives you the exact command you need to fix an SElinux error, much simpler than grepping I believe.
I suppose the theory there is not to make it too simple for the hacker to fix, but if the hacker has gotten to that point, I'll submit that you already have a hell of a lot bigger problem than selinux is ever going to fix.
That is not the theory as far as I know. With SELinux present, said hacker would likely not get far enough to disable SELinux. They didn't in my case.
Rant/Observation:
It's a 'solution' looking for a 'problem' and if it can't find a problem, it will make 10 problems just for spite.
It solves problems for me, if you do not share this, that is understandable. But it does in fact solve problems.
Arthur Pemberton wrote:
On 9/21/07, Gene Heskett gene.heskett@verizon.net wrote:
On Friday 21 September 2007, Ed Greshko wrote:
Gene Heskett wrote:
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans.
I'm not sure why you are comparing the functions of SELinux with the functions of a firewall. It would be nice to hear your interpretation of the issues that SELinux targets v.s. what a Firewall targets. If you think they serve the same functions it would be nice if you would cite your source.
Several people have referred to 'that hacker' getting into the system, which is how I at least made the connection to a firewall.
So your firewalls are capable of protecting against 'that hacker' who _is_ on your box, i.e. has gotten past your firewall somehow - getting past a firewall is by no means an impossible task
No. But my backups are the appropriate response to a compromised system, not SELinux.
[snip]
I have several machines with SELinux disabled, and I see no messages from it.
Then you believe that at least in some circumstances SELinux has a greater cost than it does a benefit. We agree on that. How about allowing those who find themselves in that circumstance the latitude of not loading and running SELinux at all?
[snip]
It's a 'solution' looking for a 'problem' and if it can't find a problem, it will make 10 problems just for spite.
It solves problems for me, if you do not share this, that is understandable. But it does in fact solve problems.
Though I didn't see you list one problem SELinux solved for you, I'm not going to argue your personal assessment that the perceived cost of SELinux to you (on some of your machines) outweighs the perceived benefit (or rather the utility functions associated with the perceived costs, when weighed by the probabilities you assigned to your outcome space), since that is a personal matter.
What I don't like is RH thinking it knows better than I do what I need in the way of security software.
Mike
On 9/21/07, Mike McCarty Mike.McCarty@sbcglobal.net wrote:
Arthur Pemberton wrote:
On 9/21/07, Gene Heskett gene.heskett@verizon.net wrote:
On Friday 21 September 2007, Ed Greshko wrote:
Gene Heskett wrote:
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans.
I'm not sure why you are comparing the functions of SELinux with the functions of a firewall. It would be nice to hear your interpretation of the issues that SELinux targets v.s. what a Firewall targets. If you think they serve the same functions it would be nice if you would cite your source.
Several people have referred to 'that hacker' getting into the system, which is how I at least made the connection to a firewall.
So your firewalls are capable of protecting against 'that hacker' who _is_ on your box, i.e. has gotten past your firewall somehow - getting past a firewall is by no means an impossible task
No. But my backups are the appropriate response to a compromised system, not SELinux.
So you're still missing the point that SELinux can prevent the system from being compromised.
I have several machines with SELinux disabled, and I see no messages from it.
Then you believe that at least in some circumstances SELinux has a greater cost than it does a benefit. We agree on that. How about allowing those who find themselves in that circumstance the latitude of not loading and running SELinux at all?
So disable it. Is that so hard? If you disable, it doesn't run.
It's a 'solution' looking for a 'problem' and if it can't find a problem, it will make 10 problems just for spite.
It solves problems for me, if you do not share this, that is understandable. But it does in fact solve problems.
Though I didn't see you list one problem SELinux solved for you, I'm not going to argue your personal assessment that the perceived cost of SELinux to you (on some of your machines) outweighs the perceived benefit (or rather the utility functions associated with the perceived costs, when weighed by the probabilities you assigned to your outcome space), since that is a personal matter.
Well I didn't intend on playing story telling time. But SELinux has prevented me from being rooted at least once.
What I don't like is RH thinking it knows better than I do what I need in the way of security software.
If they thought they knew better, they wouldn't make it possible to disable it.
Arthur Pemberton wrote:
So you're still missing the point that SELinux can prevent the system from being compromised.
One does not miss a premise which one has considered and rejected.
What I don't like is RH thinking it knows better than I do what I need in the way of security software.
If they thought they knew better, they wouldn't make it possible to disable it.
If they thought I knew better, they'd provide a way for me not to load it.
Mike
on 9/21/2007 2:13 AM, Gene Heskett wrote:
On Friday 21 September 2007, David Boles wrote:
on 9/21/2007 12:34 AM, Gene Heskett wrote:
Wow Gene. I did not mean to set you off. SELinux is designed to help *you* protect your Linux system from one of the major flaws in Windows.
And that flaw is (other than BG and his lawyers need to make a living)?
Allowing unknown, bad, executables from doing strange things on your system without your permission or, at times, without your knowledge of it happening.
Cups isn't exactly something I'd call unknown, but just because it can't guess the fine points of driving an old C82 properly without my help in the configuration files makes it a bad-ass?
If I didn't want heyu running the exterior lights & logging some of the odd activities its sensors might record, would I have installed it?
If you chose to turn this protection off that is most certainly your right. It is your system. If you don't feel that the protection is valuable then screw it.
I have a firewall that has so far been bulletproof. It's called dd-wrt, run on an old scrap x86 box, booting busybox from a cf card, no drives in it & only 2 fans. I know enough about such things to know that someday, somebody will read the RFC's and figure out a way around it. To have to put up with that bit of paranoia harassing me every time the clock ticks until that time is asking too much of any user. I built this box, and the 6 or 7 before it, to use, to do useful things, and I want it to do useful things, which it cannot even begin to do with selinux enabled in any capacity.
But when that smiling hacker from somewhere finally decides that there are enough Linux users that think like Windows users he will write that program that will wipe out your milling program.
He'll have to get through that firewall for starters, then figure out which machine the milling program is running on. But there are far more tasty targets here than a copy of emc-2.1.7 that I can download and re-install in 15 minutes as long as the network is up. Me and one of my kids who thinks he is a windows expert spent the better part of 2 hours on the phone one night a few months ago, each using the other's actual ip address, and trying to figure out a way into the other's box. But first, you have to prove there is actually a box at that address, right? He had the latest satan and something I never heard of and I had nmap, ping in both protocols and traceroute in both protocols, and neither of us could even get a response from the identd daemon, so effectively (and we tried 100% of the port range up to 65535) there was no computer to be attacked at that ip address, for either of us. I had to admit he had that XP box locked up quite nicely. And all that time, email was flowing at both ends of that 1200 mile circuit at full speed.
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve. It is work in progress and when you use older releases it can cause problems.
There should be, in the man-pages, a direct translation of the logged error to a command that would fix it. There is not for 90% of the cases, and I rest my case.
Having come "hat in hand" with 20k of logfiles, and be told in no uncertain terms to take my problems to the selinux list sucks. If redhat/fedora doesn't want to either write some docs that make sense, or support the crap they put in the distribution, then it gets its lifeline cut. It really is that simple.
The SELinux list would be where you would find the SELinux 'guys' so that would be, IMO, a better place to look for SELinux help than here on a general list. If I was having a problem with some application, pick one, I would go to its support list.
Fedora 7 had the beginning of a troubleshooting GUI for SELinux. In Fedora 8 it is now working quite well. When SELinux 'sees' what it 'Thinks' is a 'bad thing trying to happen' it will tell you with an applet warning in the task bar. Clicking on the applet brings down a window with a pretty complete explanation of what is happening, what it thinks is wrong and why. If you disagree just keep reading the very short paragraph and it will tell you how to change the setting. Verbatim. If (it happens very seldom for me) the setting cannot be changed it will offer you a bug report.
Oh, and in case anyone is interested, FC6 is not what I'd call "older" just yet, it still has some support although that seems to be drying up as F8 approaches. Older is me, I'll be 73 in 2 weeks. The unfunny part is that the person whom I gave my red Chiefs chair to at the tv station 5 years ago, and now 50 years old, is laying in the shop right now waiting for a catheterization session that will probably install some stents tomorrow.
Fedora Core 6 is EOL in December. I would consider that 'older'. ;-)
BTW Happy birthday. You got me by a little more than 12 years.
Have a good day.
I did actually. I'm learning how to do cabinet joinery with hand cut mortise and tenons, building me a gun cabinet for the room I just got done remodeling. I'm getting better as I go, but it still works up a sweat when doing it by hand with an antique wooden hammer and some Marples (rebranded Record) chisels. That will keep me out of the bars for at least a couple months by the time I get ready to put a 2 wheeler under it and take it to the house. Ash frame parts, solid cherry paneling. And I know where the trees that supplied the wood once stood. There's a certain cachet to that which you'll never get dropping the card for something like that.
That sounds interesting. I was never much good at cabinet/finish work in wood. Framing is about my limit there. My trade is sheet metal. HVAC That I can do from flat sheets to the 'last screw'. ;-)
This is getting OT for this list.
On Friday 21 September 2007, David Boles wrote:
on 9/21/2007 2:13 AM, Gene Heskett wrote:
On Friday 21 September 2007, David Boles wrote:
This is getting OT for this list.
I'm subscribed to the selinux list, have been for months. The amount of actual, usable info there would take an assayer a week to detect. But I maybe am about to test it by setting it to permissive on my lappy, letting it relabel it and see if I have a network.
Right now it's updating itself. Then I need to re-install ndiswrapper to match the new kernel it's putting in.
on 9/21/2007 12:51 PM, Gene Heskett wrote:
On Friday 21 September 2007, David Boles wrote:
on 9/21/2007 2:13 AM, Gene Heskett wrote:
On Friday 21 September 2007, David Boles wrote:
This is getting OT for this list.
I'm subscribed to the selinux list, have been for months. The amount of actual, usable info there would take an assayer a week to detect. But I maybe am about to test it by setting it to permissive on my lappy, letting it relabel it and see if I have a network.
Right now it's updating itself. Then I need to re-install ndiswrapper to match the new kernel it's putting in.
Hi Gene. Directed at me? You are still on FC-6 correct? It has been so long since I used that release I am not sure what 'can of worms' you might be opening. I honestly do understand your thoughts and feelings here.
SELinux, if I understand it correctly, is not really made to prevent *you* from doing anything but to stop some piece of malicious or poorly written software from trashing your system, files, 'stuff' by doing something that is wrong. The Windows type keylogger that will someday show up in Linux. Or SPAM relay 'bots. The cute little script that trashes fstab. Or grub.conf. Things like these. All made up? Sure. But coming soon to a Linux near you. ;-) Could be. It would be nice if the 'protection' was here first instead of what Windows has. Which is pretty much nothing.
My son tells me that a system very similar to SELinux was being worked on for Windows Vista and was dropped from the release when they needed to release and they could not get it to work. I do *not* want that to happen to Fedora. Or Linux in general.
I will tell you this. The GUI for SELinux in what will be Fedora 8 is nice and very helpful and much progress has been made in general. That could account for the little traffic that you mentioned seeing on the selinux-list.
You want SELinux off? Go for it. Your choice. I want SELinux on. My choice.
Disabled SELinux does nothing. And the 'horrible waste of HD space' is about, as near as I can tell something in the neighborhood of 140K. About the size of this email maybe? ;-)
On Fri, 21 Sep 2007 15:52:51 -0400, David Boles wrote:
[....]
SELinux, if I understand it correctly, is not really made to prevent *you* from doing anything but to stop some piece of malicious or poorly written software from trashing your system, files, 'stuff' by doing something that is wrong. The Windows type keylogger that will someday show up in Linux. Or SPAM relay 'bots. The cute little script that trashes fstab. Or grub.conf. Things like these. All made up? Sure. But coming soon to a Linux near you. ;-) Could be. It would be nice if the 'protection' was here first instead of what Windows has. Which is pretty much nothing.
[...]
I will tell you this. The GUI for SELinux in what will be Fedora 8 is nice and very helpful and much progress has been made in general. That could account for the little traffic that you mentioned seeing on the selinux-list.
You want SELinux off? Go for it. Your choice. I want SELinux on. My choice.
Disabled SELinux does nothing. And the 'horrible waste of HD space' is about, as near as I can tell something in the neighborhood of 140K. About the size of this email maybe? ;-)
This whole discussion has been very helpful; the comparison of space to one email is especially so. My thanks to all!
And I'll take a good look at the new GUI when I install F8, before I do any disabling. What is nice and helpful to those who know the most may or may not be so to those of us on the other end of the teeter-totter; but I'll keep my hopes up.
Here's a quote from some starlet I know nothing else of : "I try to be cynical, but I just can't keep up." Make that "paranoid" instead of "cynical" and you have the case of those like me who so abominate M$ and all its works (and, in some cases, ditto Apple) that we run without really knowing how to tell whether we've been compromised, nor what to do if we are.
The best solution I know of is to run every defense you can and still be able to operate; hence my reluctance to eliminate SELinux any sooner. But defenses you can't run also interfere; and up till now I'm quite sure I can't begin to "run" SELinux in any way worth the name. It remained present, if not active, so long as it didn't get in the way; it was all those irritating popups, beyond my understanding, that led me to disabling. I hope they're either gone, or a lot more helpful ...
On Fri, 2007-09-21 at 00:57 -0400, David Boles wrote:
<snip>
Wow Gene. I did not mean to set you off. SELinux is designed to help *you* protect your Linux system from one of the major flaws in Windows. Allowing unknown, bad, executables from doing strange things on your system without your permission or, at times, without your knowledge of it happening.
If you chose to turn this protection off that is most certainly your right. It is your system. If you don't feel that the protection is valuable then screw it.
But when that smiling hacker from somewhere finally decides that there are enough Linux users that think like Windows users he will write that program that will wipe out your milling program.
Honest Gene. SELinux has never caused me a problem that a simple 'look 'n fix it' could not solve. It is work in progress and when you use older releases it can cause problems.
At some unknown point in the future, a couple hours before SELinux goes EOL, your last sentence will still be accurate.
Andy
On Fri, 2007-09-21 at 00:34 -0400, Gene Heskett wrote:
On Thursday 20 September 2007, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
Rahul, Stephen Smalley and I went round and round over this several months ago, and I frankly don't care what you put in whatever /etc/sysconfig file, and there have been at least 3 named here in the last 72 hours, if you really want to disable it AND use the machine for something other than a training exercise in writing selinux rules from scratch, and figuring out how to protect them from yum/smart update activities, you WILL use the "crude" way because it's the only one that actually works.
With this file in effect:
[root@coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted
cups was denied access to my usb printer.
heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a usb-serial adaptor. It was also denied access to a regular serial port when the cm11a was hooked up to one of the 2 very precious serial ports on this box.
bulldog, the monitor for Belkin UPSs, was denied access to both the serial port and the usb port to talk to the ups.
There were probably more noshows on this busy machine, but by then I was ready to switch distros to something that didn't cross-breed with selinux. Steven suggested I try the grub command I've quoted here, and magically everything started working once I'd undone the configuration messes I'd made trying to make it work when it had been working very well for FC2.
So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should be all that's required. That information has already been through the bovine digestive tract once, and should be treated as such, chopped up, and spread on a cornfield and plowed back in cuz that is all it's good for.
Worse yet, it's being spewed by people who have an image of being authoritative about it when by my personal testing, it's an outright lie.
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
---- first of all, /etc/sysconfig/selinux is just a symbolic link to /etc/selinux/config
Secondly, the easy method to shut it off is simply system-config-security. You don't have to use it if you choose not to - it's your prerogative. It's just an additional layer of security.
Lastly, just because you showed little ability to learn the new tools to live peaceably with software that is ignorant of the security implications of an important tool set for security, doesn't make it bad. There are a lot of things that you do on a computer that I would surely not recommend to others - such as this suggestion to append selinux=0 to the kernel boot line as opposed to setting selinux as disabled (and there have been others as you know).
As for Rahul, Steve Smalley and you going around on an issue...I would take their side every time, without the slightest bit of hesitation.
Craig
On Fri, 2007-09-21 at 00:34 -0400, Gene Heskett wrote:
On Thursday 20 September 2007, David Boles wrote:
on 9/20/2007 11:30 PM, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
This way is, IMO, the crude way to do this. Turn SELinux off, if you chose to do so, in the SELinux configuration file.
/etc/selinux/config
change SELINUX=enforcing
to SELINUX=disabled
When you eventually update to a newer version of Fedora there will be better configuration GUIs available for you.
Rahul, Stephen Smalley and I went round and round over this several months ago, and I frankly don't care what you put in whatever /etc/sysconfig file, and there have been at least 3 named here in the last 72 hours, if you really want to disable it AND use the machine for something other than a training exercise in writing selinux rules from scratch, and figuring out how to protect them from yum/smart update activities, you WILL use the "crude" way because it's the only one that actually works.
With this file in effect:
[root@coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted
cups was denied access to my usb printer.
heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a usb-serial adaptor. It was also denied access to a regular serial port when the cm11a was hooked up to one of the 2 very precious serial ports on this box.
bulldog, the monitor for Belkin UPSs, was denied access to both the serial port and the usb port to talk to the ups.
There were probably more noshows on this busy machine, but by then I was ready to switch distros to something that didn't cross-breed with selinux. Steven suggested I try the grub command I've quoted here, and magically everything started working once I'd undone the configuration messes I'd made trying to make it work when it had been working very well for FC2.
So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should be all that's required. That information has already been through the bovine digestive tract once, and should be treated as such, chopped up, and spread on a cornfield and plowed back in cuz that is all it's good for.
Just to clarify (trying to avoid the flame fest here): SELINUX=disabled in /etc/selinux/config on any modern Fedora system should truly disable SELinux in the kernel, by having /sbin/init write a "1" to the /selinux/disable pseudo file provided by the kernel (note that this is only allowed if policy has not yet been loaded). That unregisters the SELinux hooks from the kernel, and it is no longer active on the kernel code paths. It was true though that at one time, the kernel didn't support that and SELINUX=disabled just meant don't load any policy and stay in permissive mode, which would explain your FC2 experience. So, selinux=0 was originally the only way to completely disable SELinux, but with any modern kernel and init, it should be possible to use SELINUX=disabled to the same effect.
Permissive mode is different - SELinux stays active on the code paths and while permission checks are always granted, there are other possible failure paths. However, if you (here you == any user) find that something is broken in permissive mode, please file a bug report so that it can be examined to see whether it can be resolved.
Worse yet, it's being spewed by people who have an image of being authoritative about it when by my personal testing, it's an outright lie.
What the hell IS the agenda with selinux anyway? Is it something M$ funded to make linux less appealing to the joe sixpack users? Is it a backdoor that NSA conned RedHat into adding? I only know two things about it for sure, and that's that it is a Pain In The Ass, and that the sample grub command option selinux=0 works.
The agenda is the already stated one, to bring flexible mandatory access control to the mainstream in order to counter the threat posed by malicious and flawed programs. Nothing more, nothing less.
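As an added illustration of the distinction drawn above between the mode written in the config file and the state the kernel is actually in (this is added example code, not anything posted in the thread or shipped by Fedora): the program below parses the SELINUX= line the way a tool rather than a plain grep would, ignoring the "# SELINUX= can take one of these three values:" comment that the grep output quoted earlier also matched, and then asks the kernel what it is running. It assumes the paths /etc/selinux/config (the thread notes /etc/sysconfig/selinux is a symlink to it) and the selinuxfs "enforce" file, which is /sys/fs/selinux/enforce on current kernels and /selinux/enforce on the FC-era kernels discussed here; with no such file present, SELinux is disabled in the sense Stephen Smalley describes.

```c
/* Added example, not from the thread: configured vs. running SELinux mode.
 * Assumed paths: /etc/selinux/config and the selinuxfs "enforce" file. */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum selinux_mode { MODE_UNKNOWN = -1, MODE_DISABLED = 0, MODE_PERMISSIVE = 1, MODE_ENFORCING = 2 };

const char *mode_name(enum selinux_mode m)
{
    switch (m) {
    case MODE_DISABLED:   return "disabled";
    case MODE_PERMISSIVE: return "permissive";
    case MODE_ENFORCING:  return "enforcing";
    default:              return "unknown";
    }
}

/* Parse the text of /etc/selinux/config. Comment lines are skipped, and
 * SELINUXTYPE= does not match because the byte after SELINUX is not '='.
 * If the key appears more than once, the last assignment wins. */
enum selinux_mode parse_selinux_config(const char *text)
{
    enum selinux_mode mode = MODE_UNKNOWN;
    const char *line = text;

    while (line != NULL && *line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        size_t i = 0;

        while (i < len && isspace((unsigned char)line[i]))
            i++;                                   /* leading whitespace */
        if (i < len && line[i] != '#' && strncmp(line + i, "SELINUX=", 8) == 0) {
            const char *val = line + i + 8;
            size_t vlen = len - i - 8;

            while (vlen > 0 && isspace((unsigned char)val[vlen - 1]))
                vlen--;                            /* trailing whitespace */
            if (vlen == 8 && strncmp(val, "disabled", 8) == 0)
                mode = MODE_DISABLED;
            else if (vlen == 10 && strncmp(val, "permissive", 10) == 0)
                mode = MODE_PERMISSIVE;
            else if (vlen == 9 && strncmp(val, "enforcing", 9) == 0)
                mode = MODE_ENFORCING;
            else
                mode = MODE_UNKNOWN;               /* not one of the three documented values */
        }
        line = end ? end + 1 : NULL;
    }
    return mode;
}

/* Read and parse the on-disk file; MODE_UNKNOWN if it cannot be opened. */
enum selinux_mode read_selinux_config(const char *path)
{
    char buf[8192];
    size_t n;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return MODE_UNKNOWN;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_selinux_config(buf);
}

/* Ask the kernel. No selinuxfs "enforce" file means SELinux is disabled
 * (unhooked) or not built in; otherwise it holds 0 (permissive) or 1 (enforcing). */
enum selinux_mode runtime_selinux_mode(void)
{
    static const char *const paths[] = { "/sys/fs/selinux/enforce", "/selinux/enforce" };
    size_t i;

    for (i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        char c = 0;
        int fd = open(paths[i], O_RDONLY);

        if (fd < 0)
            continue;
        if (read(fd, &c, 1) == 1) {
            close(fd);
            return c == '1' ? MODE_ENFORCING : MODE_PERMISSIVE;
        }
        close(fd);
    }
    return MODE_DISABLED;
}

int main(void)
{
    enum selinux_mode configured = read_selinux_config("/etc/selinux/config");
    enum selinux_mode running = runtime_selinux_mode();

    printf("configured: %s\nrunning:    %s\n", mode_name(configured), mode_name(running));
    if (configured != MODE_UNKNOWN && configured != running)
        puts("config and kernel disagree: the config file is read by init at boot, "
             "so the change has not taken effect on this running kernel");
    return 0;
}
```

Run it as an unprivileged user on the machine in question; the "running" line is the one that settles whether SELinux is active, since the config file only says what init will do at the next boot.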
Stephen Smalley wrote:
Just to clarify (trying to avoid the flame fest here): SELINUX=disabled in /etc/selinux/config on any modern Fedora system should truly disable SELinux in the kernel, by having /sbin/init write a "1" to
What you just wrote is not possible. At the very least, the code which checks the state of the enable flag must be present and active in memory.
[snip]
Permissive mode is different - SELinux stays active on the code paths and while permission checks are always granted, there are other possible failure paths. However, if you (here you == any user) find that something is broken in permissive mode, please file a bug report so that it can be examined to see whether it can be resolved.
What you write here is just as applicable to "disabled" state as it is to "permissive" state, just presumably less code gets executed, unless SELinux itself gets exploited.
[snip]
The agenda is the already stated one, to bring flexible mandatory access control to the mainstream in order to counter the threat posed by malicious and flawed programs. Nothing more, nothing less.
It would be nicer if the mandatory access control were an optional feature for those who don't want it.
Mike
Mike McCarty wrote:
It would be nicer if the mandatory access control were an optional feature for those who don't want it.
It is optional, just not in Fedora. See www.linuxfromscratch.org for the sort of complete control and customization you seek. Either that or search for a distro that more closely matches your desires.
For Fedora, SELinux is a feature that is most definitely an important part of the distro. You can bemoan it for days (and day and days and days...), but that won't make it what you want. What you want is not -- and most likely will not be -- provided by Fedora anytime soon.
Beating this dead horse will not make it gallop -- but it does make those of us on the sideline wince. :)
Todd Zullinger wrote:
[snip]
Yes, I have a copy of Linux From Scratch, and I'm investigating it. Gentoo also looks promising as a jump off point, though it is also infected, so I hear.
Beating this dead horse will not make it gallop -- but it does make those of us on the sideline wince. :)
Is there no one else here who senses that what we have is a lack of imagination? The fact that a "disabled" state exists proves that those who implemented it realized it was not for everyone.
Why cannot someone realize that this is an opportunity to make such kinds of options actually be options?
Mike
Around 10:42pm on Friday, September 21, 2007 (UK time), Mike McCarty scrawled:
Is there no one else here who senses that what we have is a lack of imagination? The fact that a "disabled" state exists proves
Nope - perhaps you are wrong?
Why cannot someone realize that this is an opportunity to make such kinds of options actually be options?
Because some people would consider the code that enabled this optional selection a vulnerability that was not worth having?
Steve
Steve Searle wrote:
Around 10:42pm on Friday, September 21, 2007 (UK time), Mike McCarty scrawled:
Is there no one else here who senses that what we have is a lack of imagination? The fact that a "disabled" state exists proves
Nope - perhaps you are wrong?
Why cannot someone realize that this is an opportunity to make such kinds of options actually be options?
Because some people would consider the code that enabled this optional selection a vulnerability that was not worth having?
Steve
My finger is tired of deleting all this Crap on SELinux. It is just a bunch of spam. I hate it :-)
On Fri, 2007-09-21 at 18:32 -0600, Karl Larsen wrote:
Steve Searle wrote:
Around 10:42pm on Friday, September 21, 2007 (UK time), Mike McCarty scrawled:
Is there no one else here who senses that what we have is a lack of imagination? The fact that a "disabled" state exists proves
Nope - perhaps you are wrong?
Why cannot someone realize that this is an opportunity to make such kinds of options actually be options?
Because some people would consider the code that enabled this optional selection a vulnerability that was not worth having?
Steve
My finger is tired of deleting all this Crap on SELinux. It is just a bunch of spam. I hate it :-)
Early on in these SELinux threads I created a whiner folder under my Fedora-List folder in Evolution and the list is growing of senders' email addresses whose emails automatically get dumped there :)
Bob
on 9/24/2007 11:28 AM, Alan M. Evans wrote:
On Fri, 2007-09-21 at 18:32 -0600, Karl Larsen wrote:
My finger is tired of deleting all this Crap on SELinux. It is just a bunch of spam. I hate it :-)
Excuse me while I go towel off the irony...
You will need a *big* towel here. :-)
On Fri, 2007-09-21 at 14:28 -0500, Mike McCarty wrote:
Stephen Smalley wrote:
Just to clarify (trying to avoid the flame fest here): SELINUX=disabled in /etc/selinux/config on any modern Fedora system should truly disable SELinux in the kernel, by having /sbin/init write a "1" to
What you just wrote is not possible. At the very least, the code which checks the state of the enable flag must be present and active in memory.
Once SELinux has been disabled (via selinux=0 or SELINUX=disabled), its kernel code is no longer executed, as it is unhooked from the kernel code paths at the time of disabling. The LSM framework is still executed, if that is what you mean, but that framework is present to support any kernel security module, including the Linux capabilities model. When you call open(2) or other syscalls after SELinux has been disabled, no SELinux code is run, only the LSM framework code.
[snip]
Permissive mode is different - SELinux stays active on the code paths and while permission checks are always granted, there are other possible failure paths. However, if you (here you == any user) find that something is broken in permissive mode, please file a bug report so that it can be examined to see whether it can be resolved.
What you write here is just as applicable to "disabled" state as it is to "permissive" state, just presumably less code gets executed, unless SELinux itself gets exploited.
Disabled: A call to open(2) never executes any SELinux kernel code. Permissive: A call to open(2) executes SELinux kernel code, using a mode of operation that logs but does not deny permissions. It's a fairly significant difference.
[snip]
The agenda is the already stated one, to bring flexible mandatory access control to the mainstream in order to counter the threat posed by malicious and flawed programs. Nothing more, nothing less.
It would be nicer if the mandatory access control were an optional feature for those who don't want it.
They are optional. Look, we provided multiple ways of disabling the kernel code (selinux=0 at first, then SELINUX=disabled because some people don't like boot params), and bracketed the userland code with is_selinux_enabled() checks. If it weren't optional, there would be no SELINUX=disabled at all. Possibly the degree of "optional" can be improved, but that requires work on someone's part, always comes with a cost, and it isn't clear that anything less than a full source rebuild with SELinux build options disabled would satisfy you. You can already disable SELinux at runtime, and you can already rebuild the distro from source with SELinux disabled at compile time. What else did you want to do? yum remove libselinux? Ok, that one requires someone to take the time to patch all of the applications that now call it directly to instead use dlopen+dlsym and fall back to non-selinux behavior if not present. Which can be done, but someone has to do it, dlopen carries a cost at runtime, and that still leaves the code to perform the dlopen+dlsym and to switch between the selinux and non-selinux code paths in the application. Is that worth it to you?
On Fri, 2007-09-21 at 14:28 -0500, Mike McCarty wrote:
It would be nicer if the mandatory access control were an optional feature for those who don't want it.
Trying to have something that's "mandatory" be "optional" is an oxymoron. But leaving aside how amusing that sounds for the moment, at this point, it's beginning to sound like you're a shill for those who want it to be easy to compromise machines.
"You don't need a firewall, SELinux, anti-virus, file permissions..." Somewhere, in the corner, a malcontent is rubbing his hands with glee.
On Fri, 21 Sep 2007 11:14:04 -0400, Stephen Smalley wrote: [...]
Just to clarify (trying to avoid the flame fest here): SELINUX=disabled in /etc/selinux/config on any modern Fedora system should truly disable SELinux in the kernel, by having /sbin/init write a "1" to the /selinux/disable pseudo file provided by the kernel (note that this is only allowed if policy has not yet been loaded). That unregisters the SELinux hooks from the kernel, and it is no longer active on the kernel code paths.
I recall a time (but not which FC) when, watching the boot messages, I always saw something about hooks -- and wondered what they were ... I haven't been seeing that lately.
I *think* therefore that the options available have changed. Is that right?
It was true though that at one time, the kernel didn't support that and SELINUX=disabled just meant don't load any policy and stay in permissive mode, which would explain your FC2 experience. So, selinux=0 was originally the only way to completely disable SELinux, but with any modern kernel and init, it should be possible to use SELINUX=disabled to the same effect.
So it's no wonder that all these incomprehensible messages are so new to me. Right? The software (or whatever it takes) to run SELinux was on the machine, where it could be enabled; but in fact, on my machines, it did nothing. Right again? And that changed? Probably with F7?
Permissive mode is different - SELinux stays active on the code paths and while permission checks are always granted, there are other possible failure paths. However, if you (here you == any user) find that something is broken in permissive mode, please file a bug report so that it can be examined to see whether it can be resolved.
I quit installing bug buddy because I had the distinct impression I was way short of being able to say anything worth an Alpha Plus Technoid's time to read. In fact, most of its draft bug reports came as surprises to me -- telling me about epiphany crashes I had no idea had happened, etc.
If that's wrong, and the stuff bug buddy puts together is of value even with completely clueless comments (such as "Huh? I dunno what was happening just before <whatever> crashed; news to me that it did."), then I can certainly tell pirut to put bug buddy back.
The agenda is the already stated one, to bring flexible mandatory access control to the mainstream in order to counter the threat posed by malicious and flawed programs. Nothing more, nothing less.
On Thu, 2007-09-20 at 23:30 -0400, Gene Heskett wrote:
On Thursday 20 September 2007, Beartooth wrote:
I keep it set to -- supposedly -- NON-enforcing, because of the warning in the installer against eliminating it; but it keeps making all kinds of trouble, anyway. Can I just command "yum remove selinux"?
No, but it can be disabled by only one method I know of, the kernel's command line in grub.conf.
Append to it: selinux=0 and reboot.
---- No - not good form. Don't use kernel parameters where configuration files in /etc tree accomplish the task much more elegantly and you can use GUI tools.
# head -n 6 /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
edit per instructions (changed to disabled) or use system-config-security and change it to disabled there (the result is exactly the same)
Craig
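The thread keeps circling around two distinct questions: what /etc/selinux/config says (which init reads at boot) and what the kernel is actually doing right now (what getenforce reports). The script below is an added example, not code from anyone in the thread or from the SELinux project; it parses a config file in the format quoted above and, separately, reads the kernel's selinuxfs "enforce" node (assumed at /sys/fs/selinux on current kernels or /selinux on 2007-era Fedora), then points out when the two disagree, which is exactly the "SELINUX=disabled only takes effect at the next boot" situation Stephen Smalley describes.

```shell
#!/bin/sh
# Added example: compare the configured SELinux mode with the running kernel's mode.
# Usage: sh selinux_state.sh [/path/to/selinux/config]

# Print the mode named by the last active SELINUX= line in a config file.
# Commented lines (as in the quoted /etc/selinux/config) are ignored.
configured_mode() {
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) printf '%s\n' "$mode" ;;
        '') printf 'unset\n'; return 1 ;;
        *)  printf 'invalid:%s\n' "$mode"; return 1 ;;
    esac
}

# Report what the kernel is doing now. If no selinuxfs "enforce" node is
# readable, the SELinux hooks are not active (selinux=0 or SELINUX=disabled
# honoured by init at boot), which is the "disabled" case from the thread.
# Assumed mount points: /sys/fs/selinux (modern) and /selinux (older Fedora).
runtime_mode() {
    for fs in /sys/fs/selinux /selinux; do
        if [ -r "$fs/enforce" ]; then
            case "$(cat "$fs/enforce")" in
                1) echo enforcing ;;
                0) echo permissive ;;
                *) echo unknown ;;
            esac
            return 0
        fi
    done
    echo disabled
}

# Show both views and explain a mismatch: the config is only consulted at boot.
report() {
    cfg=${1:-/etc/selinux/config}
    want=$(configured_mode "$cfg") || true
    have=$(runtime_mode)
    printf 'configured (%s): %s\n' "$cfg" "$want"
    printf 'running kernel:   %s\n' "$have"
    if [ "$want" = disabled ] && [ "$have" != disabled ]; then
        echo "note: SELINUX=disabled is applied by init before policy load; reboot for it to take effect"
    elif [ "$have" = disabled ] && [ "$want" != disabled ]; then
        echo "note: kernel has SELinux unhooked (selinux=0 or earlier disable); config is not in effect"
    fi
}

if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

Run it as `sh selinux_state.sh /etc/selinux/config`; on a box where the file and the kernel disagree, the trailing note tells you which side is authoritative until the next reboot. The runtime check is the same information `getenforce` prints, read directly from the kernel rather than through libselinux, so it behaves the same whether or not the policy packages are installed.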