selinux??
Ian Malone
ibmalone at gmail.com
Sun Jan 24 23:47:11 UTC 2016
On 24 January 2016 at 15:11, bruce <badouglas at gmail.com> wrote:
>> I am always amazed that people think shutting off a security
>> something-or-other for some-amount-of-time can be considered safe.
>>
>> It takes virtually the blink of an eye to get compromised.
>>
>> If you need to turn off a security feature to do something, then there's
>> something wrong with that /thing/ that required it. It could simply be
>> crap programming, or it could be malicious. And even crap programming
>> can be destructive outside of its own files.
>>
>
> really???
>
> it could also be, prob often is.. is that the person who's doing X is
> simply trying to get something done, and not be a Sys Admin!!!
>
> Doing security right.. is an effort in understanding the nuances.. If
> you've been playing with OS X, than you might have insight into what's
> required. But someone who's not gotten into the "guts" of what
> something like SeLinux requires, might not have an understanding of
> what needs to be configured, or exactly how to configure it, etc..
>
> Or configuring security (firewall, process restrictions, user
> restrictions, port issues, rootkit protections, file restrictions,
> etc.. ) might be fairly easy to setup, just not obvious to the casual
> user on how to do it.
>
> I haven't met a lot of people in my 30+ years of tech who just gloss
> over the impotance of security.. I have met alot who aren't sys
> admins.. and, even thought they create software projects from time to
> time.. wouldn't have a "clue" as to exactly how to set up a good
> secure system.. even thought they'd all say.. would be nice to do it!!
>
You are unlikely to be able to lock yourself out of a system with a
default SELinux setup (I wont say it's impossible, but I think you'd
have to intentionally create a policy to do it). The kinds of problems
you tend to run into for which turning it off is a quick workaround
are trying to serve files that have the wrong context set, e.g. html
not in the right place or java applets with the wrong settings.
(libexec on exectuables that need it is another good one) Usually
things don't work outright.
--
imalone
http://ibmalone.blogspot.co.uk
More information about the users
mailing list