selinux??

Miroslav Grepl mgrepl at redhat.com
Mon Jan 25 09:40:29 UTC 2016


On 01/25/2016 09:02 AM, bruce wrote:
> Look.
> 
> I fully get the need for security.. But if I can't get the security
> working as it should, but I still need to build whatever the project
> might be.. the project is going to get created.
> 
> If running SELinux in permissive mode is enough, great, so be it.
> But when it comes to policies, for different users, applications,
> files, etc.. and the possibility of screwing something up if you go
> wrong, then you have a bit of an issue there...  And you can't simply
> tell someone, "if you don't know what you're doing, don't mess with
> linux!" Not going to happen..


Yes, SELinux running in permissive mode is a good starting point. We can
say that SELinux is in "learning mode". You adopt SELinux policy for
your setup.

And here the question is: how complicated is it?

It depends on your setup. And we are ready to help you on
<selinux at lists.fedoraproject.org> if you don't get answers from
the documentation.

And even more, your feedback is welcome because this is a good way to
improve the documentation.

> 
> But hey.. to each his/her own.
> 
> My goal wasn't to start a war.. Lord knows there are plenty of those
> on the 'net already!
> 
> Thanks to all who've replied.
> 
> ps. To all who've replied in favor of someone not really implementing
> a fed/centos/linux instance unless secure, I take it you're also
> willing to provide pointers/help if someone asks, yes? (And not just
> saying go look at YouTube videos, or read docs!!)
> 
> thanks!!
> 
> 
> 
> On Mon, Jan 25, 2016 at 2:07 AM, Eddie G. O'Connor Jr.
> <eoconnor25 at gmail.com> wrote:
>> On 01/24/2016 10:44 PM, Joe Zeff wrote:
>>>
>>> On 01/24/2016 07:17 PM, Tim wrote:
>>>>
>>>> I have, unfortunately.  And I see a lot of people who do on this list or
>>>> forums.  You can recognise them by the ones that when either dealing
>>>> with a problem, or installing a system, the first things they do are
>>>> turn off SELinux and firewalls.
>>>
>>>
>>> Back when I did tech support for an ISP, I got a call from a man who
>>> wanted to know if he could host a webpage on the Internet using the Windows
>>> Personal Webserver.  I quickly realized that if he had to ask, he probably
>>> didn't know enough to do it safely, so I tried to warn him about the risks.
>>> He stopped me and said that he was willing to find out the hard way and
>>> reinstall if he had to, so I told him that what he wanted to do was possible
>>> and ended the call.  I've wondered, a few times, how badly he got infected
>>> and just how hard "learning the hard way" turned out to be, but I've always
>>> considered it a case of evolution in every-day life.
>>>
>>> Putting a Linux box on the net with the firewall and SELinux disabled is
>>> just as bad.  I've seen all too many posters, here and elsewhere, who
>>> automatically disable SELinux because there were problems and performance
>>> hits associated with it when it first came out eighteen years ago and I
>>> never argue with them or try to get them to move into the 21st Century.  Not
>>> only is it a waste of my time, I figure that if they're that unwilling to
>>> learn, they're just getting what they deserve.
>>>
>>> The point here is that SELinux wouldn't have been developed and wouldn't
>>> have stuck around as long as it has if it didn't serve an important purpose.
>>> Unless you're sure that you know exactly what you're doing, don't mess with
>>> it.  And, if the troubleshooter shows you how to create a custom policy to
>>> work around an alert, ask yourself if you really need this program working
>>> before continuing.  Working around a glitch in Firefox is one thing; getting
>>> a game to work may or may not be worth the trade-off in security.  Sorry to
>>> go on so long, but once I started, I found that I had more to say than I'd
>>> thought.
>>
>> No worries there Mr. Zeff. It's greatly appreciated, I'm actually going to
>> use your info to point out to someone who LOVES disabling security in Linux
>> just how foolish that is!! So thanks for the input!!
>>
>>
>> EGO II


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.

