selinux??

bruce badouglas at gmail.com
Mon Jan 25 15:29:17 UTC 2016


--Gawd...

Feels like I'm trying to spit in the wind!!

1st, not trying to set up web servers, but am looking at running tests
on linux servers.

2nd, recognize that one should have "secure" systems on the net, but
realize I don't have the time/set of skills to "fully" get there...

So, if you want to say  -- hey, don't have an insecure linux box, it
could be hacked and cause us the Internet community probs due to your
crap, that's fair.

But you need to realize, there are lots of people who are attempting
to do as much as they can with limited resources/time. If anyone here
wants to contact me offline, we can discuss. Heck, I've been looking
for a "sysadmin" type that I can pay, talk with for a bit.

If fed/selinux had a "config" file for simple services/ports, great..
But when you get to policies, and understanding the nuances of
selinux, as far as I can tell, it's a learning curve that has to be
dealt with in order to get it right..

And to be honest, I know of a number of operations/organizations that
have put the "security" sysAdmin stuff off until they could find a
sysadmin resource for that function..

There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in
4 weeks" courses that only get to the basics of coding, much less the
sysadmin stuff..

None of these are going away.. so some guy who pops up a website/app
on some aws instance.. has security issues that they might not even
realize..

Anyway.. thanks guys!


On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mailbox at yahoo.com.au> wrote:
> Allegedly, on or about 25 January 2016, bruce sent:
>> I fully get the need for security.. But if I can't get the security
>> working as it should, but I still need to build whatever the project
>> might be.. the project is going to get created.
>>
>> If running Selinux in permissive mode is enough, great, so be it.
>
> SELinux in permissive mode is *not* secure.  You're using the computer
> in an insecure mode, and all SELinux is doing is logging the things that
> it would have stopped.
>
>> But when it comes to policies, for different users, applications,
>> files, etc.. and the possibility of screwing something up if you go
>> wrong, then you have a bit of an issue there...
>
> I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
> And I haven't had to turn off SELinux, nor do anything beyond open the
> configurator GUI and tick the boxes that said to allow those particular
> services (look through its list, find HTTPD server, tick it, find
> serving CGI scripts, tick that, etc., that was about the extent of what
> I had to do).  Seriously, setting that right was a damn sight easier
> than configuring any of those servers.
>
> If you find something is failing because SELinux is stopping it, chances
> are that /that/ something is badly written, and needs doing better.  Is
> it trying to serve files it has no business serving?  Is it trying to
> execute things that it shouldn't execute but merely read?  There's a
> plethora of dumb things people try to do with their programs, and
> stopping those dumb things is the solution, not allowing them.
>
> Do you ignore programming error messages, too?
>
>> And you can't simply tell someone, "if you don't know what you're
>> doing, don't mess with linux!" Not going to happen..
>
> I can say if you don't know what you're doing, don't do it on the
> internet.  Dumb things on the internet don't just affect you, they
> affect other people around you.  That's why we have masses of spam on
> the internet, and other hacks.  Compromised user boxes, compromised ISP
> services, abound.
>
>> ps. To all who've replied in favor of someone not really implementing
>> a fed/centos/linux instance unless secure, I take it you're also
>> willing to provide pointers/help if someone asks, yes? (And not just
>> saying go look at youtube videos, or read docs!!)
>
> Here's a loaded weapon, point it at your own foot, and not in our
> direction...  No, I wouldn't give someone advice on how to insecurely
> run their computer, and neither will plenty of others.  You will find,
> however, that if you try doing it securely, and run into snags, that
> people are willing to help you solve the actual problem properly.
>
> Webservers and mailservers, in particular, are at least two things that
> need to be run with a great deal of care.  Hackers go searching for
> badly set up ones to do their nefarious deeds.  And here you are
> advertising that you're going to do so, identifying yourself in the
> process.
>
> --
> [tim at localhost ~]$ uname -rsvp
> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
>
> Boilerplate:  All mail to my mailbox is automatically deleted, there is
> no point trying to privately email me, I only get to see the messages
> posted to the mailing list.
>
> Windows, it's enough to make a grown man cry!
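
The quoted point that permissive mode only logs what enforcing mode would have stopped is visible in the audit log: each AVC record carries a permissive= field. The following is an added example, not part of either message: a parser that lists the accesses that went through only because the system was permissive. The log lines, port number, file names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the thread). permissive=1 means
# the access was logged but allowed; permissive=0 means it was blocked.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1453735757.101:401): avc:  denied  { read } for  pid=2101 comm="httpd" name="notes.txt" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1453735758.220:402): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=9123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1453735760.514:403): avc:  denied  { execute } for  pid=2150 comm="httpd" name="upload.cgi" dev="dm-0" ino=1422 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1453735760.514:403): arch=c000003e syscall=59 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # An SELinux context is user:role:type:level; the type drives policy.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # Records without permissive= give no answer, so leave that as None.
    rec["enforced"] = {"0": True, "1": False}.get(rec["permissive"])
    return rec

def allowed_only_because_permissive(log_text):
    """Count accesses that were logged but not blocked (permissive=1)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["enforced"] is False:
            for perm in rec["perms"]:
                key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
                hits[key] += 1
    return hits

if __name__ == "__main__":
    for key, count in allowed_only_because_permissive(SAMPLE_AUDIT_LOG).items():
        print(count, *key)
```

Each tuple it reports is something the confined service did that enforcing mode would have refused, which is the list to review before switching back to enforcing.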

