selinux??

Ian Malone ibmalone at gmail.com
Mon Jan 25 16:50:55 UTC 2016


On 25 January 2016 at 15:56,  <vendor at billoblog.com> wrote:
> On Mon, 25 Jan 2016, Tim wrote:
>
>>
>> I watched a friend get his box hacked four seconds after establishing a
>> network connection.  He had to re-install to fix the problem.  Same
>> thing happened the next two times he connected up.  I just about wet
>> myself laughing.  It took him three hacks before he wised up that he
>> needed to run protective software all the time.  Drop your guard for a
>> second (or at least a few seconds), and that's enough.
>>
>
> Did you mean "hacked" or "attacked?"  It seems to me that if there are
> successful intrusions by scripted attacks within four seconds of
> installation of a linux distro, it's either the wrong distro or it's wrongly
> installed -- with or without selinux enabled.
>

I have to admit I've heard this often enough (usually about windows),
but not seen it either, Windows or Linux, but I only do installs on
machines that aren't ethernet networked or are behind a NAT.

> The problem I see with selinux is that it is so user-unfriendly.  These
> kinds of things always seem easy and straightforward to someone who knows it
> well.  That's the nature of skill, regardless of the kind of skill it is.
>

> That's what I think of when I read these discussions.  If someone is
> struggling with something like this, they may seem like morons, but it is
> usually something *other* than simple stupidity or laziness that is the
> reason.  It's because the barrier to doing it is greater than the perceived
> benefit.
>

The take-home message, if there is one, is this:
*You generally do not need to do anything*
(for SELinux anyway, there are some services I'd normally use that I'd
lock down a bit)

The policies in Fedora are meant to work out of the box. There are
some cases (generally if a file is moved to a location rather than
created there) where you find you need to add labels, and this is
really simple, e.g.
http://forums.fedoraforum.org/showthread.php?t=296243, which amounts
to make sure the files are in the right place and run restorecon.

For some things like home directory http you need to confirm that you
want them enabled; install policycoreutils-gui and run
system-config-selinux to get a gui for controlling them.
https://wiki.centos.org/TipsAndTricks/SelinuxBooleans has a list.

Really this thread isn't going to get very far, because it's based
around completely hypothetical problems which are impossible to fix
because their only definition is they are caused by selinux.

-- 
imalone
http://ibmalone.blogspot.co.uk
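
The relabelling case mentioned in the message (a file moved into place keeps its old label until restorecon is run), as an added example that is not part of the original post: a dry-run audit that lists which files restorecon would relabel. The function names and sample paths are hypothetical, and the "Would relabel ... from ... to ..." line format is assumed from recent restorecon releases; older releases print a different format.

```shell
#!/bin/sh
# Added example (not from the original post): find files whose SELinux
# label differs from what policy expects, without changing anything.

# Read restorecon dry-run output on stdin and print one line per
# mislabeled file: "PATH CURRENT_TYPE EXPECTED_TYPE".
# Assumes paths contain no spaces.
mislabeled_from_dryrun() {
    awk '$1 == "Would" && $2 == "relabel" && $4 == "from" && $6 == "to" {
        split($5, cur, ":")   # context is user:role:type:level
        split($7, want, ":")
        print $3, cur[3], want[3]
    }'
}

# Audit a directory tree. -n makes restorecon a dry run, -v prints what it
# would change. Needs policycoreutils and an SELinux-enabled system.
audit_labels() {
    restorecon -R -n -v "$1" 2>&1 | mislabeled_from_dryrun
}

# Constructed sample: two files moved into the web root from a home
# directory and from /tmp, so they still carry their old types.
sample_dryrun() {
    cat <<'EOF'
Would relabel /var/www/html/report.html from unconfined_u:object_r:user_home_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
Would relabel /var/www/html/img/logo.png from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:httpd_sys_content_t:s0
EOF
}
```

On a live system, `audit_labels /var/www/html` shows the same three columns for real files; running `restorecon -R -v` on the directory then applies the expected labels.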

