selinux??

Shawn Bakhtiar shashaness at hotmail.com
Tue Jan 26 17:07:36 UTC 2016


I couldn't agree more bruce.

It's the 1% who get paid too much for doing too little that have such indulgent luxuries.

The rest of us 99% have to work for it :P




> On Jan 26, 2016, at 8:57 AM, bruce <badouglas at gmail.com> wrote:
> 
> What the Heck???
> 
> So.. people who think/decide to just disable seLinux, instead of
> diving in to "learn" it are just lazy????  Lord.. shaking my head..
> 
> How about.. some might be lazy..
> 
> Or, some have a bunch of different things to get accomplished, and
> aren't looking to be a sysAdmin, so they want to (if possible) get to
> the quickest way of getting their "project" working/tested.. And if
> the "security/process" of X (in this case selinux) is in the way.. The
> learning required to implement that gets shoved back. It's a
> prioritization process for a bunch of people.
> 
> You have a limited amount of resources, you prioritize and keep going.
> And yeah, you realize that you might be cutting corners re security,
> but you keep going.
> 
> And before people say, "you need to learn security, or you shouldn't
> be writing apps!!".. not going to happen.
> 
> Implementing "good" security, doesn't happen by spending a few hours
> on a few sites. You eventually run into issues that "need to be
> solved", etc.. which then adds time/effort/resources. And rightly so,
> this is why you have skilled sysAdmin resources. But smaller projects
> don't have the resources for this process.. so it becomes a matter of
> prioritization/resource allocation..
> 
> And I say again.. I've been willing to pay hard $$$ for someone
> willing to work with me on security.. No takers..!!!
> 
> So, please, no disparaging "lazy" remarks, ok!
> 
> Thanks!
> 
> 
> On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox at yahoo.com.au> wrote:
>> Allegedly, on or about 25 January 2016, vendor at billoblog.com sent:
>>> Did you mean "hacked" or "attacked?"
>> 
>> To me an attack is the attempt, a hack is they've succeeded.  They
>> succeeded.  Though, to be fair, I didn't say it was a Linux computer, but
>> the principle is the same.  All computers are vulnerable, though in our
>> case it's more the applications than the OS.  And if you take no steps
>> to protect your system, or worse, take steps to remove protection, you
>> lay yourself wide open.
>> 
>>> The problem I see with selinux is that it is so user-unfriendly.
>>> These kinds of things always seem easy and straightforward to someone
>>> who knows it well.  That's the nature of skill, regardless of the kind
>>> of skill it is.
>> 
>> I see it no less user-friendly than other things.  I look at ACL (access
>> control lists), and see them as a nightmare.  I can see them being used
>> in security establishments, to control who can see or modify certain
>> documents that need disseminating.  But not in general use.  I can't
>> really imagine employee #54534624 writing a letter, then carefully
>> considering a list of who can do what with their file (mutter, mutter,
>> need to add my boss to read/write, my assistant to read/write, my
>> technically hopeless other boss to read-only so he doesn't foul up my
>> work, my co-workers to read-only, and I have to remember which of them
>> are working on the same case...).
>> 
>> Barring oversights and errors, SELinux generally does what it's supposed
>> to do.  If I create a file in /var/www/html/ to be served, it
>> automatically gets given the right contexts to be served, as part of the
>> process of *creating* a file at that location.  If I copy a file from
>> somewhere to there, the same thing happens, the copy is a new creation,
>> and gets the appropriate contexts for where it's created.  A confusing
>> thing happens if you try to move a file, the original file contexts are
>> moved along with the file, and they're probably going to be wrong.  It's
>> logical, but not obvious to the uninitiated.  Though it's not too hard
>> to find out why, you just problem solve it like any other error that
>> takes you by surprise.
>> 
>> It's similar with file permissions.  Some people declare it too hard,
>> and want to make everything rwxrwxrwx, and hang the consequences.  On a
>> webserver, that (making everything world-writeable), or letting the
>> webserver process own the files (making everything writeable by the
>> server, and hence world-writeable), opens you up to all sorts of abuse,
>> not just the destruction of that individual file.
>> 
>>> That's what I think of when I read these discussions.  If someone is
>>> struggling with something like this, they may seem like morons, but it
>>> is usually something *other* than simple stupidity or laziness that is
>>> the reason.  It's because the barrier to doing it is greater than the
>>> perceived benefit.
>> 
>> At times, but the tone of the thread indicates that laziness is an
>> issue.
>> 
>>> There is a truism that I remember being told about computer security a
>>> long, long time ago that usability and technical security are
>>> inversely related.  At some point, when you increase the technical
>>> security enough, you will have made the system unusable to the point
>>> that your users will simply start going around it simply to get their
>>> work done.
>> 
>> That's true on both counts.  Though I tend to feel that SELinux has met
>> that balance at around the right place.
>> 
>> While I have some sympathy for people who haven't yet learnt it, as they
>> try to do something.  My efforts are towards learn it, don't bypass it.
>> Just the same as we'll tell people don't do things as root - that's often
>> the root cause, pun intended, of all of these issues.  They do one dumb
>> thing, then another on top of that, and have several compounded problems
>> because they will not follow any advice.
>> 
>> It's usually around this point that I bring up an analogy against people
>> trying to do things on computers when they don't really know how, and
>> stubbornly resist all efforts to learn:  I hope these people never get
>> it into their head to half-arsedly learn first aid, and refuse to do
>> something important because they don't want to.
>> 
>>> ...[snip flash drive story]...
>> 
>> I can understand that, and it's not a new story, either.  The need to do
>> it is understandable.  The concept of doing it in isolation can be a
>> required step.  If the drive manages to do something nasty, it only
>> affects that one computer, which then gets sterilised before being
>> allowed back on the network (if the operator knows that, and doesn't
>> just plug it back in, regardless).
>> 
>> We had similar issues with floppy discs.  Back when bootblock viruses
>> were the common enemy, there was no/inadequate protection against them.
>> The only way to stop the spread, was a cold boot in between, and using a
>> system that booted from the disc in question.  That method was no good
>> against an OS that had another disc-based OS running it.
>> 
>>> The combination of security that ignores users and users that ignore
>>> security gives you a system that has neither security nor usability.
>>> And simply calling users morons will not solve this.
>> 
>> I don't believe I've said that.  In this email I've certainly mentioned
>> laziness, because the evidence points that way.
>> 
>> As a general rule, on a user-level, SELinux doesn't get even thought
>> about, here.  It's in the background, and doesn't get in the way.  If
>> you're running services, then it rightly does become something you need
>> to know about managing.
>> 
>> But what particularly gets my goat, is someone who's a programmer
>> developing things telling me that SELinux is too hard to deal with.  Too
>> hard?  Compared with what?  Writing software?!  Jeez, you've got much
>> harder work, *there*.  And, as far as I'm concerned, programmers being
>> hit with the big hammer that says, you have to write data in proper
>> locations, you can't just read any file you like on the system, you
>> can't just serve out files from any ad-hoc locations, is only a good set
>> of conditions to start imposing on so-called programmers.  Bring on the
>> software that pokes them with a sharp stick for doing things that allows
>> them to create buffer-overflow errors.  We could save the entire world a
>> whole lot of grief if programmers started paying attention to getting
>> that one bit of programming right.
>> 
>>> I love KDE, but frankly, it is collapsing under its own complexity.
>> 
>> I can't say I've ever liked it.  It has the Fisher-Price toy look like
>> XP had, and a gazillion configuration options that I do not like the
>> defaults, and it's always been that way (ever since I saw it, a
>> gazillion configuration options).  Coming from an Amiga user background,
>> I've never agreed with what people said about Gnome looking like
>> Windows, no KDE does.  Gnome looked far more old Mac-like.
>> 
>> The other thing that peeved me about KDE (and I can see this thread is
>> going to open a new can of worms), is the naming of all programs
>> starting with a K followed by a name that seems purely random (regarding
>> what the program actually did).  Not only making it hard to locate
>> software appropriate to your task, but confusingly k-naming things like
>> kernel-things got k-named (kmod, anyone? - a kernel module, or a KDE
>> something).
>> 
>>> Selinux is just another example.  I used to like linux because it made
>>> sense.  Now it seems that it's little different than Windows sometimes
>>> -- opaque, overly complex, and unfriendly.
>> 
>> I don't think anything compares with the hideousness of Windows.  So
>> much of it is secret business, and I don't just mean closed-source.
>> Resolving some whacko fault involves delving into the registry, adding
>> things with sixteen hexadecimal numbers which mean nothing to no-one,
>> that are only documented on hacking sites, or incomprehensible gibberish
>> on the Microsoft that refers to two versions of Windows ago, warns
>> against doing it on your release, yet the Microsoft search engine
>> provides it as your solution.
>> 
>> We now return you to your regular programming, from
>> alt.computers.help.me.commit.die.quickly
>> 
>> --
>> [tim at localhost ~]$ uname -rsvp
>> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
>> 
>> Boilerplate:  All mail to my mailbox is automatically deleted, there is
>> no point trying to privately email me, I only get to see the messages
>> posted to the mailing list.
>> 
>> Lucky for you I typed this, you'd never be able to read my handwriting.
>> 
>> 
>> 
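
The copy-versus-move labelling behaviour described in Tim's quoted message above, as an added example that is not part of the original thread. It scans `stat -c '%C %n'` style output for files under /var/www/html that kept a label from somewhere else; the sample lines, file names and the expected type `httpd_sys_content_t` (with `user_home_t` as the stale label carried by a moved file) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Expected SELinux type for static web content under /var/www/html.
# Assumption for this example; confirm on the host with:
#   matchpathcon /var/www/html
EXPECTED_TYPE="httpd_sys_content_t"

# Constructed sample in "stat -c '%C %n'" format: one file created in
# place, one copied in (a new creation, so it gets the directory's label),
# and one moved in from a home directory (it keeps its original label).
sample_listing() {
cat <<'EOF'
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/copied.html
unconfined_u:object_r:user_home_t:s0 /var/www/html/moved.html
EOF
}

# Read "<context> <path>" lines on stdin and print "<path> <type>" for
# every file whose type (third colon-separated field of the context)
# differs from the expected one.
find_mislabeled() {
    awk -v want="$EXPECTED_TYPE" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[3] != want) {
                path = $0
                sub(/^[^ ]+ +/, "", path)   # keep paths containing spaces
                print path " " ctx[3]
            }
        }'
}

# On a real host the input would come from:
#   stat -c '%C %n' /var/www/html/* | find_mislabeled
# and each reported file is relabelled with: restorecon -v <path>
sample_listing | find_mislabeled
```
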


