selinux??
Shawn Bakhtiar
shashaness at hotmail.com
Tue Jan 26 17:07:36 UTC 2016
I couldn't agree more bruce.
It's the 1% who get paid too much for doing too little that have such indulgent luxuries.
The rest of us 99% have to work for it :P
> On Jan 26, 2016, at 8:57 AM, bruce <badouglas at gmail.com> wrote:
>
> What the Heck???
>
> So.. people who think/decide to just disable seLinux, instead of
> diving in to "learn" it are just lazy???? Lord.. shaking my head..
>
> How about.. some might be lazy..
>
> Or, some have a bunch of different things to get accomplished, and
> aren't looking to be a sysAdmin, so they want to (if possible) get to
> the quickest way of getting their "project" working/tested.. And if
> the "security/process" of X (in this case selinux) is in the way.. The
> learning required to implement that gets shoved back. It's a
> prioritization process for a bunch of people.
>
> You have a limited amount of resources, you priortize and keep going.
> And yeah, you realize that you might be cutting corners re security,
> but you keep going.
>
> And before people say, "you need to learn security, or you shouldn't
> be writing apps!!".. not going to happen.
>
> Implementing "good" secutiry, doesn't happen by spending a few hours
> on a few sites. You eventually run into issues that "need to be
> solved", etc.. which then adds time/effort/resources. And rightly so,
> this is why you have skilled sysAdmin resources. But smaller projects
> don't have the resources for this process.. so it becomes a matter of
> prioritization/resource allocation..
>
> And I say again.. I've been willing to pay hard $$$ for someone
> willing to work with me on security.. No takers..!!!
>
> So, please, no disparaging "laxy" remarks, ok!
>
> Thanks!
>
>
> On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox at yahoo.com.au> wrote:
>> Allegedly, on or about 25 January 2016, vendor at billoblog.com sent:
>>> Did you mean "hacked" or "attacked?"
>>
>> To me an attack is the attempt, a hack is they've succeeded. They
>> succeeded. Though, to be fair, I didn't say it was Linux computer, but
>> the principle is the same. All computers are vulnerable, though in our
>> case it's more the applications than the OS. And if you take no steps
>> to protect your system, or worse, take steps to remove protection, you
>> lay yourself wide open.
>>
>>> The problem I see with selinux is that it is so user-unfriendly.
>>> These kinds of things always seem easy and straightforward to someone
>>> who knows it well. That's the nature of skill, regardless of the kind
>>> of skill it is.
>>
>> I see it no less user-friendly than other things. I look at ACL (access
>> control lists), and see them as a nightmare. I can see them being used
>> in security establishments, to control who can see or modify certain
>> documents that need disseminating. But not in general use. I can't
>> really imagine employee #54534624 writing a letter, then carefully
>> considering a list of who can do what with their file (mutter, mutter,
>> need to add my boss to read/write, my assistant to read/write, my
>> technically hopeless other boss to read-only so he doesn't foul up my
>> work, my co-workers to read-only, and I have to remember which of them
>> are working on the same case...).
>>
>> Barring oversights and errors, SELinux generally does what it's supposed
>> to do. If I create a file in /var/www/html/ to be served, it
>> automatically gets given the right contects to be served, as part of the
>> process of *creating* a file at that location. If I copy a file from
>> somewhere to there, the same thing happens, the copy is a new creation,
>> and gets the appropriate contexts for where it's created. A confusing
>> thing happens if you try to move a file, the original file contexts are
>> moved along with the file, and they're probably going to be wrong. It's
>> logical, but not obvious to the uninitiated. Though it's not too hard
>> to find out why, you just problem solve it like any other error that
>> takes you by surprise.
>>
>> It's similar with file permissions. Some people declare it too hard,
>> and want to make everything rwxrwxrwx, and hang the consequences. On a
>> webserver, that (making everything world-writeable), or letting the
>> webserver process own the files (making everything writeable by the
>> server, and hence world-writeable), opens you up to all sorts of abuse,
>> not just the destruction of that individual file.
>>
>>> That's what I think of when I read these discussions. If someone is
>>> struggling with something like this, they may seem like morons, but it
>>> is usually someting *other* than simple supidity or laziness that is
>>> the reason. It's because the barrier to doing it is greater than the
>>> perceived benefit.
>>
>> At times, but the tone of the thread indicates that laziness is an
>> issue.
>>
>>> There is a truism that I remember being told about computer security a
>>> long, long time ago that usability and technical security are
>>> inversely related. At some point, when you increase the technical
>>> security enough, you will have made the system unusable to the point
>>> that your users will simply start going around it simply to get their
>>> work done.
>>
>> That's true on both counts. Though I tend to feel that SELinux has met
>> that balance at around the right place.
>>
>> While I have some sympathy for people who haven't yet learnt it, as they
>> try to do something. My efforts are towards learn it, don't bypass it.
>> Just the same as well tell people don't do things as root - that's often
>> the root cause, pun intended, of all of these issues. They do one dumb
>> thing, then another on top of that, and have several compounded problems
>> because they will not follow any advice.
>>
>> It's usually around this point that I bring up an analogy against people
>> trying to do things on computers when they don't really know how, and
>> stubbornly resist all efforts to learn: I hope these people never get
>> it into their head to half-arsedly learn first aid, and refuse to do
>> something important because they don't want to.
>>
>>> ...[snip flash drive story]...
>>
>> I can understand that, and it's not a new story, either. The need to do
>> it is understandable. The concept of doing it in isolation can be a
>> required step. If the drive manages to do something nasty, it only
>> affects that one computer, which then gets sterilised before being
>> allowed back on the network (if the operator knows that, and doesn't
>> just plug it back in, regardless).
>>
>> We had similar issues with floppy discs. Back when bootblock viruses
>> were the common enemy, there was no/inadequate protection against them.
>> The only way to stop the spread, was a cold boot in between, and using a
>> system that booted from the disc in question. That method was no good
>> against an OS that had another disc-based OS running it.
>>
>>> The combination of security that ignores users and users that ignore
>>> security gives you a system that has neither security nor usability.
>>> And simply calling users morons will not solve this.
>>
>> I don't believe I've said that. In this email I've certainly mentioned
>> laziness, because the evidence points that way.
>>
>> As a general rule, on a user-level, SELinux doesn't get even thought
>> about, here. It's in the background, and doesn't get in the way. If
>> you're running services, then it rightly does become something you need
>> to know about managing.
>>
>> But what particularly gets my goat, it someone who's a programmer
>> developing things telling me that SELinux is too hard to deal with. Too
>> hard? Compared with what? Writing software?! Jeez, you've got much
>> harder work, *there*. And, as far as I'm concerned, programmers being
>> hit with the big hammer that says, you have to write data in proper
>> locations, you can't just read any file you like on the system, you
>> can't just serve out files from any ad-hoc locations, is only a good set
>> of conditions to start imposing on so-called programmers. Bring on the
>> software that pokes them with a sharp stick for doing things that allows
>> them to create buffer-overflow errors. We could save the entire world a
>> whole lot of grief if programmers started paying attention to getting
>> that one bit of programming right.
>>
>>> I love KDE, but frankly, it is collapsing under it's own complexity.
>>
>> I can't say I've ever liked it. It has the Fisher-Price toy look like
>> XP had, and a gazillion configuration options that I do not like the
>> defaults, and it's always been that way (ever since I saw it, a
>> gazillion configuration options). Coming from an Amiga user background,
>> I've never agreed with what people said about Gnome looking like
>> Windows, no KDE does. Gnome looked far more old Mac-like.
>>
>> The other thing that peeved me about KDE (and I can see this thread is
>> going to open a new can of worms), is the naming of all programs
>> starting with a K followed by a name that seems purely random (regarding
>> what the program actually did). Not only making it hard to locate
>> software appropriate to your task, but confusingly k-naming things like
>> kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE
>> something).
>>
>>> Selinux is just another exmple. I used to like linux because it made
>>> sense. Now it seems that it's little different than Windows sometimes
>>> -- opaque, overly complex, and unfriendly.
>>
>> I don't think anything compares with the hideousness of Windows. So
>> much of it is secret business, and I don't just mean closed-source.
>> Resolving some whacko fault involves delving into the registry, adding
>> things with sixteen hexadecimal numbers which mean nothing to no-one,
>> that are only documented on hacking sites, or incomprehensible gibberish
>> on the Microsoft that refers to two versions of Windows ago, warns
>> against doing it on your release, yet the Microsoft search engine
>> provides it as your solution.
>>
>> We now return you to your regular programming, from
>> alt.computers.help.me.commit.die.quickly
>>
>> --
>> [tim at localhost ~]$ uname -rsvp
>> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
>>
>> Boilerplate: All mail to my mailbox is automatically deleted, there is
>> no point trying to privately email me, I only get to see the messages
>> posted to the mailing list.
>>
>> Lucky for you I typed this, you'd never be able to read my handwriting.
>>
>>
>>
>> --
>> users mailing list
>> users at lists.fedoraproject.org
>> To unsubscribe or change subscription options:
>> https://admin.fedoraproject.org/mailman/listinfo/users
>> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
>> Have a question? Ask away: http://ask.fedoraproject.org
> --
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
More information about the users
mailing list