selinux??

[Sylvia Sánchez]

BTW... Yes, you can disable SELinux. Once you have your work done, you can
enable or keep it disabled, as you like it.



Hope it helps,
Sylvia

On Tuesday, 26 January 2016, bruce <badouglas at gmail.com> wrote:

> What the Heck???
>
> So.. people who think/decide to just disable seLinux, instead of
> diving in to "learn" it are just lazy????  Lord.. shaking my head..
>
> How about.. some might be lazy..
>
> Or, some have a bunch of different things to get accomplished, and
> aren't looking to be a sysAdmin, so they want to (if possible) get to
> the quickest way of getting their "project" working/tested.. And if
> the "security/process" of X (in this case selinux) is in the way.. The
> learning required to implement that gets shoved back. It's a
> prioritization process for a bunch of people.
>
> You have a limited amount of resources, you priortize and keep going.
> And yeah, you realize that you might be cutting corners re security,
> but you keep going.
>
> And before people say, "you need to learn security, or you shouldn't
> be writing apps!!".. not going to happen.
>
> Implementing "good" secutiry, doesn't happen by spending a few hours
> on a few sites. You eventually run into issues that "need to be
> solved", etc.. which then adds time/effort/resources. And rightly so,
> this is why you have skilled sysAdmin resources. But smaller projects
> don't have the resources for this process.. so it becomes a matter of
> prioritization/resource allocation..
>
> And I say again.. I've been willing to pay hard $$$ for someone
> willing to work with me on security.. No takers..!!!
>
> So, please, no disparaging "laxy" remarks, ok!
>
> Thanks!
>
>
> On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox at yahoo.com.au
> <javascript:;>> wrote:
> > Allegedly, on or about 25 January 2016, vendor at billoblog.com
> <javascript:;> sent:
> >> Did you mean "hacked" or "attacked?"
> >
> > To me an attack is the attempt, a hack is they've succeeded.  They
> > succeeded.  Though, to be fair, I didn't say it was Linux computer, but
> > the principle is the same.  All computers are vulnerable, though in our
> > case it's more the applications than the OS.  And if you take no steps
> > to protect your system, or worse, take steps to remove protection, you
> > lay yourself wide open.
> >
> >> The problem I see with selinux is that it is so user-unfriendly.
> >> These kinds of things always seem easy and straightforward to someone
> >> who knows it well.  That's the nature of skill, regardless of the kind
> >> of skill it is.
> >
> > I see it no less user-friendly than other things.  I look at ACL (access
> > control lists), and see them as a nightmare.  I can see them being used
> > in security establishments, to control who can see or modify certain
> > documents that need disseminating.  But not in general use.  I can't
> > really imagine employee #54534624 writing a letter, then carefully
> > considering a list of who can do what with their file (mutter, mutter,
> > need to add my boss to read/write, my assistant to read/write, my
> > technically hopeless other boss to read-only so he doesn't foul up my
> > work, my co-workers to read-only, and I have to remember which of them
> > are working on the same case...).
> >
> > Barring oversights and errors, SELinux generally does what it's supposed
> > to do.  If I create a file in /var/www/html/ to be served, it
> > automatically gets given the right contects to be served, as part of the
> > process of *creating* a file at that location.  If I copy a file from
> > somewhere to there, the same thing happens, the copy is a new creation,
> > and gets the appropriate contexts for where it's created.  A confusing
> > thing happens if you try to move a file, the original file contexts are
> > moved along with the file, and they're probably going to be wrong.  It's
> > logical, but not obvious to the uninitiated.  Though it's not too hard
> > to find out why, you just problem solve it like any other error that
> > takes you by surprise.
> >
> > It's similar with file permissions.  Some people declare it too hard,
> > and want to make everything rwxrwxrwx, and hang the consequences.  On a
> > webserver, that (making everything world-writeable), or letting the
> > webserver process own the files (making everything writeable by the
> > server, and hence world-writeable), opens you up to all sorts of abuse,
> > not just the destruction of that individual file.
> >
> >> That's what I think of when I read these discussions.  If someone is
> >> struggling with something like this, they may seem like morons, but it
> >> is usually someting *other* than simple supidity or laziness that is
> >> the reason.  It's because the barrier to doing it is greater than the
> >> perceived benefit.
> >
> > At times, but the tone of the thread indicates that laziness is an
> > issue.
> >
> >> There is a truism that I remember being told about computer security a
> >> long, long time ago that usability and technical security are
> >> inversely related.  At some point, when you increase the technical
> >> security enough, you will have made the system unusable to the point
> >> that your users will simply start going around it simply to get their
> >> work done.
> >
> > That's true on both counts.  Though I tend to feel that SELinux has met
> > that balance at around the right place.
> >
> > While I have some sympathy for people who haven't yet learnt it, as they
> > try to do something.  My efforts are towards learn it, don't bypass it.
> > Just the same as well tell people don't do things as root - that's often
> > the root cause, pun intended, of all of these issues.  They do one dumb
> > thing, then another on top of that, and have several compounded problems
> > because they will not follow any advice.
> >
> > It's usually around this point that I bring up an analogy against people
> > trying to do things on computers when they don't really know how, and
> > stubbornly resist all efforts to learn:  I hope these people never get
> > it into their head to half-arsedly learn first aid, and refuse to do
> > something important because they don't want to.
> >
> >> ...[snip flash drive story]...
> >
> > I can understand that, and it's not a new story, either.  The need to do
> > it is understandable.  The concept of doing it in isolation can be a
> > required step.  If the drive manages to do something nasty, it only
> > affects that one computer, which then gets sterilised before being
> > allowed back on the network (if the operator knows that, and doesn't
> > just plug it back in, regardless).
> >
> > We had similar issues with floppy discs.  Back when bootblock viruses
> > were the common enemy, there was no/inadequate protection against them.
> > The only way to stop the spread, was a cold boot in between, and using a
> > system that booted from the disc in question.  That method was no good
> > against an OS that had another disc-based OS running it.
> >
> >> The combination of security that ignores users and users that ignore
> >> security gives you a system that has neither security nor usability.
> >> And simply calling users morons will not solve this.
> >
> > I don't believe I've said that.  In this email I've certainly mentioned
> > laziness, because the evidence points that way.
> >
> > As a general rule, on a user-level, SELinux doesn't get even thought
> > about, here.  It's in the background, and doesn't get in the way.  If
> > you're running services, then it rightly does become something you need
> > to know about managing.
> >
> > But what particularly gets my goat, it someone who's a programmer
> > developing things telling me that SELinux is too hard to deal with.  Too
> > hard?  Compared with what?  Writing software?!  Jeez, you've got much
> > harder work, *there*.  And, as far as I'm concerned, programmers being
> > hit with the big hammer that says, you have to write data in proper
> > locations, you can't just read any file you like on the system, you
> > can't just serve out files from any ad-hoc locations, is only a good set
> > of conditions to start imposing on so-called programmers.  Bring on the
> > software that pokes them with a sharp stick for doing things that allows
> > them to create buffer-overflow errors.  We could save the entire world a
> > whole lot of grief if programmers started paying attention to getting
> > that one bit of programming right.
> >
> >> I love KDE, but frankly, it is collapsing under it's own complexity.
> >
> > I can't say I've ever liked it.  It has the Fisher-Price toy look like
> > XP had, and a gazillion configuration options that I do not like the
> > defaults, and it's always been that way (ever since I saw it, a
> > gazillion configuration options).  Coming from an Amiga user background,
> > I've never agreed with what people said about Gnome looking like
> > Windows, no KDE does.  Gnome looked far more old Mac-like.
> >
> > The other thing that peeved me about KDE (and I can see this thread is
> > going to open a new can of worms), is the naming of all programs
> > starting with a K followed by a name that seems purely random (regarding
> > what the program actually did).  Not only making it hard to locate
> > software appropriate to your task, but confusingly k-naming things like
> > kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE
> > something).
> >
> >>  Selinux is just another exmple.  I used to like linux because it made
> >> sense.  Now it seems that it's little different than Windows sometimes
> >> -- opaque, overly complex, and unfriendly.
> >
> > I don't think anything compares with the hideousness of Windows.  So
> > much of it is secret business, and I don't just mean closed-source.
> > Resolving some whacko fault involves delving into the registry, adding
> > things with sixteen hexadecimal numbers which mean nothing to no-one,
> > that are only documented on hacking sites, or incomprehensible gibberish
> > on the Microsoft that refers to two versions of Windows ago, warns
> > against doing it on your release, yet the Microsoft search engine
> > provides it as your solution.
> >
> > We now return you to your regular programming, from
> > alt.computers.help.me.commit.die.quickly
> >
> > --
> > [tim at localhost ~]$ uname -rsvp
> > Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
> >
> > Boilerplate:  All mail to my mailbox is automatically deleted, there is
> > no point trying to privately email me, I only get to see the messages
> > posted to the mailing list.
> >
> > Lucky for you I typed this, you'd never be able to read my handwriting.
> >
> >
> >
> > --
> > users mailing list
> > users at lists.fedoraproject.org <javascript:;>
> > To unsubscribe or change subscription options:
> > https://admin.fedoraproject.org/mailman/listinfo/users
> > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> > Have a question? Ask away: http://ask.fedoraproject.org
> --
> users mailing list
> users at lists.fedoraproject.org <javascript:;>
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20160126/a4bd46d6/attachment.html>