selinux??

Shawn Bakhtiar shashaness at hotmail.com
Tue Jan 26 17:23:51 UTC 2016


> On Jan 26, 2016, at 9:10 AM, Ian Malone <ibmalone at gmail.com> wrote:
> 
> On 26 January 2016 at 16:57, bruce <badouglas at gmail.com> wrote:
>> What the Heck???
>> 
>> So.. people who think/decide to just disable seLinux, instead of
>> diving in to "learn" it are just lazy????  Lord.. shaking my head..
>> 
>> How about.. some might be lazy..
>> 
>> Or, some have a bunch of different things to get accomplished, and
>> aren't looking to be a sysAdmin, so they want to (if possible) get to
>> the quickest way of getting their "project" working/tested.. And if
>> the "security/process" of X (in this case selinux) is in the way.. The
>> learning required to implement that gets shoved back. It's a
>> prioritization process for a bunch of people.
>> 
>> You have a limited amount of resources, you prioritize and keep going.
>> And yeah, you realize that you might be cutting corners re security,
>> but you keep going.
>> 
>> And before people say, "you need to learn security, or you shouldn't
>> be writing apps!!".. not going to happen.
>> 
>> Implementing "good" security, doesn't happen by spending a few hours
>> on a few sites. You eventually run into issues that "need to be
>> solved", etc.. which then adds time/effort/resources. And rightly so,
>> this is why you have skilled sysAdmin resources. But smaller projects
>> don't have the resources for this process.. so it becomes a matter of
>> prioritization/resource allocation..
>> 
>> And I say again.. I've been willing to pay hard $$$ for someone
>> willing to work with me on security.. No takers..!!!
>> 
> 
> If you're really interested in that then it would be better to
> actually advertise.
I would agree with you here. 
> 
> The central point here, you seem to be arguing that you should disable
> all security because you don't have time to learn it and it's
> difficult.
This is a valid reason given the priorities. A lot of SMB/SOHOs don't have the resources to use SELinux. 

> But I bet you don't plan to just make everything on the
> machine world writable and turn off the firewall.
These functions are far easier than understanding the complexities of SELinux.

> Things like SELinux
> are actually there to help you. They can't make you do things like
> properly encrypt user logins, but they can reduce the risk it's going
> to matter. What I've been trying to say is leave it on and there are
> plenty of people that can give you advice if you run into problems.
> 
> And yes, there are people that should not write apps if they aren't
> going to bother with security.

Security is a System Administration function. Not a Software Engineering function. A lot of us function as both, but the idea that we have to be masters of all the disciplines we practice (when most of us are jacks of all trades) is simply false. We do our best, and our best sometimes means abandoning complicated mechanisms such as SELinux in order to get a project to completion.

SELinux is a bonus, not a requirement.

> If you're not from the UK then search
> google for Talktalk hacked, or imagine what would happen if people
> could get at your uber account details. Failing to protect user data
> properly over here (UK) can attract serious fines.

That's not true... If you are NEGLIGENT you could face fines. Which I believe was the case with Talktalk, which was grossly negligent and in a far greater position than most Linux users to secure their data.

> 
> -- 
> imalone
> http://ibmalone.blogspot.co.uk
> -- 
> users mailing list
> users at lists.fedoraproject.org


