On 25 January 2016 at 15:56, <vendor@xxxxxxxxxxxxx> wrote: > On Mon, 25 Jan 2016, Tim wrote: > >> >> I watched a friend get his box hacked four seconds after establishing a >> network connection. He had to re-install to fix the problem. Same >> thing happened the next two times he connected up. I just about wet >> myself laughing. It took him three hacks before he wised up that he >> needed to run protective software all the time. Drop your guard for a >> second (or at least a few seconds), and that's enough. >> > > Did you mean "hacked" or "attacked?" It seems to me that if there are > successful intrusions by scripted attacks within four seconds of > installation of a linux distro, it's either the wrong distro or it's wrongly > installed -- with or without selinux enabled. > I have to admit I've heard this often enough (usually about windows), but not seen it either, Windows or Linux, but I only do installs on machines that aren't ethernet networked or are behind a NAT. > The problem I see with selinux is that it is so user-unfriendly. These > kinds of things always seem easy and straightforward to someone who knows it > well. That's the nature of skill, regardless of the kind of skill it is. > > That's what I think of when I read these discussions. If someone is > struggling with something like this, they may seem like morons, but it is > usually someting *other* than simple supidity or laziness that is the > reason. It's because the barrier to doing it is greater than the perceived > benefit. > The take-home message, if there is one is this: *You generally do not need to do anything* (for SELinux anyway, there are some services I'd normally use that I'd lock down a bit) The policies in Fedora are meant to work out of the box. There are some cases (generally if a file is moved to a location rather than created there) where you find you need to add labels, and this is really simple, e.g. http://forums.fedoraforum.org/showthread.php?t=296243, which amounts to make sure the files are in the right place and run restorecon. For some things like home directory http you need to confirm that you want them enabled, install policycoreutils-gui and run system-config-selinux to get a gui for controlling them. https://wiki.centos.org/TipsAndTricks/SelinuxBooleans has a list. Really this thread isn't going to get very far, because it's based around completely hypothetical problems which are impossible to fix because their only definition is they are caused by selinux. -- imalone http://ibmalone.blogspot.co.uk -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
