Re: selinux??

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 25 January 2016 at 15:56,  <vendor@xxxxxxxxxxxxx> wrote:
> On Mon, 25 Jan 2016, Tim wrote:
>
>>
>> I watched a friend get his box hacked four seconds after establishing a
>> network connection.  He had to re-install to fix the problem.  Same
>> thing happened the next two times he connected up.  I just about wet
>> myself laughing.  It took him three hacks before he wised up that he
>> needed to run protective software all the time.  Drop your guard for a
>> second (or at least a few seconds), and that's enough.
>>
>
> Did you mean "hacked" or "attacked?"  It seems to me that if there are
> successful intrusions by scripted attacks within four seconds of
> installation of a linux distro, it's either the wrong distro or it's wrongly
> installed -- with or without selinux enabled.
>

I have to admit I've heard this often enough (usually about windows),
but not seen it either, Windows or Linux, but I only do installs on
machines that aren't ethernet networked or are behind a NAT.

> The problem I see with selinux is that it is so user-unfriendly.  These
> kinds of things always seem easy and straightforward to someone who knows it
> well.  That's the nature of skill, regardless of the kind of skill it is.
>

> That's what I think of when I read these discussions.  If someone is
> struggling with something like this, they may seem like morons, but it is
> usually someting *other* than simple supidity or laziness that is the
> reason.  It's because the barrier to doing it is greater than the perceived
> benefit.
>

The take-home message, if there is one is this:
*You generally do not need to do anything*
(for SELinux anyway, there are some services I'd normally use that I'd
lock down a bit)

The policies in Fedora are meant to work out of the box. There are
some cases (generally if a file is moved to a location rather than
created there) where you find you need to add labels, and this is
really simple, e.g.
http://forums.fedoraforum.org/showthread.php?t=296243, which amounts
to make sure the files are in the right place and run restorecon.

For some things like home directory http you need to confirm that you
want them enabled, install policycoreutils-gui and run
system-config-selinux to get a gui for controlling them.
https://wiki.centos.org/TipsAndTricks/SelinuxBooleans has a list.

Really this thread isn't going to get very far, because it's based
around completely hypothetical problems which are impossible to fix
because their only definition is they are caused by selinux.

-- 
imalone
http://ibmalone.blogspot.co.uk
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux