Allegedly, on or about 25 January 2016, vendor@xxxxxxxxxxxxx sent: > Did you mean "hacked" or "attacked?" To me an attack is the attempt, a hack is they've succeeded. They succeeded. Though, to be fair, I didn't say it was Linux computer, but the principle is the same. All computers are vulnerable, though in our case it's more the applications than the OS. And if you take no steps to protect your system, or worse, take steps to remove protection, you lay yourself wide open. > The problem I see with selinux is that it is so user-unfriendly. > These kinds of things always seem easy and straightforward to someone > who knows it well. That's the nature of skill, regardless of the kind > of skill it is. I see it no less user-friendly than other things. I look at ACL (access control lists), and see them as a nightmare. I can see them being used in security establishments, to control who can see or modify certain documents that need disseminating. But not in general use. I can't really imagine employee #54534624 writing a letter, then carefully considering a list of who can do what with their file (mutter, mutter, need to add my boss to read/write, my assistant to read/write, my technically hopeless other boss to read-only so he doesn't foul up my work, my co-workers to read-only, and I have to remember which of them are working on the same case...). Barring oversights and errors, SELinux generally does what it's supposed to do. If I create a file in /var/www/html/ to be served, it automatically gets given the right contects to be served, as part of the process of *creating* a file at that location. If I copy a file from somewhere to there, the same thing happens, the copy is a new creation, and gets the appropriate contexts for where it's created. A confusing thing happens if you try to move a file, the original file contexts are moved along with the file, and they're probably going to be wrong. It's logical, but not obvious to the uninitiated. Though it's not too hard to find out why, you just problem solve it like any other error that takes you by surprise. It's similar with file permissions. Some people declare it too hard, and want to make everything rwxrwxrwx, and hang the consequences. On a webserver, that (making everything world-writeable), or letting the webserver process own the files (making everything writeable by the server, and hence world-writeable), opens you up to all sorts of abuse, not just the destruction of that individual file. > That's what I think of when I read these discussions. If someone is > struggling with something like this, they may seem like morons, but it > is usually someting *other* than simple supidity or laziness that is > the reason. It's because the barrier to doing it is greater than the > perceived benefit. At times, but the tone of the thread indicates that laziness is an issue. > There is a truism that I remember being told about computer security a > long, long time ago that usability and technical security are > inversely related. At some point, when you increase the technical > security enough, you will have made the system unusable to the point > that your users will simply start going around it simply to get their > work done. That's true on both counts. Though I tend to feel that SELinux has met that balance at around the right place. While I have some sympathy for people who haven't yet learnt it, as they try to do something. My efforts are towards learn it, don't bypass it. Just the same as well tell people don't do things as root - that's often the root cause, pun intended, of all of these issues. They do one dumb thing, then another on top of that, and have several compounded problems because they will not follow any advice. It's usually around this point that I bring up an analogy against people trying to do things on computers when they don't really know how, and stubbornly resist all efforts to learn: I hope these people never get it into their head to half-arsedly learn first aid, and refuse to do something important because they don't want to. > ...[snip flash drive story]... I can understand that, and it's not a new story, either. The need to do it is understandable. The concept of doing it in isolation can be a required step. If the drive manages to do something nasty, it only affects that one computer, which then gets sterilised before being allowed back on the network (if the operator knows that, and doesn't just plug it back in, regardless). We had similar issues with floppy discs. Back when bootblock viruses were the common enemy, there was no/inadequate protection against them. The only way to stop the spread, was a cold boot in between, and using a system that booted from the disc in question. That method was no good against an OS that had another disc-based OS running it. > The combination of security that ignores users and users that ignore > security gives you a system that has neither security nor usability. > And simply calling users morons will not solve this. I don't believe I've said that. In this email I've certainly mentioned laziness, because the evidence points that way. As a general rule, on a user-level, SELinux doesn't get even thought about, here. It's in the background, and doesn't get in the way. If you're running services, then it rightly does become something you need to know about managing. But what particularly gets my goat, it someone who's a programmer developing things telling me that SELinux is too hard to deal with. Too hard? Compared with what? Writing software?! Jeez, you've got much harder work, *there*. And, as far as I'm concerned, programmers being hit with the big hammer that says, you have to write data in proper locations, you can't just read any file you like on the system, you can't just serve out files from any ad-hoc locations, is only a good set of conditions to start imposing on so-called programmers. Bring on the software that pokes them with a sharp stick for doing things that allows them to create buffer-overflow errors. We could save the entire world a whole lot of grief if programmers started paying attention to getting that one bit of programming right. > I love KDE, but frankly, it is collapsing under it's own complexity. I can't say I've ever liked it. It has the Fisher-Price toy look like XP had, and a gazillion configuration options that I do not like the defaults, and it's always been that way (ever since I saw it, a gazillion configuration options). Coming from an Amiga user background, I've never agreed with what people said about Gnome looking like Windows, no KDE does. Gnome looked far more old Mac-like. The other thing that peeved me about KDE (and I can see this thread is going to open a new can of worms), is the naming of all programs starting with a K followed by a name that seems purely random (regarding what the program actually did). Not only making it hard to locate software appropriate to your task, but confusingly k-naming things like kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE something). > Selinux is just another exmple. I used to like linux because it made > sense. Now it seems that it's little different than Windows sometimes > -- opaque, overly complex, and unfriendly. I don't think anything compares with the hideousness of Windows. So much of it is secret business, and I don't just mean closed-source. Resolving some whacko fault involves delving into the registry, adding things with sixteen hexadecimal numbers which mean nothing to no-one, that are only documented on hacking sites, or incomprehensible gibberish on the Microsoft that refers to two versions of Windows ago, warns against doing it on your release, yet the Microsoft search engine provides it as your solution. We now return you to your regular programming, from alt.computers.help.me.commit.die.quickly -- [tim@localhost ~]$ uname -rsvp Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list. Lucky for you I typed this, you'd never be able to read my handwriting. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
