I couldn't agree more bruce. It's the 1% who get paid too much for doing too little that have such indulgent luxuries. The rest of us 99% have to work for it :P > On Jan 26, 2016, at 8:57 AM, bruce <badouglas@xxxxxxxxx> wrote: > > What the Heck??? > > So.. people who think/decide to just disable seLinux, instead of > diving in to "learn" it are just lazy???? Lord.. shaking my head.. > > How about.. some might be lazy.. > > Or, some have a bunch of different things to get accomplished, and > aren't looking to be a sysAdmin, so they want to (if possible) get to > the quickest way of getting their "project" working/tested.. And if > the "security/process" of X (in this case selinux) is in the way.. The > learning required to implement that gets shoved back. It's a > prioritization process for a bunch of people. > > You have a limited amount of resources, you priortize and keep going. > And yeah, you realize that you might be cutting corners re security, > but you keep going. > > And before people say, "you need to learn security, or you shouldn't > be writing apps!!".. not going to happen. > > Implementing "good" secutiry, doesn't happen by spending a few hours > on a few sites. You eventually run into issues that "need to be > solved", etc.. which then adds time/effort/resources. And rightly so, > this is why you have skilled sysAdmin resources. But smaller projects > don't have the resources for this process.. so it becomes a matter of > prioritization/resource allocation.. > > And I say again.. I've been willing to pay hard $$$ for someone > willing to work with me on security.. No takers..!!! > > So, please, no disparaging "laxy" remarks, ok! > > Thanks! > > > On Mon, Jan 25, 2016 at 11:21 PM, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote: >> Allegedly, on or about 25 January 2016, vendor@xxxxxxxxxxxxx sent: >>> Did you mean "hacked" or "attacked?" >> >> To me an attack is the attempt, a hack is they've succeeded. They >> succeeded. Though, to be fair, I didn't say it was Linux computer, but >> the principle is the same. All computers are vulnerable, though in our >> case it's more the applications than the OS. And if you take no steps >> to protect your system, or worse, take steps to remove protection, you >> lay yourself wide open. >> >>> The problem I see with selinux is that it is so user-unfriendly. >>> These kinds of things always seem easy and straightforward to someone >>> who knows it well. That's the nature of skill, regardless of the kind >>> of skill it is. >> >> I see it no less user-friendly than other things. I look at ACL (access >> control lists), and see them as a nightmare. I can see them being used >> in security establishments, to control who can see or modify certain >> documents that need disseminating. But not in general use. I can't >> really imagine employee #54534624 writing a letter, then carefully >> considering a list of who can do what with their file (mutter, mutter, >> need to add my boss to read/write, my assistant to read/write, my >> technically hopeless other boss to read-only so he doesn't foul up my >> work, my co-workers to read-only, and I have to remember which of them >> are working on the same case...). >> >> Barring oversights and errors, SELinux generally does what it's supposed >> to do. If I create a file in /var/www/html/ to be served, it >> automatically gets given the right contects to be served, as part of the >> process of *creating* a file at that location. If I copy a file from >> somewhere to there, the same thing happens, the copy is a new creation, >> and gets the appropriate contexts for where it's created. A confusing >> thing happens if you try to move a file, the original file contexts are >> moved along with the file, and they're probably going to be wrong. It's >> logical, but not obvious to the uninitiated. Though it's not too hard >> to find out why, you just problem solve it like any other error that >> takes you by surprise. >> >> It's similar with file permissions. Some people declare it too hard, >> and want to make everything rwxrwxrwx, and hang the consequences. On a >> webserver, that (making everything world-writeable), or letting the >> webserver process own the files (making everything writeable by the >> server, and hence world-writeable), opens you up to all sorts of abuse, >> not just the destruction of that individual file. >> >>> That's what I think of when I read these discussions. If someone is >>> struggling with something like this, they may seem like morons, but it >>> is usually someting *other* than simple supidity or laziness that is >>> the reason. It's because the barrier to doing it is greater than the >>> perceived benefit. >> >> At times, but the tone of the thread indicates that laziness is an >> issue. >> >>> There is a truism that I remember being told about computer security a >>> long, long time ago that usability and technical security are >>> inversely related. At some point, when you increase the technical >>> security enough, you will have made the system unusable to the point >>> that your users will simply start going around it simply to get their >>> work done. >> >> That's true on both counts. Though I tend to feel that SELinux has met >> that balance at around the right place. >> >> While I have some sympathy for people who haven't yet learnt it, as they >> try to do something. My efforts are towards learn it, don't bypass it. >> Just the same as well tell people don't do things as root - that's often >> the root cause, pun intended, of all of these issues. They do one dumb >> thing, then another on top of that, and have several compounded problems >> because they will not follow any advice. >> >> It's usually around this point that I bring up an analogy against people >> trying to do things on computers when they don't really know how, and >> stubbornly resist all efforts to learn: I hope these people never get >> it into their head to half-arsedly learn first aid, and refuse to do >> something important because they don't want to. >> >>> ...[snip flash drive story]... >> >> I can understand that, and it's not a new story, either. The need to do >> it is understandable. The concept of doing it in isolation can be a >> required step. If the drive manages to do something nasty, it only >> affects that one computer, which then gets sterilised before being >> allowed back on the network (if the operator knows that, and doesn't >> just plug it back in, regardless). >> >> We had similar issues with floppy discs. Back when bootblock viruses >> were the common enemy, there was no/inadequate protection against them. >> The only way to stop the spread, was a cold boot in between, and using a >> system that booted from the disc in question. That method was no good >> against an OS that had another disc-based OS running it. >> >>> The combination of security that ignores users and users that ignore >>> security gives you a system that has neither security nor usability. >>> And simply calling users morons will not solve this. >> >> I don't believe I've said that. In this email I've certainly mentioned >> laziness, because the evidence points that way. >> >> As a general rule, on a user-level, SELinux doesn't get even thought >> about, here. It's in the background, and doesn't get in the way. If >> you're running services, then it rightly does become something you need >> to know about managing. >> >> But what particularly gets my goat, it someone who's a programmer >> developing things telling me that SELinux is too hard to deal with. Too >> hard? Compared with what? Writing software?! Jeez, you've got much >> harder work, *there*. And, as far as I'm concerned, programmers being >> hit with the big hammer that says, you have to write data in proper >> locations, you can't just read any file you like on the system, you >> can't just serve out files from any ad-hoc locations, is only a good set >> of conditions to start imposing on so-called programmers. Bring on the >> software that pokes them with a sharp stick for doing things that allows >> them to create buffer-overflow errors. We could save the entire world a >> whole lot of grief if programmers started paying attention to getting >> that one bit of programming right. >> >>> I love KDE, but frankly, it is collapsing under it's own complexity. >> >> I can't say I've ever liked it. It has the Fisher-Price toy look like >> XP had, and a gazillion configuration options that I do not like the >> defaults, and it's always been that way (ever since I saw it, a >> gazillion configuration options). Coming from an Amiga user background, >> I've never agreed with what people said about Gnome looking like >> Windows, no KDE does. Gnome looked far more old Mac-like. >> >> The other thing that peeved me about KDE (and I can see this thread is >> going to open a new can of worms), is the naming of all programs >> starting with a K followed by a name that seems purely random (regarding >> what the program actually did). Not only making it hard to locate >> software appropriate to your task, but confusingly k-naming things like >> kernal-things got k-named (kmod, anyone? - a kernel module, or a KDE >> something). >> >>> Selinux is just another exmple. I used to like linux because it made >>> sense. Now it seems that it's little different than Windows sometimes >>> -- opaque, overly complex, and unfriendly. >> >> I don't think anything compares with the hideousness of Windows. So >> much of it is secret business, and I don't just mean closed-source. >> Resolving some whacko fault involves delving into the registry, adding >> things with sixteen hexadecimal numbers which mean nothing to no-one, >> that are only documented on hacking sites, or incomprehensible gibberish >> on the Microsoft that refers to two versions of Windows ago, warns >> against doing it on your release, yet the Microsoft search engine >> provides it as your solution. >> >> We now return you to your regular programming, from >> alt.computers.help.me.commit.die.quickly >> >> -- >> [tim@localhost ~]$ uname -rsvp >> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 >> >> Boilerplate: All mail to my mailbox is automatically deleted, there is >> no point trying to privately email me, I only get to see the messages >> posted to the mailing list. >> >> Lucky for you I typed this, you'd never be able to read my handwriting. >> >> >> >> -- >> users mailing list >> users@xxxxxxxxxxxxxxxxxxxxxxx >> To unsubscribe or change subscription options: >> https://admin.fedoraproject.org/mailman/listinfo/users >> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct >> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines >> Have a question? Ask away: http://ask.fedoraproject.org > -- > users mailing list > users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe or change subscription options: > https://admin.fedoraproject.org/mailman/listinfo/users > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines > Have a question? Ask away: http://ask.fedoraproject.org -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
