Re: selinux??

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Monday 25 Jan 2016 19:06:11 Shawn Bakhtiar wrote:

> LOL!!!

>

> I feel you bruce :)

>

> I think a LOT of people are struggling (and frustrated, rightfully so) with

> SELinux and simply place it in permissive mode. There is nothing wrong with

> doing this. Don't buy into the fear mongering hype. The only think you have

> to fear is fear itself.

> If/when security is a concern (which in your case it doesn't seem to be)

> then SELinux is a powerful tool. You would run it along with Tripwire,

> rkhunter, et al, to validate the security of a server, and by the time it

> becomes so you can look back over the audit trail to see where perms need

> to be added etc...

> If you are just looking to experiment, exposed to the internet or not,

> SELinux is really irrelevant, and in many cases can be cumbersome. I

> personally have had to disable SELinux (permissive mode) many a time to get

> things to work, and I have yet to have a system compromised by doing so.

> Not that this can't happen, but the actual chances of it happening are so

> low, that you ROI is simply not worth it. There really is not some army out

> their hit small ops looking for vulnerabilities in anything that's not a

> standard package.

> So experiment and produce at will with little to fear. A lot of hype is

> built around SELinux in naiveté. Someone who really cares about security

> actually does not rely on SELinux, they monitor their servers intensely,

> and know every process running on them inside and out, review logs often,

> use tripwire, rkhunter, and monitor network activity with Security Onion,

> etc....

> Again, this is not to say that SELinux is not part a good strategy, but it

> is not the holy grail many make it out to be either. It's a small part of

> security that as you mentioned a lot of use common folk can live without,

> and have done so for a long time, with no adverse effects.

>

>

> > On Jan 25, 2016, at 7:29 AM, bruce <badouglas@xxxxxxxxx> wrote:

> >

> > --Gawd...

> >

> > Feels like I'm trying to spit in the wind!!

> >

> > 1st, not trying to set up web servers, but am looking at running tests

> > on linux servers.

> >

> > 2nd, recognize that one should have "secure" systems on the net, but

> > realize I don't have the time/set of skills to "fully" get there...

> >

> > So, if you want to say -- hey, don't have an insecure linux box, it

> > could be hacked and cause us the Internet community probs due to your

> > crap, that's fair.

> >

> > But you need to realize, there are lots of people who are attempting

> > to do as much as they can with limited resources/time. if anyone here

> > wants to contact me offline, we can discuss. Heck, I've been looking

> > for a "sysadmin" type that I can pay, talk with for a bit.

> >

> > If fed/selinux had a "config" file for simple services/ports, great..

> > But when you get to policies, and understanding the nuances of

> > selinux, as far as I can tell, it's a learning curve that has to be

> > dealt with in order to get it right..

> >

> > And to be honest, I know of a number of operations/organizations that

> > have put the "security" sysAdmin stuff off until they could find a

> > sysadmin resource for that function..

> >

> > There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in

> > 4 weeks" courses. that only get to the basics of coding, much less the

> > sysadmin stuff..

> >

> > None of these are going away.. so some guy who pops up a website/app

> > on some aws instance.. has security issues that they might not even

> > realize..

> >

> > Anyway.. thanks guys!

> >

> >

> > On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mailbox@xxxxxxxxxxxx>

> > wrote:

> >

> >> Allegedly, on or about 25 January 2016, bruce sent:

> >>

> >>> I fully get the need for security.. But if I can't get the security

> >>> working as it should, but I still need to build whatever the project

> >>> might be.. the project is going to get created.

> >>>

> >>> If running Selinux in permissive mode is enough, great, so be it.

> >>

> >>

> >> SELinux in permissive mode is *not* secure. You're using the computer

> >> in an insecure mode, and all SELinux is doing is logging the things that

> >> it would have stopped.

> >>

> >>

> >>> But when it comes to policies, for differnt users, applications,

> >>> files,etc.. and the possiblity of screwing something up if you go

> >>> wrong, then you have a bit of an issue there...

> >>

> >>

> >> I run webservers, mailservers, fileservers, DNS servers, DHCP servers.

> >> And I haven't had to turn off SELinux, nor do anything beyond open the

> >> configurator GUI and tick the boxes that said to allow those particular

> >> services (look through its list, find HTTPD server, tick it, find

> >> serving CGI scripts, tick that, etc., that was about the extent of what

> >> I had to do). Seriously, setting that right was a damn sight easier

> >> than configuring any of those servers.

> >>

> >> If you find something is failing because SELinux is stopping it, chances

> >> are that /that/ something is badly written, and needs doing better. Is

> >> it trying to serve files it has no business serving? Is it trying to

> >> execute things that it shouldn't execute but merely read? There's a

> >> plethora of dumb things people try to do with their programs, and

> >> stopping those dumb things is the solution, not allowing them.

> >>

> >> Do you ignore programming error messages, too?

> >>

> >>

> >>> And you can't simpy tell someone, "if you don't know what you're

> >>> doing, don't mess with linux!" Not going to happen..

> >>

> >>

> >> I can say if you don't know what you're doing, don't do it on the

> >> internet. Dumb things on the internet don't just affect you, they

> >> affect other people around you. That's why we have masses of spam on

> >> the internet, and other hacks. Compromised user boxes, compromised ISP

> >> services, abound.

> >>

> >>

> >>> ps. To all who've replied in favor of someone not really implementing

> >>> a fed/centos/linux instance unless secure, I take it you're also

> >>> illing to provide pointers/help if someone asks, yes? (And not just

> >>> saying go look at youtube vides, or read docs!!)

> >>

> >>

> >> Here's a loaded weapon, point it at your own foot, and not in our

> >> direction... No, I wouldn't give someone advice on how to insecurely

> >> run their computer, and neither will plenty of others. You will find,

> >> however, that if you try doing it securely, and run into snags, that

> >> people are willing to help you solve the actual problem properly.

> >>

> >> Webservers and mailservers, in particular, are at least two things that

> >> need to be run with a great deal of care. Hackers go searching for

> >> badly set up ones to do their nefarious deeds. And here you are

> >> advertising that you're going to do so, identifying yourself in the

> >> process.

> >>

> >> --

> >> [tim@localhost ~]$ uname -rsvp

> >> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

> >>

> >> Boilerplate: All mail to my mailbox is automatically deleted, there is

> >> no point trying to privately email me, I only get to see the messages

> >> posted to the mailing list.

> >>

> >> Windows, it's enough to make a grown man cry!

> >>

> >>

> >>

> >> --

> >> users mailing list

> >> users@xxxxxxxxxxxxxxxxxxxxxxx

> >> To unsubscribe or change subscription options:

> >> https://admin.fedoraproject.org/mailman/listinfo/users

> >> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

> >> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

> >> Have a question? Ask away: http://ask.fedoraproject.org

> >

> > --

> > users mailing list

> > users@xxxxxxxxxxxxxxxxxxxxxxx

> > To unsubscribe or change subscription options:

> > https://admin.fedoraproject.org/mailman/listinfo/users

> > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

> > Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

> > Have a question? Ask away: http://ask.fedoraproject.org

>

>

Hi,

Having listened to all this hype by the various advocates of selinux  
I would like to add my 10c (basically - go away and get a job with an AV company!).
I have worked on systems that used Solaris CMW and DEC MLS (which were the original
"secure unix" systems with MAC (Mandatory Access Control) security from the NSA both of which I would rather forget!)
and oh boy! they needed FULL-TIME sysadmins!
The NSA I guess wanted to implement MAC on linux and presumably financed it (somehow - how else would selinux have come about?).
Its the same MAC (using labels) that I would rather forget from CMW/MLS.          
In fact anyone who had to sysadmin one of those had definitely drawn the short straw!

Unix used to live quite happily using DAC security (Discretionary Access Controls), then all the AV companies sprung up
aimed at MS Windows - which heck didn't even have much in the line of DAC!
Now we seem to get all these SYASADMIN wannabes fed on the AV bullshit for UNIX.

Well ok - selinux works behind the scenes (unobtrusively!) eating my cpu cycles and doing I know not what -cos it requires a PHd to
decipher the MAC definitions files - labels (wherever they are).

If you want to develop a new app you now have to consider (painfully) how to get round selinux - what attributes are needed.

As a tiny example of what pisses me off - for years I used syslog now syslog-ng and configured it to output to a spare vtty (tty10)
Now selinux insists on complaining about its access to tty10 and I have to create a local policy file or have an argument with one of you security
obsessed types.
In fact its a good job we have large capacity disks these days - what with the amount of crap selinux logs.

I understand that you are probably more concerned about commercial linux users (the big-time?) - but stop acting like salesmen and
remember the majority of your users - hobbyists and home users.
we can get along with a firewall and DAC thank you - or maybe you want to drive us away!
Selinux is another linux killer like aknonadi & systemd - a kind of takeover by stealth! its ok if I want it but I object to having it forced on me.

 

I expect fire and brimstone!

Andy P

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux