Re: selinux??

On Monday 25 Jan 2016 19:06:11 Shawn Bakhtiar wrote:

> LOL!!!
>
> I feel you bruce :)
>
> I think a LOT of people are struggling (and frustrated, rightfully so) with
> SELinux and simply place it in permissive mode. There is nothing wrong with
> doing this. Don't buy into the fear mongering hype. The only thing you have
> to fear is fear itself.
> If/when security is a concern (which in your case it doesn't seem to be)
> then SELinux is a powerful tool. You would run it along with Tripwire,
> rkhunter, et al, to validate the security of a server, and by the time it
> becomes so you can look back over the audit trail to see where perms need
> to be added etc...
> If you are just looking to experiment, exposed to the internet or not,
> SELinux is really irrelevant, and in many cases can be cumbersome. I
> personally have had to disable SELinux (permissive mode) many a time to get
> things to work, and I have yet to have a system compromised by doing so.
> Not that this can't happen, but the actual chances of it happening are so
> low, that your ROI is simply not worth it. There really is not some army out
> there hitting small ops looking for vulnerabilities in anything that's not a
> standard package.
> So experiment and produce at will with little to fear. A lot of hype is
> built around SELinux in naiveté. Someone who really cares about security
> actually does not rely on SELinux, they monitor their servers intensely,
> and know every process running on them inside and out, review logs often,
> use tripwire, rkhunter, and monitor network activity with Security Onion,
> etc....
> Again, this is not to say that SELinux is not part of a good strategy, but it
> is not the holy grail many make it out to be either. It's a small part of
> security that as you mentioned a lot of us common folk can live without,
> and have done so for a long time, with no adverse effects.
>
>

> > On Jan 25, 2016, at 7:29 AM, bruce <badouglas@xxxxxxxxx> wrote:
> >
> > --Gawd...
> >
> > Feels like I'm trying to spit in the wind!!
> >
> > 1st, not trying to set up web servers, but am looking at running tests
> > on linux servers.
> >
> > 2nd, recognize that one should have "secure" systems on the net, but
> > realize I don't have the time/set of skills to "fully" get there...
> >
> > So, if you want to say -- hey, don't have an insecure linux box, it
> > could be hacked and cause us the Internet community probs due to your
> > crap, that's fair.
> >
> > But you need to realize, there are lots of people who are attempting
> > to do as much as they can with limited resources/time. If anyone here
> > wants to contact me offline, we can discuss. Heck, I've been looking
> > for a "sysadmin" type that I can pay, talk with for a bit.
> >
> > If fed/selinux had a "config" file for simple services/ports, great..
> > But when you get to policies, and understanding the nuances of
> > selinux, as far as I can tell, it's a learning curve that has to be
> > dealt with in order to get it right..
> >
> > And to be honest, I know of a number of operations/organizations that
> > have put the "security" sysAdmin stuff off until they could find a
> > sysadmin resource for that function..
> >
> > There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in
> > 4 weeks" courses that only get to the basics of coding, much less the
> > sysadmin stuff..
> >
> > None of these are going away.. so some guy who pops up a website/app
> > on some aws instance.. has security issues that they might not even
> > realize..
> >
> > Anyway.. thanks guys!
> >
> >

> > On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mailbox@xxxxxxxxxxxx>
> > wrote:
> >
> >> Allegedly, on or about 25 January 2016, bruce sent:
> >>
> >>> I fully get the need for security.. But if I can't get the security
> >>> working as it should, but I still need to build whatever the project
> >>> might be.. the project is going to get created.
> >>>
> >>> If running Selinux in permissive mode is enough, great, so be it.
> >>
> >> SELinux in permissive mode is *not* secure. You're using the computer
> >> in an insecure mode, and all SELinux is doing is logging the things that
> >> it would have stopped.
> >>
> >>> But when it comes to policies, for different users, applications,
> >>> files, etc.. and the possibility of screwing something up if you go
> >>> wrong, then you have a bit of an issue there...
> >>
> >> I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
> >> And I haven't had to turn off SELinux, nor do anything beyond open the
> >> configurator GUI and tick the boxes that said to allow those particular
> >> services (look through its list, find HTTPD server, tick it, find
> >> serving CGI scripts, tick that, etc., that was about the extent of what
> >> I had to do). Seriously, setting that right was a damn sight easier
> >> than configuring any of those servers.
> >>
> >> If you find something is failing because SELinux is stopping it, chances
> >> are that /that/ something is badly written, and needs doing better. Is
> >> it trying to serve files it has no business serving? Is it trying to
> >> execute things that it shouldn't execute but merely read? There's a
> >> plethora of dumb things people try to do with their programs, and
> >> stopping those dumb things is the solution, not allowing them.
> >>
> >> Do you ignore programming error messages, too?
> >>
> >>> And you can't simply tell someone, "if you don't know what you're
> >>> doing, don't mess with linux!" Not going to happen..
> >>
> >> I can say if you don't know what you're doing, don't do it on the
> >> internet. Dumb things on the internet don't just affect you, they
> >> affect other people around you. That's why we have masses of spam on
> >> the internet, and other hacks. Compromised user boxes, compromised ISP
> >> services, abound.
> >>
> >>> ps. To all who've replied in favor of someone not really implementing
> >>> a fed/centos/linux instance unless secure, I take it you're also
> >>> willing to provide pointers/help if someone asks, yes? (And not just
> >>> saying go look at youtube videos, or read docs!!)
> >>
> >> Here's a loaded weapon, point it at your own foot, and not in our
> >> direction... No, I wouldn't give someone advice on how to insecurely
> >> run their computer, and neither will plenty of others. You will find,
> >> however, that if you try doing it securely, and run into snags, that
> >> people are willing to help you solve the actual problem properly.
> >>
> >> Webservers and mailservers, in particular, are at least two things that
> >> need to be run with a great deal of care. Hackers go searching for
> >> badly set up ones to do their nefarious deeds. And here you are
> >> advertising that you're going to do so, identifying yourself in the
> >> process.
> >>
> >> --
> >> [tim@localhost ~]$ uname -rsvp
> >> Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
> >>
> >> Boilerplate: All mail to my mailbox is automatically deleted, there is
> >> no point trying to privately email me, I only get to see the messages
> >> posted to the mailing list.
> >>
> >> Windows, it's enough to make a grown man cry!
> >>


Hi,

Having listened to all this hype by the various advocates of selinux
I would like to add my 10c (basically - go away and get a job with an AV company!).
I have worked on systems that used Solaris CMW and DEC MLS (which were the original "secure unix" systems with MAC (Mandatory Access Control) security from the NSA, both of which I would rather forget!) and oh boy! they needed FULL-TIME sysadmins!
The NSA I would guess wanted to implement MAC on linux and presumably financed it (somehow - how else would selinux have come about?).
It's the same MAC (using labels) that I would rather forget from CMW/MLS.
In fact anyone who had to sysadmin one of those had definitely drawn the short straw!

Unix used to live quite happily using DAC security (Discretionary Access Controls), then all the AV companies sprung up
aimed at MS Windows - which heck didn't even have much in the line of DAC!
Now we seem to get all these SYSADMIN wannabes fed on the AV bullshit for UNIX.

Well ok - selinux works behind the scenes (unobtrusively!) eating my cpu cycles and doing I know not what - cos it requires a PhD to
decipher the MAC definitions files - labels (wherever they are).

If you want to develop a new app you now have to consider (painfully) how to get round selinux - what attributes are needed.

As a tiny example of what pisses me off - for years I used syslog, now syslog-ng, and configured it to output to a spare vtty (tty10).
Now selinux insists on complaining about its access to tty10 and I have to create a local policy file or have an argument with one of you security
obsessed types.
In fact it's a good job we have large capacity disks these days - what with the amount of crap selinux logs.

I understand that you are probably more concerned about commercial linux users (the big-time?) - but stop acting like salesmen and
remember the majority of your users - hobbyists and home users.
We can get along with a firewall and DAC thank you - or maybe you want to drive us away!
Selinux is another linux killer like akonadi & systemd - a kind of takeover by stealth! It's ok if I want it but I object to having it forced on me.

Andy P

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
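Andy's syslog-ng/tty10 complaint and Tim's point that permissive mode only logs what it would have stopped both come down to the same thing: reading the AVC records in the audit log and deciding whether each denial deserves a local policy rule, a boolean, a relabel, or a fix to the program. The script below is an added example, not code from this thread or from any Fedora tool. It is a small stand-in for what audit2allow does, run over constructed AVC lines modelled on the tty10 case (the type names syslogd_t, tty_device_t, httpd_t and mysqld_port_t are assumptions about the targeted policy on the reader's box), and it counts how many of those denials carry permissive=1, i.e. were logged but not enforced.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads SELinux AVC "denied" records
# (what `ausearch -m AVC -ts recent` prints from /var/log/audit/audit.log) and
# emits the allow rules a local policy module would need, the way audit2allow
# does. Use it to read what permissive mode is silently logging.
#
# SAMPLE_AVC is a CONSTRUCTED sample modelled on the syslog-ng -> /dev/tty10
# complaint in the thread, plus one unrelated httpd denial to show the
# boolean caveat at the end. The type names are assumptions about the
# targeted policy; check your own box with `ls -Z /dev/tty10` and `ps -eZ`.
SAMPLE_AVC='type=AVC msg=audit(1453746371.123:456): avc:  denied  { write } for  pid=1234 comm="syslog-ng" path="/dev/tty10" dev="devtmpfs" ino=4567 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1453746371.124:457): avc:  denied  { open } for  pid=1234 comm="syslog-ng" path="/dev/tty10" dev="devtmpfs" ino=4567 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1453746380.000:458): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1'

# avc_to_allow: stdin = audit records; stdout = one "allow" rule per
# (source type, target type, object class), permissions merged in order seen.
avc_to_allow() {
    awk '
    /type=AVC/ && /denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # drop everything up to "{ "
        sub(/ *[}].*/, "", perms)           # drop " } for ..." and the rest
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src " " tgt ":" cls
        if (!(key in seen)) { seen[key] = ""; keys[++count] = key }
        n = split(perms, p)
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = seen[key] " " p[j]
    }
    END {
        for (k = 1; k <= count; k++) {
            key = keys[k]; perms = seen[key]; sub(/^ /, "", perms)
            printf "allow %s { %s };\n", key, perms
        }
    }'
}

# permissive_count: how many of these denials were logged but NOT enforced
# (permissive=1). In enforcing mode each would have been a refused syscall;
# in permissive mode they are audit noise only, which is the point Tim makes.
permissive_count() {
    grep -c 'permissive=1' || true
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | permissive_count

# On a real box the equivalent with the stock tools is:
#   ausearch -m AVC -ts recent | audit2allow -M local_syslogng
#   semodule -i local_syslogng.pp
#   setenforce 1            # and SELINUX=enforcing in /etc/selinux/config
# Caveat before installing such a module: a rule the distribution already
# gates behind a boolean should be switched on, not duplicated in local policy:
#   sesearch --allow -s httpd_t -t mysqld_port_t -c tcp_socket
#   setsebool -P httpd_can_network_connect_db on
# and a denial caused by a mislabelled file is fixed with restorecon, not policy.
```

The tty10 rule is the kind of thing that genuinely needs a local module, since no shipped boolean covers a syslog daemon writing to a console device; the httpd line is there to show the opposite case, where the right fix is a boolean and a blanket allow would widen the web server's reach more than intended.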