selinux stuff - I just don't get -- "outgoing firewalls are broken"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



"Brian T. Brunner" <brian.t.brunner@xxxxxxxxxxxxxxx> wrote:
> How do we define Ready?  I gave that answer in the text you
> replied to: when it doesn't break things.

How's forever work for you?  ;->

NPTL, ANSI C++, GLibC 2 and many other adoptions Red Hat has
made still break things.  Heck, we're not even looking at
recent things -- from 4K stacks to ACLs.  ;->

> You ask about applications not being SELinux aware.  The
> proper things for SELinux to do in those cases is advise
> the operator that SELinux can't manage this app because it
> isn't SELinux aware, and that whatever security holes that
> application embodies are outside the scope of SELinux.

I think that's what the advisement is.  You can start
disabling some aspects of SELinux -- such as with permissive
mode.

> This is consistent with SELinux being a *service* to the
> operator, not a bully-boss to the operator and the
> authors/maintainers of every package Joe Operator might
> have on his system.

Actually, SELinux _is_ a "bully-boss" to the operator.
It will _always_ be a "bully-boss" to the operator.

> No, it doesn't.

I think _many_ people other than myself have seen _many_
viewpoints on this issue.  Why many people seem to think that
there must be no less than an absolutism on SELinux until it
accomplishes no less than the _impossible_ is beyond me.

> It's about ownership of control.  Is this RedHats' system
> to break if they want to compel me to do things their way?

Yes.  And you have these options..
1.  Learn it and see if it fits
2.  Put it into another mode (e.g., permissive)
3.  Disable it
4.  Look to another distro choice

Red Hat has its reasons, and it's not going to change those
reasons.  Common Criteria is a major driver right now because
of Linux can achive higher CC levels than Windows, while
still running applications (which Windows virtually can_not_
do), then Microsoft will lose federal installations en masse.

> If not, then distributing SELinux with a
> default of 'on' when it breaks running systems is
> distributing a broken software package.

SELinux will _always_ break running systems.
Just like a "deny all outgoing" firewall will too.

> Translate: Everybody is out of step except my boy!
> (and those who happen to be in step with him).

Exactly!  SELinux by default is here to stay if you choose
Red Hat.

> I say Broken, and Disabled for Good.

Then that's your choice.
Red Hat has made their default, but you still have choice.

> The proper things for SELinux to do in cases of
> non-compliant apps is to advise the operator that SELinux
> can't manage this app because it isn't SELinux aware, and
> that whatever security holes that application embodies are
> outside the scope of SELinux.  That's a *service*. 

You seem to fail to understand what SELinux does.  ;->

> Breaking said applications is a broken application.

Then add outgoing firewalls to the same list.
Oh, you just turn an outgoing firewall off?
Well then, that's your solution.  ;->

I don't know if I could make a better analogy.

-- Bryan

P.S.  SELinux is _not_ a service.  It is an _enforcement_ in
the kernel.  There are hundreds of rules.  Applications
either learn to make SELinux considerations, help write
rules, or a combination of both.  SELinux is basically the
biggest change to Linux in a long, long time -- breaking the
30+ year legacy UNIX model.



-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith@xxxxxxxx     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux