04-03-2008, 09:33 AM
Matej Cepl

Fedora (again) forces me to disable SELinux

On Tue, 01 Apr 2008 03:33:06 +0200, Mark scripst:
> doesn't seem to add that much advantage. But i might be wrong..??

Yes, you are ;-). Even a totally screwed-up Apache server, totally in the hands
of a script kiddie via a totally screwed-up PHP release (not that it would
ever happen, just a theoretical example), cannot do more than it is
allowed to do by SELinux -- and that's not that much.

Matej

--
The content of this message is licensed under a Creative Commons
Attribution 3.0 License, Some Rights Reserved.
http://creativecommons.org/licenses/by/3.0/us/

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
04-03-2008, 10:09 AM
Matej Cepl

Fedora (again) forces me to disable SELinux

On Mon, 31 Mar 2008 19:32:16 -0700, darrell pfeifer scripst:
> I didn't realize that turning off selinux meant I was such a bad tester.
> I just thought it meant there were some parts of the system that I was
> unwilling to test. I don't feel cheap or irresponsible.
>
> If testing selinux is such an important part of the testing agreement,
> please publish this information in a written rather than tacit place.

No, turning off SELinux doesn't make you a bad tester, certainly not. But
the point I have is that it is really not that bad -- there ARE many bugs
in the SELinux policy (because it is built against the moving target of a still
changing Fedora), but OTOH dwalsh is really unbelievable -- bugs I filed
with him in the CC list (he prefers to file bugs against the programs which
have problems) and the SELinux keyword are in 80% of cases (or even more)
fixed by the next day. And I have filed many many many bugs for him :-)

Matej

 
04-03-2008, 08:31 PM
"Arthur Pemberton"

Fedora (again) forces me to disable SELinux

Here's what people asking for the removal of SELinux don't seem to understand.


When you remove SELinux, those of us who want to have it essentially
can't have it (yes you can always recompile yourself). When you leave
SELinux in, those of you who don't want it can simply turn it off.

Bad example, but it's like deciding whether or not to put a light bulb
in a room. If there is no light bulb, no one can have light. If there
is one, you can always just switch it off when you don't want light.

 
04-04-2008, 08:57 AM
"Gianluca Sforna"

Fedora (again) forces me to disable SELinux

On Thu, Apr 3, 2008 at 11:33 AM, Matej Cepl <mcepl@redhat.com> wrote:
> On Tue, 01 Apr 2008 03:33:06 +0200, Mark scripst:
>
> > doesn't seem to add that much advantage. But i might be wrong..??
>
> Yes, you are ;-). Even a totally screwed-up Apache server, totally in the hands
> of a script kiddie via a totally screwed-up PHP release (not that it would
> ever happen, just a theoretical example), cannot do more than it is
> allowed to do by SELinux -- and that's not that much.

I think I remember a recent case for SELinux lowering the impact of a
_real_ security issue in one package.
I wanted to blog about it but could not find it anymore

 
04-04-2008, 09:13 AM
Rahul Sundaram

Fedora (again) forces me to disable SELinux

Gianluca Sforna wrote:
> On Thu, Apr 3, 2008 at 11:33 AM, Matej Cepl <mcepl@redhat.com> wrote:
>> On Tue, 01 Apr 2008 03:33:06 +0200, Mark scripst:
>>> doesn't seem to add that much advantage. But i might be wrong..??
>>
>> Yes, you are ;-). Even a totally screwed-up Apache server, totally in the hands
>> of a script kiddie via a totally screwed-up PHP release (not that it would
>> ever happen, just a theoretical example), cannot do more than it is
>> allowed to do by SELinux -- and that's not that much.
>
> I think I remember a recent case for SELinux lowering the impact of a
> _real_ security issue in one package.
> I wanted to blog about it but could not find it anymore


There are several. Refer to the mitigation news section in

http://tresys.com/selinux/

Rahul

 
04-04-2008, 05:18 PM
Mark

Fedora (again) forces me to disable SELinux

2008/4/3, Arthur Pemberton <pemboa@gmail.com>:
> Here's what people asking for the removal of SELinux don't seem to understand.
>
>
> When you remove SELinux, those of us who want to have it essentially
> can't have it (yes you can always recompile yourself). When you leave
> SELinux in, those of you who don't want it can simply turn it off.
>
> Bad example, but it's like deciding whether or not to put a light bulb
> in a room. If there is no light bulb, no one can have light. If there
> is one, you can always just switch it off when you don't want light.

To stay with your light bulb:
It might not be the best thing to show down the light bulb like
Mr. Bean does in one of his videos, so having the light bulb BUT turning
it off by default is better for the environment; only turn it on
when you need the light.

And for that, Fedora needs to change the current state of that light
bulb from on to off by default.

 
04-04-2008, 05:24 PM
Rahul Sundaram

Fedora (again) forces me to disable SELinux

Mark wrote:
> 2008/4/3, Arthur Pemberton <pemboa@gmail.com>:
>> Here's what people asking for the removal of SELinux don't seem to understand.
>>
>> When you remove SELinux, those of us who want to have it essentially
>> can't have it (yes you can always recompile yourself). When you leave
>> SELinux in, those of you who don't want it can simply turn it off.
>>
>> Bad example, but it's like deciding whether or not to put a light bulb
>> in a room. If there is no light bulb, no one can have light. If there
>> is one, you can always just switch it off when you don't want light.
>
> To stay with your light bulb:
> It might not be the best thing to show down the light bulb like
> Mr. Bean does in one of his videos, so having the light bulb BUT turning
> it off by default is better for the environment; only turn it on
> when you need the light.


Security is needed and hence different features to help support that need.

http://fedoraproject.org/wiki/Security/Features

Rahul

 
04-04-2008, 09:17 PM
Stewart Adam

Fedora (again) forces me to disable SELinux

On Fri, 2008-04-04 at 19:18 +0200, Mark wrote:
> 2008/4/3, Arthur Pemberton <pemboa@gmail.com>:
>
> To stay with your light bulb:
> It might not be the best thing to show down the light bulb like
> Mr. Bean does in one of his videos, so having the light bulb BUT turning
> it off by default is better for the environment; only turn it on
> when you need the light.
>
> And for that, Fedora needs to change the current state of that light
> bulb from on to off by default.
>
+1

I don't use SELinux and I understand that some people like it and do
need/use it, however keeping it enabled by default causes a whole lot of
problems from the end-user point of view and I think we need the right
tools to fix these things.

I haven't extensively used SELinux in a long time so excuse me if this
already exists, but if we are to keep this enabled by default and want
it to be attractive to users I think we need to spend more time on tools
like setroubleshoot. Two problems I had when I played with SELinux a few
months ago were sharing content in /home via Samba, and /var/www/html via
Apache - both of which are relatively trivial on Mac or Windows.
Apache+Windows less so, but at least it doesn't require the command line.

Setroubleshoot was a great help since I could just copy+paste the
command it gave me and then things worked a little better (until I hit
the next slew of audit errors). Printing out the error messages and
giving an error description + command to fix the error is great (huge
improvement since I last tried SELinux in FC2) but I think we need a
user-oriented tool that simply recognizes: SELinux is blocking Samba.
Click here to allow. <click>. Done.

The idea is actually pretty similar to how Firestarter detects blocked
packets and you can right-click an event and choose allow host, allow
service, block host, block service.

Another idea would be to implement a daemon that reports audit messages
to a central database where we could collect and review the cause. That
way we could pick up the common ones and get them solved or put why it's
being blocked by default into a FAQ. Of course, that daemon doesn't have
to be enabled by default, but it would be very useful among testers
imho.

Stewart

 
04-05-2008, 08:06 AM
Matej Cepl

Fedora (again) forces me to disable SELinux

On Fri, 04 Apr 2008 17:17:43 -0400, Stewart Adam scripst:
> I haven't extensively used SELinux in a long time so excuse me if this
> already exists, but if we are to keep this enabled by default and want
> it to be attractive to users I think we need to spend more time on tools
> like setroubleshoot. Two problems I had when I played with SELinux a few
> months ago were sharing content in /home via Samba, and /var/www/html via
> Apache - both of which are relatively trivial on Mac or Windows.
> Apache+Windows less so, but at least it doesn't require the command line.

OK, so this message sent me into overdrive mode (and sorry if the tone
of my reply shows it). This is really the example message of somebody
who didn't get it, or you had a really bad day when you wrote it (yes, we
all have such days).

So, let me restate the situation if I understand it correctly -- you are
administering a network of computers with a Linux server (you may even be
paid to do it, who knows?) and you are not willing to type into Yahoo!
(or Google, results are almost the same) "samba selinux home". And guess
what is the first hit in the results? And if you take a look at
http://fedoraproject.org/wiki/SELinux/samba you may find out that actually this
is the web representation of the manpage selinux_samba(8) (who would guess such a
name?) which is already present on your box. So, that's the one.

Then we have this program called system-config-selinux (how unusual a name
for a system configuration program in Fedoraland, isn't it? Yes, it is
new in Fedora 8; before that it had a different name). And if you switch to
the "Booleans" table and write "samba" in the search box, what do you see?
"Support SAMBA home directories" and many other samba-related switches (I
am not sure which way your sharing of /home directories goes, so I am not
sure which is the best for you). Hmm, isn't that interesting?

OK, so you don't use Google, IRC (#fedora or #selinux channels on
FreeNode), installed manpages, or the many other methods of getting the
information. So, what's your reaction? "SELinux is too complicated and it
should be switched off by default!" No, sir, if you want to screw up the
security of computers you manage, YOU should switch off the security features
present there, so that YOU are responsible for the consequences.
Otherwise, we would have hordes of people with hijacked and broken-into
boxes screaming here how Fedora is broken, because it doesn't protect
their computer against known security threats.

</mode type="aggressive">

(I haven't understood what's your problem with Apache, so I cannot
comment on that.)

You don't have to know that your other idea (red button "Just allow it!")
is really not a great idea either. On the one hand you have the Internet full
of testimonies of people who hate Windows Vista for torturing them with
dialog boxes "Can I do it? [Yes] [No]". On the other hand, if you are
interested, read this: http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf
-- it is a good read.

Good luck with your administering!

Matěj

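Stewart asks for a tool that digests the flood of audit errors instead of handing the user a "Just allow it!" button, and Matej's reply points at the policy-sanctioned answer for his Samba case (a boolean) rather than at a new allow rule. The script below is an added example written for this page, not code from either poster or from setroubleshoot: it parses AVC denial lines in the audit.log format, counts identical denials, and classifies each into "flip a boolean", "fix a label" or "investigate". The advice table is my own illustration of that triage; the boolean names samba_enable_home_dirs and httpd_enable_homedirs are the ones the Fedora targeted policy ships, the /srv/www docroot in one hint is an assumed example path, and the log lines are constructed, not a real capture.

```python
"""Triage SELinux AVC denials in bulk: count them, then map each to a fix kind.

Added example for this thread (not code from the original posts). The advice
table below is illustrative; which switch is right for a given site is still
the administrator's decision. SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import Counter
from dataclasses import dataclass

# avc:  denied  { read open } for  pid=... comm="httpd" ... scontext=... tcontext=... tclass=file
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*?)\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HOME_TYPES = {"user_home_t", "user_home_dir_t"}


@dataclass(frozen=True)
class Denial:
    comm: str     # process name from comm="..."
    path: str     # path="..." if present, else name="...", else ""
    sdomain: str  # source type, e.g. smbd_t
    ttype: str    # target type, e.g. user_home_t
    tclass: str   # object class, e.g. file, dir, process
    perm: str     # one permission; a { read open } line yields two Denials


def parse_avc(line):
    """Return the Denials on one audit line, or [] if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return []
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    sdomain = m.group("scontext").split(":")[2]  # user:role:TYPE[:level]
    ttype = m.group("tcontext").split(":")[2]
    path = fields.get("path", fields.get("name", ""))
    return [Denial(fields.get("comm", ""), path, sdomain, ttype, m.group("tclass"), p)
            for p in m.group("perms").split()]


def advise(d):
    """Map a denial to ('boolean' | 'relabel' | 'investigate', hint)."""
    if d.sdomain == "smbd_t" and d.ttype in HOME_TYPES:
        # The switch system-config-selinux labels "Support SAMBA home directories".
        return "boolean", "setsebool -P samba_enable_home_dirs on"
    if d.sdomain == "httpd_t" and d.ttype in HOME_TYPES:
        if d.path.startswith("/var/www/"):
            # Content mv'd in from /home keeps its home label: fix the label, not the policy.
            return "relabel", "restorecon -Rv /var/www/html"
        return "boolean", "setsebool -P httpd_enable_homedirs on"
    if d.sdomain == "httpd_t" and d.ttype == "default_t":
        # A docroot outside the paths the policy knows needs a file-context rule.
        # /srv/www is an assumed example docroot, not something the thread mentions.
        return "relabel", "semanage fcontext -a -t httpd_sys_content_t '/srv/www(/.*)?' && restorecon -Rv /srv/www"
    # Anything else is exactly what a "Just allow it!" button would hide.
    return "investigate", "no sanctioned toggle; run audit2why before considering any allow rule"


def triage(log_text):
    """Count identical denials and collect the distinct fixes, grouped by kind."""
    denials = [d for line in log_text.splitlines() for d in parse_avc(line)]
    counts = Counter((d.sdomain, d.ttype, d.tclass, d.perm) for d in denials)
    advice = {}
    for d in denials:
        kind, hint = advise(d)
        advice.setdefault(kind, set()).add(hint)
    return counts, advice


# Constructed sample modelled on the audit.log format; not a real capture.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1207300001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="smbd"
type=AVC msg=audit(1207300001.101:201): avc:  denied  { read } for  pid=2101 comm="smbd" name="notes.txt" dev=sda3 ino=40123 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207300001.102:202): avc:  denied  { getattr } for  pid=2101 comm="smbd" path="/home/mark/notes.txt" dev=sda3 ino=40123 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207300002.303:203): avc:  denied  { read open } for  pid=2240 comm="httpd" path="/var/www/html/index.html" dev=sda3 ino=50001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207300003.404:204): avc:  denied  { search } for  pid=2240 comm="httpd" name="www" dev=sda3 ino=60002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1207300004.505:205): avc:  denied  { execmem } for  pid=2240 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
"""

if __name__ == "__main__":
    counts, advice = triage(SAMPLE_LOG)
    for key, n in counts.most_common():
        print(f"{n:3d}  {key[0]} -> {key[1]} ({key[2]}:{key[3]})")
    for kind, hints in sorted(advice.items()):
        print(f"\n[{kind}]")
        for h in sorted(hints):
            print("  " + h)
```

On a real box the input would come from `ausearch -m avc` or /var/log/audit/log rather than the embedded sample. The point of the three buckets is the one Matej makes: a Samba or Apache denial on home-directory content has a switch the policy already provides, a denial on mislabeled content is fixed with restorecon, and everything else (here, httpd asking for execmem) deserves a look before anyone writes an allow rule.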
 
04-05-2008, 08:52 AM
"gopal das"

Fedora (again) forces me to disable SELinux

I have been using SELinux since Fedora Core 6 and it's working fine. I have installed many packages through yum and that's also fine. Though whenever I install a Fedora or Red Hat based OS, I change SELinux to permissive after the first-time installation.


Cheers
Gopal Das

On Tue, Apr 1, 2008 at 4:50 AM, Mark <markg85@gmail.com> wrote:
> Hey,
>
> I just installed the Fedora 9 Beta release and am doing a full system
> update as we speak.
> While downloading the updates nothing is wrong.. it just downloads and
> that's it. But when installing the updates I get a ton of SELinux
> notices!! and this is just a default Fedora 9 beta followed by a yum
> -y update.
>
> Also another issue that I noticed was when looking at a flash
> animation in firefox.. when I want to play the animation SELinux
> (again) drops in and tells me I can't. (or I need to run a command to
> get it working).
>
> Now I've tried to run SELinux on Fedora 7 and 8 for as long as
> possible just to see how long I can get around it.. I did some
> commands in that time as well but I always end up with disabling
> SELinux.
>
> I have no idea how other users are using Fedora in normal every day
> usage without disabling SELinux.. I agree that a firewall should be in
> Linux but SELinux just doesn't seem mature yet (if it will ever be).
> Perhaps it's time to start considering to turn off SELinux and remove
> it out of the Fedora kernel completely? As long as it's blaming here
> when I install updates or simply browse the web then SELinux gets shut
> down completely!
>
> So.. how are you doing this?
>
>
> Btw.. judging from the SELinux stats here:
> http://smolts.org/static/stats/stats.html it says that nearly 50%
> (48.4%) is turning off SELinux. And my guess is that all Fedora
> servers keep it on making up the other 50%.


