Old 08-31-2010, 01:34 PM
Ralf Corsepius
 
SELinux

On 08/31/2010 02:26 PM, Tim wrote:
> On Mon, 2010-08-30 at 22:06 +0100, Alan Cox wrote:
>> As to software which demands you disable security, I always apply
>> common sense and treat it the same way as if a passing tradesman says
>> "can you just leave your door unlocked for the weekend"
>
> Likewise for people vehemently advocating to disable SELinux, I view
> them with a great deal of suspicion. Is it simply they really do not
> like it, or do they have ulterior motives?
Neither. Initially, when trying to use it, they typically notice
something stops working. Then, when trying to make it work, they get
lost in arcane and cryptic tools.

To utilize Alan's ABS analogy: In most cases, the only UI ABS offers to
end-users is an on/off switch, and it "just works". SELinux, however, forces
one to fiddle and dig through 100s of knobs and switches.

In short: there is nothing fundamentally wrong with SELinux, except that
its UIs and GUIs are not end-user-ready and that the Fedora SELinux
policy packages suffer from bugs.

Ralf
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 08-31-2010, 02:00 PM
Paul Cartwright
 
SELinux

On Tue August 31 2010, Ralf Corsepius wrote:
> Neither. Initially, when trying to use it, they typically notice
> something stops working. Then, when trying to make it work, they get
> lost in arcane and cryptic tools.

I can relate to that... As always, with something NEW or unfamiliar... I tried
it also and turned it off in an earlier life.

so, this morning I installed selinux:
# yum install policycoreutils-gui

then ran:
# system-config-selinux
rebooted & did the relabel.

this is my travel laptop running FC13.

right now I have nomachine client running, and it just works, as does
thunderbird...
I might set it up on my Debian Desktop also, since I do have a web server
running there...

--
Paul Cartwright
Registered Linux user # 367800
 
Old 08-31-2010, 02:47 PM
Takehiko Abe
 
SELINUX

>> Likewise for people vehemently advocating to disable SELinux, I view
>> them with a great deal of suspicion. Is it simply they really do not
>> like it, or do they have ulterior motives?
>
> Neither. Initially, when trying to use it, they typically notice
> something stops working. Then, when trying to make it work, they get
> lost in arcane and cryptic tools.

You forgot the crucial point. Namely that SELinux is not necessary
for most.

btw I don't know who is "vehemently advocating to disable
SELinux". Rather it is "I don't need it" or its variations -- all very
smooth and mild like Theodore Tso's comment I quoted in the first
place. I quote one more from the same thread. This one is from Linus:

"I find SELinux to be so irrelevant to my usage that I don't use
it at all"

http://lkml.org/lkml/2007/10/2/353
 
Old 08-31-2010, 03:13 PM
Alan Cox
 
SELINUX

> place. I quote one more from the same thread. This one is from Linus:
>
> "I find SELinux to be so irrelevant to my usage that I don't use
> it at all"
>
> http://lkml.org/lkml/2007/10/2/353

Linus is not exactly famous for his ability to understand security
concepts. I find the fact your argument is produced by google and
cut/paste rather than technical material ... enlightening

But hey, if Linus jumped down a volcano would you follow?

There *are* cases where you want SELinux off - isolated high performance
computing clusters for example where you want the absolute minimal
overhead but they also usually turn off other junk Fedora inflicts on
people by default which is far more pointless - like LVM (unless you are
doing crypted fs stuff)

Alan
 
Old 08-31-2010, 03:14 PM
Takehiko Abe
 
SELINUX

;;; sorry other one goes straight to you

> Linus is not exactly famous for his ability to understand security
> concepts. I find the fact your argument is produced by google and
> cut/paste rather than technical material ... enlightening

Well, please educate me. All I hear from advocates is "more security"
without a concrete example. You mentioned the danger of emails getting
stolen without SELinux. Please give me the scenario, so we can gauge
the risk.

> But hey if Linus jumped down a volcano would you follow ?

Sure I will. Did he?
 
Old 08-31-2010, 03:32 PM
Bruno Wolff III
 
SELinux

On Wed, Sep 01, 2010 at 00:14:09 +0900,
Takehiko Abe <keke@gol.com> wrote:
> ;;; sorry other one goes straight to you
>
> > Linus is not exactly famous for his ability to understand security
> > concepts. I find the fact your argument is produced by google and
> > cut/paste rather than technical material ... enlightening
>
> Well, please educate me. All I hear from advocates is "more security"
> without a concrete example. You mentioned the danger of emails get
> stolen without SELinux. Please give me the scenario. So we can gauge
> the risk.

If you read email you need selinux. If you read email with a client that
fires up plugins to read special content (e.g. html, pdfs, flash) then you
really need selinux.

If you use a web browser to view more than a short list of trusted sites,
you need selinux.

If you run network services accessible from outside the machine then you
need selinux.

If you run binaries from semitrusted groups (this includes most commercial
software) then you need selinux.
 
Old 08-31-2010, 03:43 PM
Ralf Corsepius
 
SELinux

On 08/31/2010 05:32 PM, Bruno Wolff III wrote:
> On Wed, Sep 01, 2010 at 00:14:09 +0900,
> Takehiko Abe <keke@gol.com> wrote:
>> ;;; sorry other one goes straight to you
>>
>> > Linus is not exactly famous for his ability to understand security
>> > concepts. I find the fact your argument is produced by google and
>> > cut/paste rather than technical material ... enlightening
>>
>> Well, please educate me. All I hear from advocates is "more security"
>> without a concrete example. You mentioned the danger of emails get
>> stolen without SELinux. Please give me the scenario. So we can gauge
>> the risk.
>
> If you read email you need selinux. If you read email with a client that
> fires up plugins to read special content (e.g. html, pdfs, flash) then you
> really need selinux.
>
> If you use a web browser to view more than a short list of trusted sites,
> you need selinux.
>
> If you run network services accessible from outside the machine then you
> need selinux.
>
> If you run binaries from semitrusted groups (this includes most commercial
> software) then you need selinux.

You don't _need_ SELinux in any such cases.

SELinux is aiming at catching malfunctioning/misbehaving programs and
_may_ prevent damage in use-cases such as those you list.

However, SELinux also causes malfunctions and prevents applications
from operating properly. Semi-educated tweaking of SELinux may even cause
further damage, up to rendering systems completely unusable.

To me this means: If the defaults work, use it. If they don't, switch it
off; otherwise you might easily shoot yourself in the foot.

Ralf
 
Old 08-31-2010, 04:13 PM
Alan Cox
 
SELinux

> Well, please educate me. All I hear from advocates is "more security"
> without a concrete example. You mentioned the danger of emails get
> stolen without SELinux. Please give me the scenario. So we can gauge
> the risk.

Simple example. Daemons running under selinux can only access the things
they are expected to be accessing. So if I was to crack your httpd and
try and execute a shell SELinux would block it. Standard file permissions
have no notion of who is doing the action and in what context so would
not save you.

The biggest win for a lot of folks is web stuff. If I find a bug in a PHP
script (which for most PHP is pretty much a given) that allows me to
access arbitrary files, it will be a lot less useful under SELinux because
only files labelled as http content can be accessed this way.

If I manage to use a bug to add a new script to your machine via the web
server, I'll not be able to get it to run as a cgi because the web server
isn't allowed to create cgi binaries. Again, that won't happen with just file
permissions.

Alan
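The containment Alan describes above shows up on the defender's side as AVC denials in the audit log: httpd_t refused execute on a shell, refused reads outside the http content labels, refused to write CGI content. The following triage script is an added example, not code from the thread or from Fedora; the audit records it parses are constructed samples shaped like real denials, and the `explain` rules are this example's own heuristics, not SELinux policy.

```python
import re

# Constructed sample audit.log records (not from the thread), shaped like real
# AVC denials: a confined httpd_t process trying to exec a shell, read
# /etc/shadow and write a CGI script, plus one non-AVC record to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1283270000.101:42): avc:  denied  { execute } for  pid=2301 comm="httpd" name="sh" dev=sda1 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1283270001.202:43): avc:  denied  { read } for  pid=2301 comm="httpd" name="shadow" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1283270002.303:44): avc:  denied  { write } for  pid=2301 comm="httpd" name="upload.cgi" dev=sda1 ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1283270002.303:44): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'audit\([\d.]+:(?P<event>\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["sdomain"] = d["scontext"].split(":")[2]  # source domain, e.g. httpd_t
    d["ttype"] = d["tcontext"].split(":")[2]    # target type, e.g. shell_exec_t
    return d

def explain(d):
    """Map a denial to the kind of containment described in the post above (heuristic)."""
    prefix = d["sdomain"][:-len("_t")]          # httpd_t -> httpd
    if "execute" in d["perms"] and not d["ttype"].startswith(prefix):
        return "confined daemon blocked from executing a foreign binary"
    if d["perms"] & {"write", "create", "append"} and d["ttype"].endswith("_exec_t"):
        return "daemon blocked from creating or modifying executable content"
    if not d["ttype"].startswith(prefix):
        return "daemon blocked from touching files not labelled for it"
    return "denial within the daemon's own labels (check policy or labelling)"

def triage(log_text):
    """Parse a chunk of audit.log and return one summary dict per AVC denial."""
    rows = []
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            rows.append({"event": int(d["event"]), "comm": d["comm"],
                         "domain": d["sdomain"], "perms": sorted(d["perms"]),
                         "target": d["ttype"], "why": explain(d)})
    return rows
```

Run `triage(SAMPLE_AUDIT_LOG)` to get three rows, one per denial; on a real box the same function can be fed the AVC lines from /var/log/audit/audit.log.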
 
Old 08-31-2010, 04:17 PM
Alan Cox
 
SELinux

> > If you use a web browser to view more than a short list of trusted sites,
> > you need selinux.
> >
> > If you run network services accessible from outside the machine then you
> > need selinux.
> >
> > If you run binaries from semitrusted groups (this includes most commercial
> > software) then you need selinux.
>
> You don't _need_ SELinux in any such cases.

I wouldn't dare run some of the web plugins without them being very very
constrained by a security tool. I'm not sure I trust some of the image
libraries either although the google audit work seems to be slowly
improving it.

Unfortunately application library security has taken a nasty turn for the
worse because any library exploit in a library also used on the iphone is
now being sat on by jailbreakers rather than reported.


Alan
 
Old 08-31-2010, 04:55 PM
Marko Vojinovic
 
SELinux

On Tuesday, August 31, 2010 15:34:42 James Mckenzie wrote:
> Tim <ignored_mailbox@yahoo.com.au> wrote:
> >On Tue, 2010-08-31 at 00:15 +0000, JB wrote:
> >> Well, if selinux is the best that happened to security since sliced
> >> bread, then why people make these comments ?
> >
> >Because people like to bitch, particularly the ignorant ones.
>
> Maybe because SeLinux is harder than hell to configure, if your favorite
> application is not already configured. This is BY DESIGN to prevent
> 'ordinary' users from mucking around in it.

Yea, sure, can you imagine, one needs to know how to use no less than *two*
commands --- chcon and semanage --- this is waaay beyond the capabilities of
any mortal sysadmin... And reading their dreaded man pages, oh my, I get
scared just thinking about trying to read them...

There is a saying from where I come from --- people are not divided into
competent and incompetent, but into whiners and non-whiners.

Best, :-)
Marko
