On Monday 25 Jan 2016 19:06:11 Shawn Bakhtiar wrote:
> LOL!!!
> 
> I feel you bruce :)
> 
> I think a LOT of people are struggling (and frustrated, rightfully so) with
> SELinux and simply place it in permissive mode. There is nothing wrong with
> doing this. Don't buy into the fear mongering hype. The only thing you have
> to fear is fear itself.
 
> If/when security is a concern (which in your case it doesn't seem to be)
> then SELinux is a powerful tool. You would run it along with Tripwire,
> rkhunter, et al, to validate the security of a server, and by the time it
> becomes so you can look back over the audit trail to see where perms need
> to be added etc...
 
> If you are just looking to experiment, exposed to the internet or not,
> SELinux is really irrelevant, and in many cases can be cumbersome. I
> personally have had to disable SELinux (permissive mode) many a time to get
> things to work, and I have yet to have a system compromised by doing so.
> Not that this can't happen, but the actual chances of it happening are so
> low, that your ROI is simply not worth it. There really is not some army out
> there hitting small ops looking for vulnerabilities in anything that's not a
> standard package.
 
> So experiment and produce at will with little to fear. A lot of hype is
> built around SELinux in naiveté. Someone who really cares about security
> actually does not rely on SELinux, they monitor their servers intensely,
> and know every process running on them inside and out, review logs often,
> use tripwire, rkhunter, and monitor network activity with Security Onion,
> etc.... 
 
> Again, this is not to say that SELinux is not part of a good strategy, but it
> is not the holy grail many make it out to be either. It's a small part of
> security that, as you mentioned, a lot of us common folk can live without,
> and have done so for a long time, with no adverse effects.
 
> 
> 
> > On Jan 25, 2016, at 7:29 AM, bruce <badoug...@gmail.com> wrote:
> > 
> > --Gawd...
> > 
> > Feels like I'm trying to spit in the wind!!
> > 
> > 1st, not trying to set up web servers, but am looking at running tests
> > on linux servers.
> > 
> > 2nd, recognize that one should have "secure" systems on the net, but
> > realize I don't have the time/set of skills to "fully" get there...
> > 
> > So, if you want to say  -- hey, don't have an insecure linux box, it
> > could be hacked and cause us the Internet community probs due to your
> > crap, that's fair.
> > 
> > But you need to realize, there are lots of people who are attempting
> > to do as much as they can with limited resources/time. if anyone here
> > wants to contact me offline, we can discuss. Heck, I've been looking
> > for a "sysadmin" type that I can pay, talk with for a bit.
> > 
> > If fed/selinux had a "config" file for simple services/ports, great..
> > But when you get to policies, and understanding the nuances of
> > selinux, as far as I can tell, it's a learning curve that has to be
> > dealt with in order to get it right..
> > 
> > And to be honest, I know of a number of operations/organizations that
> > have put the "security" sysAdmin stuff off until they could find a
> > sysadmin resource for that function..
> > 
> > There are lots of "rails/php/nodejs/etc.. " and lots of "be a coder in
> > 4 weeks" courses. that only get to the basics of coding, much less the
> > sysadmin stuff..
> > 
> > None of these are going away.. so some guy who pops up a website/app
> > on some aws instance.. has security issues that they might not even
> > realize..
> > 
> > Anyway.. thanks guys!
> > 
> > 
> > On Mon, Jan 25, 2016 at 9:28 AM, Tim <ignored_mail...@yahoo.com.au>
> > wrote:
> > 
> >> Allegedly, on or about 25 January 2016, bruce sent:
> >> 
> >>> I fully get the need for security.. But if I can't get the security
> >>> working as it should, but I still need to build whatever the project
> >>> might be.. the project is going to get created.
> >>> 
> >>> If running Selinux in permissive mode is enough, great, so be it.
> >> 
> >> 
> >> SELinux in permissive mode is *not* secure.  You're using the computer
> >> in an insecure mode, and all SELinux is doing is logging the things that
> >> it would have stopped.
> >> 
> >> 
> >>> But when it comes to policies, for different users, applications,
> >>> files, etc.. and the possibility of screwing something up if you go
> >>> wrong, then you have a bit of an issue there...
> >> 
> >> 
> >> I run webservers, mailservers, fileservers, DNS servers, DHCP servers.
> >> And I haven't had to turn off SELinux, nor do anything beyond open the
> >> configurator GUI and tick the boxes that said to allow those particular
> >> services (look through its list, find HTTPD server, tick it, find
> >> serving CGI scripts, tick that, etc., that was about the extent of what
> >> I had to do).  Seriously, setting that right was a damn sight easier
> >> than configuring any of those servers.
> >> 
> >> If you find something is failing because SELinux is stopping it, chances
> >> are that /that/ something is badly written, and needs doing better.  Is
> >> it trying to serve files it has no business serving?  Is it trying to
> >> execute things that it shouldn't execute but merely read?  There's a
> >> plethora of dumb things people try to do with their programs, and
> >> stopping those dumb things is the solution, not allowing them.
> >> 
> >> Do you ignore programming error messages, too?
> >> 
> >> 
> >>> And you can't simply tell someone, "if you don't know what you're
> >>> doing, don't mess with linux!" Not going to happen..
> >> 
> >> 
> >> I can say if you don't know what you're doing, don't do it on the
> >> internet.  Dumb things on the internet don't just affect you, they
> >> affect other people around you.  That's why we have masses of spam on
> >> the internet, and other hacks.  Compromised user boxes, compromised ISP
> >> services, abound.
> >> 
> >> 
> >>> ps. To all who've replied in favor of someone not really implementing
> >>> a fed/centos/linux instance unless secure, I take it you're also
> >>> willing to provide pointers/help if someone asks, yes? (And not just
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
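Tim's point in the thread that permissive mode only logs what SELinux would have blocked can be made concrete: every AVC record carries a `permissive=` field, and records with `permissive=1` are exactly the actions that an enforcing system would have denied. The script below is an added example, not something posted by anyone in the thread; the audit lines it parses are constructed samples in the standard AVC format, and the helper names are made up for illustration.

```shell
#!/bin/sh
# Added example: list the AVC denials that SELinux merely logged because the
# box was in permissive mode. Run against real data with
#   summarize_permissive_denials "$(ausearch -m AVC --raw)"
# The sample records below are constructed for this example (not real hosts).
SAMPLE_AUDIT='type=AVC msg=audit(1453716000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.cgi" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1453716001.456:457): avc:  denied  { execute } for  pid=1234 comm="httpd" name="index.cgi" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1453716002.789:458): avc:  denied  { name_connect } for  pid=2222 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Number of AVC records that were logged but not enforced (permissive=1).
# A non-zero count on a "permissive" box is the list of things that would
# break, or be blocked, the moment you switch back to enforcing.
count_permissive_denials() {
    printf '%s\n' "$1" | grep -c 'avc:  denied .*permissive=1'
}

# One line per would-be-blocked action: source domain, target type, object
# class and the permissions requested. This is the data you would feed into
# a decision such as "set a boolean like httpd_enable_cgi" versus "relabel
# the files" versus "the program is doing something it should not".
summarize_permissive_denials() {
    printf '%s\n' "$1" | awk '
        /avc:  denied/ && /permissive=1/ {
            # Permissions sit between "{ " and " }".
            b = index($0, "{ "); e = index($0, " }")
            perms = substr($0, b + 2, e - b - 2)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") src = kv[2]
                if (kv[1] == "tcontext") tgt = kv[2]
                if (kv[1] == "tclass")   cls = kv[2]
            }
            # Keep only the type component (user:role:type:level -> type).
            split(src, sa, ":"); split(tgt, ta, ":")
            print sa[3] " -> " ta[3] " (" cls "): " perms
        }'
}

summarize_permissive_denials "$SAMPLE_AUDIT"
```

On the constructed sample this reports the two httpd reads/executes of a home-directory file and ignores the third record, which SELinux actually enforced (`permissive=0`).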
