[CentOS] SELinux and access across 'similar types'

Sat Jan 7 14:19:42 UTC 2012
John R. Dennison <jrd at gerdesas.com>

On Sat, Jan 07, 2012 at 05:39:15AM -0800, Bennett Haselton wrote:
> 
> What you think people "should" know is a matter of opinion.  However, 
> complaining about what people "should" know, usually doesn't do any 
> good, and that's an empirical fact, not an opinion.

I'm not complaining.  I'm pointing out that anyone who doesn't take
full advantage of every security technology at their disposal, in this
case limited in scope to selinux and selinux only (so please stop going
off on tangents about AV and historical issues), deserves whatever
they get as a result of what boils down to nothing more than simple
laziness.

> Apparently the marketplace favors hosting companies turning SELinux off 
> because the failures it causes are too obscure and it causes too many 
> support headaches.

Well, tough cookies.  This is in no way justification for crappy
security practices.  In fact this is pure nonsense.  Laziness in not
caring to learn the systems you work with is never justification for
anything.  Hosting companies can trivially put together a set of
documentation to point users at; even if that documentation provides
nothing more than a set of links to other, properly-maintained
documentation available on the net, such as that provided by TUV, that
provided by CentOS, that provided by Fedora (which is still applicable in
many instances), etc.  If they did so their customers would have a place
to go to read up on that which you claim to be a "support headache".
Admins, in 2012, have _no excuse_ not to know selinux basics.

People need to start becoming responsible.

Perhaps if the aforementioned boycott were to take place, irresponsible
hosting companies might realize that something needed to change from
looking at their bottom line.

If these companies had any marketing skills worth spit they'd take
advantage of the fact that they provision with selinux enabled and
enforced and spin it in their favor.

I'm truly sick of the "*cry* selinux makes things _hard_ *cry*"
whining from not only users but hosting providers and alleged
"administrators" that are, at the root of it, too lazy to figure out how
to properly use selinux and similar technologies.  I'm not a rocket
scientist and yet _I_ have no issues figuring it out.  If _I_ can do it,
pretty much anyone else can as well.

> A non-changing-human-nature solution might be to 
> notify the user directly when SELinux blocks something.  The GUI 
> apparently already does this via a dialog box when viewing a desktop; 
> perhaps there's a way to do it on the command line too.  (When the user 
> runs something that's blocked by SELinux, just send a message to the 
> terminal saying "SELinux blocked this", or something.  Would be a start.)

setroubleshootd can already do this via email to the configured target
address(es).  Again, a simple matter of reading the available documentation
may have made this clear.

> Nobody else was trimming.  When in Rome :)  (By definition, a 
> quoted-quoted-quoted message can only keep getting longer if nobody else 
> is trimming either.)

I'm close to chalking this up to a form of laziness as well.  Editors
are, after all, _hard_ to use properly :)


							John
-- 
Life is like a game of cards.  The hand that is dealt you represents
determinism; the way you play it is free will.

-- Jawaharlal Nehru
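The exchange above asks for a command-line equivalent of the desktop "SELinux blocked this" notice. The script below is an added example, not code from the original thread or from the setroubleshoot project: it pulls AVC denials out of audit-log records and prints a one-line summary per denial, which is the kind of thing you could run from a login script or a cron job on top of `ausearch -m AVC -ts recent`. The audit lines in `AVC_SAMPLE` are constructed for the example (the pids, inodes and timestamps are made up), and the function names are my own.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit-log records.
# The sample records below are constructed for this example; on a real
# host you would feed the functions with:
#   ausearch -m AVC -ts recent 2>/dev/null | selinux_summarize

AVC_SAMPLE='type=AVC msg=audit(1325945000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1325945000.123:456): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1325945010.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1325945020.789:458): avc:  granted  { setenforce } for  pid=999 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security'

# Keep only AVC records that were actually denied; "granted" audit
# records (e.g. setenforce) and the paired SYSCALL records are dropped.
selinux_denials() {
    grep -E 'avc: +denied'
}

# Reduce each denial to: permission(s), command, source type, target
# type and object class.  Types are the third colon-separated field of
# the security context (user:role:type:level).
selinux_summarize() {
    selinux_denials | awk '
    {
        perm = ""; comm = ""; sctx = ""; tctx = ""; tclass = ""; in_perm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { in_perm = 1; continue }
            if ($i == "}") { in_perm = 0; continue }
            if (in_perm) { perm = perm (perm == "" ? "" : ",") $i }
            else if (sub(/^comm=/, "", $i))     { comm = $i }
            else if (sub(/^scontext=/, "", $i)) { sctx = $i }
            else if (sub(/^tcontext=/, "", $i)) { tctx = $i }
            else if (sub(/^tclass=/, "", $i))   { tclass = $i }
        }
        gsub(/"/, "", comm)
        split(sctx, s, ":"); split(tctx, t, ":")
        printf "SELinux denied %s: %s (%s) on %s, class %s\n",
               perm, comm, s[3], t[3], tclass
    }'
}

# Number of denials on stdin (0 when there are none).
selinux_count() {
    selinux_denials | wc -l | tr -d ' '
}

# Terminal notice in the spirit of the desktop dialog: say nothing when
# there is nothing to say, otherwise print the summaries.
selinux_notify() {
    denials=$(selinux_summarize)
    if [ -n "$denials" ]; then
        echo "SELinux blocked the following (run sealert -l or ausearch -m AVC for details):"
        echo "$denials" | sed 's/^/  /'
    fi
}

# Demonstration on the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | selinux_notify
```

On the sample this reports two denials (the read of a user_home_t file by httpd_t and the bind to an http_cache_port_t port) and ignores the granted setenforce record. The point of the type-level summary is that it maps directly onto the usual fixes: a wrong file label is a `restorecon`/`semanage fcontext` problem, a port is a `semanage port` problem, and only if neither applies do you reach for `audit2allow`.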