Thanks, Mike.
What I read is that SELinux is still 'beta', and while the need for good security is decades old, we (CentOS/RHEL folks) should not be presumed to be willing beta testers. "Enabled by default" presumes I'm willing.
Brian Brunner brian.t.brunner@gai-tronics.com (610)796-5838
lesmikesell@gmail.com 11/19/05 11:41AM >>>
On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
Maybe I'm wrong, but I think any admin needs to experience having their box cracked. It will produce the humbleness necessary to the trade, because overconfidence is dangerous.
Yes, but when the box gets cracked _because_ they are using the latest new thing their distribution added under the guise of increased security, as happened with ssh a while back, it also produces the attitude that new stuff should soak a long, long while in a distribution like fedora before going onto production boxes. You want to at least wait until the surprises stop - and I take the flurry of reports of broken apps at every update as an indication that they haven't stopped yet.
Your analogy to a weapon was a good one. When the experts tuning the distribution still can't keep it from blowing up in people's faces some of the time, normal people should keep their distance. When the fedora and Centos lists go several months without a mysterious app failure caused by SELinux it will be time to reconsider.
On Mon, 2005-11-21 at 04:38 -0800, Brian T. Brunner wrote:
Thanks, Mike.
What I read is that SELinux is still 'beta', and while the need for good security is decades old, we (CentOS/RHEL folks) should not be presumed to be willing beta testers. "Enabled by default" presumes I'm willing.
Brian Brunner brian.t.brunner@gai-tronics.com (610)796-5838
It is not enabled by default ... unless you mindlessly click through screens without reading them.
By that standard, using LVM2 and erasing every hard drive is the default too ... (Disk Druid - automatically configure file systems)
Or the package selection, or DHCP, or writing the grub to MBR, etc. All these things are for an administrator to decide.
SELinux is usable, if you want to use it ... if you don't want to, great. That is why you get to install CentOS for yourself and I don't install it for you and tell you what you can have :)
I normally don't use SELinux either ... but that is my choice.
But using SELinux is certainly more secure than not using it.
lesmikesell@gmail.com 11/19/05 11:41AM >>>
On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
Maybe I'm wrong, but I think any admin needs to experience having their box cracked. It will produce the humbleness necessary to the trade, because overconfidence is dangerous.
Yes, but when the box gets cracked _because_ they are using the latest new thing their distribution added under the guise of increased security, as happened with ssh a while back, it also produces the attitude that new stuff should soak a long, long while in a distribution like fedora before going onto production boxes. You want to at least wait until the surprises stop - and I take the flurry of reports of broken apps at every update as an indication that they haven't stopped yet.
No, their boxes get cracked mostly because they don't do security updates.
Your analogy to a weapon was a good one. When the experts tuning the distribution still can't keep it from blowing up in people's faces some of the time, normal people should keep their distance. When the fedora and Centos lists go several months without a mysterious app failure caused by SELinux it will be time to reconsider.
That is, of course, your choice.
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
Johnny Hughes wrote:
On Mon, 2005-11-21 at 04:38 -0800, Brian T. Brunner wrote:
Thanks, Mike.
What I read is that SELinux is still 'beta', and while the need for good security is decades old, we (CentOS/RHEL folks) should not be presumed to be willing beta testers. "Enabled by default" presumes I'm willing.
Brian Brunner brian.t.brunner@gai-tronics.com (610)796-5838
It is not enabled by default ... unless you mindlessly click through screens without reading them.
By that standard, using LVM2 and erasing every hard drive is the default too ... (Disk Druid - automatically configure file systems)
Or the package selection, or DHCP, or writing the grub to MBR, etc. All these things are for an administrator to decide.
SELinux is usable, if you want to use it ... if you don't want to, great. That is why you get to install CentOS for yourself and I don't install it for you and tell you what you can have :)
I normally don't use SELinux either ... but that is my choice.
But using SELinux is certainly more secure than not using it.
lesmikesell@gmail.com 11/19/05 11:41AM >>>
On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
Maybe I'm wrong, but I think any admin needs to experience having their box cracked. It will produce the humbleness necessary to the trade, because overconfidence is dangerous.
Yes, but when the box gets cracked _because_ they are using the latest new thing their distribution added under the guise of increased security, as happened with ssh a while back, it also produces the attitude that new stuff should soak a long, long while in a distribution like fedora before going onto production boxes. You want to at least wait until the surprises stop - and I take the flurry of reports of broken apps at every update as an indication that they haven't stopped yet.
No, their boxes get cracked mostly because they don't do security updates.
Your analogy to a weapon was a good one. When the experts tuning the distribution still can't keep it from blowing up in people's faces some of the time, normal people should keep their distance. When the fedora and Centos lists go several months without a mysterious app failure caused by SELinux it will be time to reconsider.
That is, of course, your choice.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, 2005-11-21 at 13:56 +0000, Peter Farrow wrote:
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
---- you are being a bit pedantic here.
Defaults, installation options, etc. are set by upstream provider.
If someone were to simply click-through the install without customization, it would indeed be turned on as would a firewall without holes and no doubt in that event, said unthinking user would benefit from both.
Craig
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
That's the point Brian was making, the essence of the reply to that was "it's not enabled by default because you can turn it off"
Which, as we all know, is a rather absurd statement....which had to be remedied by, yes if you like, a pedantic reply, but a nonetheless valid one...
Craig White wrote:
On Mon, 2005-11-21 at 13:56 +0000, Peter Farrow wrote:
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
you are being a bit pedantic here.
Defaults, installation options, etc. are set by upstream provider.
If someone were to simply click-through the install without customization, it would indeed be turned on as would a firewall without holes and no doubt in that event, said unthinking user would benefit from both.
Craig
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
That's the point Brian was making, the essence of the reply to that was "it's not enabled by default because you can turn it off"
Which, as we all know, is a rather absurd statement....which had to be remedied by, yes if you like, a pedantic reply, but a nonetheless valid one...
I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not.
SELinux would be enabled by default if it were turned on that way.
Also, even if your more liberal definition of "Enabled by default" is used ... what is enabled is the "permissive" mode - SELinux prints warnings instead of enforcing. There is an "Enabling" mode that must be specifically selected.
So, why is no one complaining that LVM2 is enabled by default ... or that your C: drive is formatted by default?
Because, you are expected to read and take action during an install. That includes whether or not you include a firewall or enable SELinux.
Craig White wrote:
On Mon, 2005-11-21 at 13:56 +0000, Peter Farrow wrote:
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
But ... SELinux (at least in a mode that does anything) is not set to be enabled by default ... it is in permissive and not enabling.
you are being a bit pedantic here.
Defaults, installation options, etc. are set by upstream provider.
If someone were to simply click-through the install without customization, it would indeed be turned on as would a firewall without holes and no doubt in that event, said unthinking user would benefit from both.
true
Please go and look up "default" in the dictionary....
Johnny Hughes wrote:
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
That's the point Brian was making, the essence of the reply to that was "it's not enabled by default because you can turn it off"
Which, as we all know, is a rather absurd statement....which had to be remedied by, yes if you like, a pedantic reply, but a nonetheless valid one...
I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not.
SELinux would be enabled by default if it were turned on that way.
Also, even if your more liberal definition of "Enabled by default" is used ... what is enabled is the "permissive" mode - SELinux prints warnings instead of enforcing. There is an "Enabling" mode that must be specifically selected.
So, why is no one complaining that LVM2 is enabled by default ... or that your C: drive is formatted by default?
Because, you are expected to read and take action during an install. That includes whether or not you include a firewall or enable SELinux.
Craig White wrote:
On Mon, 2005-11-21 at 13:56 +0000, Peter Farrow wrote:
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
But ... SELinux (at least in a mode that does anything) is not set to be enabled by default ... it is in permissive and not enabling.
you are being a bit pedantic here.
Defaults, installation options, etc. are set by upstream provider.
If someone were to simply click-through the install without customization, it would indeed be turned on as would a firewall without holes and no doubt in that event, said unthinking user would benefit from both.
true
On Mon, 2005-11-21 at 14:41 +0000, Peter Farrow wrote:
Please go and look up "default" in the dictionary....
It isn't the word default that I have a problem with ... it is enabled.
Nothing is enabled until you click past it without taking action.
You "Enable" the things that you want.
Now ... I would agree that the "Default" selection is having SELinux in "Permissive Mode" ... and that user action and knowledge is required when deciding what they want to do concerning SELinux.
Johnny Hughes wrote:
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
That's the point Brian was making, the essence of the reply to that was "it's not enabled by default because you can turn it off"
Which, as we all know, is a rather absurd statement....which had to be remedied by, yes if you like, a pedantic reply, but a nonetheless valid one...
I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not.
I still stick to my definition of "Enabled by default". Enabled, in my mind, requires some actions by the person doing the install.
Though, I will agree that SELinux (in "permissive mode" and not "enforcing mode") is the default selection.
SELinux would be enabled by default if it were turned on that way.
Also, even if your more liberal definition of "Enabled by default" is used ... what is enabled is the "permissive" mode - SELinux prints warnings instead of enforcing. There is an "Enabling" mode that must be specifically selected.
So, why is no one complaining that LVM2 is enabled by default ... or that your C: drive is formatted by default?
Because, you are expected to read and take action during an install. That includes whether or not you include a firewall or enable SELinux.
Craig White wrote:
On Mon, 2005-11-21 at 13:56 +0000, Peter Farrow wrote:
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
But ... SELinux (at least in a mode that does anything) is not set to be enabled by default ... it is in permissive and not enabling.
you are being a bit pedantic here.
Defaults, installation options, etc. are set by upstream provider.
If someone were to simply click-through the install without customization, it would indeed be turned on as would a firewall without holes and no doubt in that event, said unthinking user would benefit from both.
true
Johnny Hughes wrote:
On Mon, 2005-11-21 at 14:41 +0000, Peter Farrow wrote:
Please go and look up "default" in the dictionary....
It isn't the word default that I have a problem with ... it is enabled.
Nothing is enabled until you click past it without taking action.
You "Enable" the things that you want.
Now ... I would agree that the "Default" selection is having SELinux in "Permissive Mode" ... and that user action and knowledge is required when deciding what they want to do concerning SELinux.
If you are doing a Server Install, on 4.2, "Enabled" is highlighted (by default ;) ). One has to select permissive (warn only) or off to keep it from being enabled (unless warn and permissive are different?). Just did this Saturday. It does seem that it was not this way during some other install process, way back in some other time... long, long ago (as if this has been around that long).
It was about that same time that I started figuring out suexec. That made some radical changes to many of our users' setups (yes, one could argue they 'needed to be fixed'). Doing an install is a bit of an arduous task. I haven't liked the direction RedHat has taken in recent years and actually preferred the select each package method from back in the 7.2 days. It seems that the 'list' shown now is nowhere near complete. But, I'll trade these issues for the RPM system and the great updating procedures. Things like selinux do get in the way... another stall to go figure out. And with something as raw as selinux, I'm not all that happy that it is the default selected item on the way in. The attitude of if you don't know, Redhat knows best just doesn't seem to fit here.
Anyway, I guess this all is a moot point. CentOS is supposed to 'follow the upstream provider as closely as possible' right down to Anaconda.... This 'default' thread really belongs on 'de fault' Redhat list. Then again, most of us can't complain there because we don't pay them anything.
I am however glad that the selinux issues have been posted, as it helped me decide that my stuff isn't ready for it. I have been enabling it under warn mode, just so I can see/learn what issues it feels are potential security holes.
Best, John Hinton
Johnny Hughes wrote:
On Mon, 2005-11-21 at 14:41 +0000, Peter Farrow wrote:
Please go and look up "default" in the dictionary....
It isn't the word default that I have a problem with ... it is enabled.
Nothing is enabled until you click past it without taking action.
You "Enable" the things that you want.
No. If someone clicks through the install, it's enabled and locked/loaded. Now you may say "who the hell does an install and doesn't actively choose each and every option?"....well, that would be a lot of people....perhaps even most people. So the end result is that you wind up with quite a few people with "broken" computers (broken meaning the owner can't do what they expected with it) because the default action of the installer is to turn SELinux on. There really isn't any grey area here. As shipped, without user intervention, SELinux is ON. I consider that a bug. The end user should have to explicitly ask to turn SELinux on.
Now ... I would agree that the "Default" selection is having SELinux in "Permissive Mode" ... and that user action and knowledge is required when deciding what they want to do concerning SELinux.
I really don't think that's acceptable until SELinux has been around the track a bit longer.
Best regards,
Additionally,
EVERY install I have done (and that's quite few) has it in Enforcing mode by default unless you turn it off.... Not permissive, not disabled, but indeed without a shadow of doubt, in "enforcing".
Don't cloud the issue with a fuzzy definition of what [you think] default means, it doesn't do the discussion justice.
"Default" has a fixed definition in the English language, and I have already covered that.
And that really is the end of this thread I believe...
Johnny Hughes wrote:
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
That's the point Brian was making, the essence of the reply to that was "it's not enabled by default because you can turn it off"
Which, as we all know, is a rather absurd statement....which had to be remedied by, yes if you like, a pedantic reply, but a nonetheless valid one...
I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not.
SELinux would be enabled by default if it were turned on that way.
Also, even if your more liberal definition of "Enabled by default" is used ... what is enabled is the "permissive" mode - SELinux prints warnings instead of enforcing. There is an "Enabling" mode that must be specifically selected.
So, why is no one complaining that LVM2 is enabled by default ... or that your C: drive is formatted by default?
Because, you are expected to read and take action during an install. That includes whether or not you include a firewall or enable SELinux.
Craig White wrote:
On Mon, 2005-11-21 at 13:56 +0000, Peter Farrow wrote:
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
But ... SELinux (at least in a mode that does anything) is not set to be enabled by default ... it is in permissive and not enabling.
you are being a bit pedantic here.
Defaults, installation options, etc. are set by upstream provider.
If someone were to simply click-through the install without customization, it would indeed be turned on as would a firewall without holes and no doubt in that event, said unthinking user would benefit from both.
true
On Mon, 2005-11-21 at 14:45 +0000, Peter Farrow wrote:
Additionally,
EVERY install I have done (and that's quite few) has it in Enforcing mode by default unless you turn it off.... Not permissive, not disabled, but indeed without a shadow of doubt, in "enforcing".
You may be right about in "Enforcing" mode, I have done more than a thousand CentOS installs, and I thought the default was "Permissive" ... I'll actually have to check and see.
Don't cloud the issue with a fuzzy definition of what [you think] default means, it doesn't do the discussion justice.
"Default" has a fixed definition in the English language, and I have already covered that.
And that really is the end of this thread I believe...
Johnny Hughes wrote:
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
That's the point Brian was making, the essence of the reply to that was "it's not enabled by default because you can turn it off"
Which, as we all know, is a rather absurd statement....which had to be remedied by, yes if you like, a pedantic reply, but a nonetheless valid one...
I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not.
SELinux would be enabled by default if it were turned on that way.
Also, even if your more liberal definition of "Enabled by default" is used ... what is enabled is the "permissive" mode - SELinux prints warnings instead of enforcing. There is an "Enabling" mode that must be specifically selected.
So, why is no one complaining that LVM2 is enabled by default ... or that your C: drive is formatted by default?
Because, you are expected to read and take action during an install. That includes whether or not you include a firewall or enable SELinux.
Craig White wrote:
On Mon, 2005-11-21 at 13:56 +0000, Peter Farrow wrote:
It is not enabled by default ... unless you mindlessly click through
"Default" means, unless you do something to specify otherwise it will be this way,
SElinux IS enabled by default, as doing an install without specifically searching for it and changing it will result in it being enabled.
http://isp.webopedia.com/TERM/D/default.html
screens without reading them.
But ... SELinux (at least in a mode that does anything) is not set to be enabled by default ... it is in permissive and not enabling.
you are being a bit pedantic here.
Defaults, installation options, etc. are set by upstream provider.
If someone were to simply click-through the install without customization, it would indeed be turned on as would a firewall without holes and no doubt in that event, said unthinking user would benefit from both.
true
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
---- not that it's going to change this discussion, but the characterization that SELinux is 'very much beta quality' might be yours, definitely is Brian Brunner's and perhaps some others but certainly isn't the characterization of the upstream provider whose intent is to only include 'stable' services in their Enterprise product.
In that respect, that characterization is out of line with the upstream provider.
My own experiences with many servers running RHEL & CentOS with SELinux set to enforcing mode is that 'audit2allow' lacks a man page. Beyond that, I have seen nothing to suggest that it is not ready for prime time.
The only 'beta quality' I am seeing is sysadmins who simply turn it off because they fear having it enabled since they know absolutely nothing about it which means that there is a lack of informed people capable of answering questions. Thus the beta quality tag probably refers more to the participants of this list than the security services provided from upstream provider.
Craig
furthermore from Hughsjr:
I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not.
ummm, err, that would be "mandatory" then and not "default"
That's another nail in the coffin, tighter in the corner, up to your chin in it now I reckon....
Craig White wrote:
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
The point was, as it's very much beta quality, it should be up to the user to ask for it, not have it dropped on them by default.
not that it's going to change this discussion, but the characterization that SELinux is 'very much beta quality' might be yours, definitely is Brian Brunner's and perhaps some others but certainly isn't the characterization of the upstream provider whose intent is to only include 'stable' services in their Enterprise product.
In that respect, that characterization is out of line with the upstream provider.
My own experiences with many servers running RHEL & CentOS with SELinux set to enforcing mode is that 'audit2allow' lacks a man page. Beyond that, I have seen nothing to suggest that it is not ready for prime time.
The only 'beta quality' I am seeing is sysadmins who simply turn it off because they fear having it enabled since they know absolutely nothing about it which means that there is a lack of informed people capable of answering questions. Thus the beta quality tag probably refers more to the participants of this list than the security services provided from upstream provider.
Craig
Peter Farrow peter@farrows.org wrote:
ummm, err, that would be "mandatory" then and not "default" That's another nail in the coffin, tighter in the corner, up to your chin in it now I reckon....
Not to agree or disagree with Johnny, but I think what he's comparing the alleged "beta-quality" SELinux to is something like a GCC or GLibC change.
I.e., if Red Hat changes the GCC or GLibC of a kernel, you're stuck with it, you can't change it. But SELinux can be put into another mode, or just disabled.
So in comparison, by adding SELinux, regardless of what you think of it, you're not stuck with it. Whereas Red Hat has a long history of early GCC and GLibC adoption, and you _are_ stuck with their decision.
Not trying to agree/disagree, just point out what I think he's comparing it to. Please take it in that view, and not that I'm disagreeing/agreeing with anyone.
On Mon, 2005-11-21 at 07:57 -0800, Bryan J. Smith wrote:
Peter Farrow peter@farrows.org wrote:
ummm, err, that would be "mandatory" then and not "default" That's another nail in the coffin, tighter in the corner, up to your chin in it now I reckon....
Not to agree or disagree with Johnny, but I think what he's comparing the alleged "beta-quality" SELinux to is something like a GCC or GLibC change.
I.e., if Red Hat changes the GCC or GLibC of a kernel, you're stuck with it, you can't change it. But SELinux can be put into another mode, or just disabled.
So in comparison, by adding SELinux, regardless of what you think of it, you're not stuck with it. Whereas Red Hat has a long history of early GCC and GLibC adoption, and you _are_ stuck with their decision.
Not trying to agree/disagree, just point out what I think he's comparing it to. Please take it in that view, and not that I'm disagreeing/agreeing with anyone.
---- actually, he's giving a clinic on how to antagonize one of the CentOS developers...don't intercede...he's doing a really terrific job of it.
I guess that's why this thread includes 'one-upmanship' in the title.
Craig
On Mon, 2005-11-21 at 15:38 +0000, Peter Farrow wrote:
furthermore from Hughsjr:
I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not.
ummm, err, that would be "mandatory" then and not "default"
That's another nail in the coffin, tighter in the corner, up to your chin in it now I reckon....
ok, I'm wrong :)
SELinux, the Firewall, all package selection, auto disk druid formatting, LVM2 and any other check box are all enabled by default.
It's not worth fighting over.
To me, "Enabled by default" means you get it whether you want it or not ... and "Recommended" or "Selected" by default means you can choose, and bear all the responsibility for that choice.
Obviously I am completely ignorant of the nuances of the English language ... heck, my wife tells me I can't communicate all the time :)
I do not agree that SELinux is Beta quality ... nor would RedHat. It does cause issues if not properly configured, as does iptables, or any other package which requires configuring.
I think we can all agree that CentOS follows the upstream provider in this (and almost all) instances.
On Monday 21 November 2005 07:38, Brian T. Brunner wrote:
What I read is that SELinux is still 'beta',
The SELinux kernel module itself is beyond beta. The policies might be beta quality, and the documentation needs work for sure; but, pray tell, what in the typical Linux distribution is NOT beta? Think carefully before you answer, and think about what is meant by beta (since some here enjoy splitting hairs; I'll split them, too, as I have actually taught college-level English (even to the point of teaching that there is no such thing as 'correct' English; there are conventions, styleguides, and the like, but there is no such thing as 'perfect' English; the hardest things for a student to learn are that the dictionary is not an authority on word meaning, and that the basic unit of English meaning is not the word, but the sentence)).
and while the need for good security is decades old, we (CentOS/RHEL folks) should not be presumed to be willing beta testers. "Enabled by default" presumes I'm willing.
Assuming SELinux is beta. But, again, what else are you running that really is beta? Are you using Open SSL (for ssh or sasl or https)? Guess what: OpenSSL is not only beta but has an API that changes within minor releases (and with the facial expressions of its developers... or, at least, that's how it looks). And a crypto bug in SSL would be much worse than any imagined bug in SELinux.
Further, the package that started all this, dbus, is also beta (judging by version number, as that is a standard metric, or at least the most standard of the metrics available).
Run GNOME? The esound system under GNOME is still at a version less than 1.0.
YOUR BOOTLOADER, GRUB, IS BETA (version 0.95). And GRUB has produced the single largest volume of complaints about the upstream distributor's policies, that is, of getting rid of LILO, which was not beta.
The hardware abstraction layer, hal, is beta.
The hotplug interface appears to be a particular CVS snapshot, not even a beta.
Using ipsec-tools? It's beta too.
Using ethereal? The libpcap underneath is beta (again, by the version number of 0.8.3), and security bugs have been found in libpcap of a serious nature.
Humph, libusb is alpha, not even beta (I use this heavily when using my Universal Software Radio Peripheral (USRP), part of the GNUradio project).
The Omni print driver subsystem is beta.
YOUR AUTHENTICATION SUBSYSTEM, PAM, IS BETA (again, judging by the version number)!
The prelink subsystem, which touches every single executable file on the system as root, is BETA.
There are others, but these are important, and could impact security in a big way.
And you're worried about SELinux being beta?
Lamar Owen has pointed out to me that the humour angle on my replies may have been lost in the email process, indeed certainly so by the email Lamar has sent me off list.
So just to get this straight, my emails were never intended to be rude or to put people down; to that end I will extend an apology to you, "Johnny Hughes", if I offended you.
And thanks for your latest comment on SELinux.
Regards
Pete
hello all,
just don't forget that version numbering is not the same kind of animal as in the closed source world. If you want to sell your system you cannot say that version of MyGoodBilling System is 0.76.1. You have to say that's 1.0, or 1.1 or version 2005. Just think about Windows NT. It started with
And again: in the commercial and open source world everything should be considered as "beta". Just like the human body, nature and combinations of those, humans are not the same. They can be "like the other" but not the same. Never. That's why there's a role in information science called System Architect, who knows - or at least is expected to know - which version number with which patchlevel and patches are working together as expected, or knows the bugs and the workarounds for the systems.
And again: Linux and the BSDs are not inferior to Windows systems; Windows applications and Windows have their own kind of problems. Just other problems. I know - or I think I know - that Lamar wanted to say this or similar. That's why you use distros and that's why distros don't contain the latest and greatest versions of software: lots of engineers, developers and architects test it and patch the system to be usable enough.
At last: could we close this thread? Or start an advocacy@centos.org list where everybody can dvert his/her point of view about things....
Bye, Ago
Lamar Owen lowen@pari.edu wrote:
Further, the package that started all this, dbus, is also beta (judging by version number, as that is a standard metric, or at least the most standard of the metrics available).
_Exactly_ my point! If you're worried about SELinux in the kernel, then you should be building your kernel with_out_ a lot of things! ;->
DBus is a rather interesting beast. And it's at the heart of many things Red Hat is planning for FC5+.