How's forever work for you? ;->
Absolutely FINE thank you! When your WizWonder package is housebroken, let me try it if I'm interested.
Until then, a (stubbornly) broken distro will persuade me to try something else. That's why I left Windows, I guess, if you prognosticate correctly, it will be why I leave RedHat/CentOS.
btw this has nothing to do with Firewalls at all. I bought a firewall (router) and use it.
If I had to upgrade firewall firmware versions, and the new versions broke running applications, I'd consider the new firewall firmware BROKEN.
As is, I don't mind SELinux, because I can disable it at installation time.
I will continue to do so until it is no longer broken.
Brian Brunner brian.t.brunner@gai-tronics.com (610)796-5838
thebs413@earthlink.net 11/14/05 11:24AM >>>
"Brian T. Brunner" brian.t.brunner@gai-tronics.com wrote:
How do we define Ready? I gave that answer in the text you replied to: when it doesn't break things.
How's forever work for you? ;->
NPTL, ANSI C++, GLibC 2 and many other adoptions Red Hat has made still break things. Heck, we're not even looking at recent things -- from 4K stacks to ACLs. ;->
You ask about applications not being SELinux aware. The proper thing for SELinux to do in those cases is to advise the operator that SELinux can't manage this app because it isn't SELinux aware, and that whatever security holes that application embodies are outside the scope of SELinux.
I think that's what the advisement is. You can start disabling some aspects of SELinux -- such as with permissive mode.
This is consistent with SELinux being a *service* to the operator, not a bully-boss to the operator and the authors/maintainers of every package Joe Operator might have on his system.
Actually, SELinux _is_ a "bully-boss" to the operator. It will _always_ be a "bully-boss" to the operator.
No, it doesn't.
I think _many_ people other than myself have seen _many_ viewpoints on this issue. Why many people seem to think that there must be no less than an absolutism on SELinux until it accomplishes no less than the _impossible_ is beyond me.
It's about ownership of control. Is this RedHats' system to break if they want to compel me to do things their way?
Yes. And you have these options:
1. Learn it and see if it fits
2. Put it into another mode (e.g., permissive)
3. Disable it
4. Look to another distro choice
Red Hat has its reasons, and it's not going to change those reasons. Common Criteria is a major driver right now, because if Linux can achieve higher CC levels than Windows, while still running applications (which Windows virtually can_not_ do), then Microsoft will lose federal installations en masse.
If not, then distributing SELinux with a default of 'on' when it breaks running systems is distributing a broken software package.
SELinux will _always_ break running systems. Just like a "deny all outgoing" firewall will too.
Translate: Everybody is out of step except my boy! (and those who happen to be in step with him).
Exactly! SELinux by default is here to stay if you choose Red Hat.
I say Broken, and Disabled for Good.
Then that's your choice. Red Hat has made their default, but you still have choice.
The proper thing for SELinux to do in cases of non-compliant apps is to advise the operator that SELinux can't manage this app because it isn't SELinux aware, and that whatever security holes that application embodies are outside the scope of SELinux. That's a *service*.
You seem to fail to understand what SELinux does. ;->
Breaking said applications is a broken application.
Then add outgoing firewalls to the same list. Oh, you just turn an outgoing firewall off? Well then, that's your solution. ;->
I don't know if I could make a better analogy.
-- Bryan
P.S. SELinux is _not_ a service. It is an _enforcement_ in the kernel. There are hundreds of rules. Applications either learn to make SELinux considerations, help write rules, or a combination of both. SELinux is basically the biggest change to Linux in a long, long time -- breaking the 30+ year legacy UNIX model.
"Brian T. Brunner" brian.t.brunner@gai-tronics.com wrote:
Until then, a (stubbornly) broken distro will persuade me to try something else. That's why I left Windows, I guess, if you prognosticate correctly, it will be why I leave RedHat/CentOS.
Actually, NT has some excellent RBAC/MAC. And it utterly breaks 99.9% of Windows apps.
btw this has nothing to do with Firewalls at all. I bought a firewall (router) and use it.
Once again, you made my point for me!
You're using an "allow all outgoing" firewall. If you reconfigured it as a "deny all outgoing" firewall, like a corporate LAN, DMZ, etc., it would be "broken" in your terms.
That is the most relevant analogy I can think of. Apparently, you didn't understand that analogy at all.
If I had to upgrade firewall firmware versions, and the new versions broke running applications, I'd consider the new firewall firmware BROKEN.
Damn, you just make my point again!
Some SOHO firewalls just allow protocols to open up service ports for compatibility, which basically allows remote systems to open arbitrary ports to your network. The firewalls that turn this off by default, in your terms, are "broken" and wouldn't sell.
Especially if the firewall config was proper -- and would take you through dozens (if not hundreds) of confusing prompts on why you shouldn't enable various protocols. You just want it to "work dammit!" But you don't want to know one thing why you shouldn't enable something -- even though it's a _massive_ hole!
There is the farce out there that protocols are well behaved. Do you know how many protocols allow things to come right into your network? Especially because the firewall doesn't want to be thought of as "broken" so it just allows things in?
SELinux is _not_ an "upgrade." SELinux is a new set of kernel-enforced _policies_.
It's just like going beyond just shutting off problematic clients from getting out -- but changing your _entire_ firewall policy to _deny_ all outgoing traffic by default.
From there, you will allow only select traffic out. And you can be damn sure that a crapload of clients will _not_ work no matter what you do -- because their protocols were piss-poor designed in the first place.
As is, I don't mind SELinux, because I can disable it at installation time.
But don't make broad statements like you are. Your statements go beyond preference, but are technically _false_!
I will continue to do so until it is no longer broken.
Just like deny all outgoing firewalls are _just_as_broken_. Again, you just made my case for me better than anything I could have said.
You don't seem to know why deny all outgoing firewalls exist either. Hence why you don't know why SELinux exists either.
The reality is that with SELinux, we don't trust software _until_ they are explicitly allowed to access things. Modes like "permissive" use the opposite of that logic, and are more compatible.
Just like deny all outgoing firewalls block _all_ outbound traffic, _until_ they are explicitly allowed. And why most people just enable allow all outgoing (including every single SOHO device you'll find at the superstore).
Do you understand now?
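The "permissive logs, enforcing blocks" distinction above is easiest to see on actual audit records. What follows is an added example, not code from this list thread or from Red Hat's or the SELinux project's own tooling: it parses AVC denial records in the audit.log format, separates denials the kernel enforced from ones it only audited, and renders the kind of `allow` statement audit2allow would suggest. The log lines are constructed for the example; the `permissive=` field on AVC records is assumed to be present (it is on current kernels, and may not be on systems of the era this thread discusses), and the rule rendering only mimics audit2allow's output shape.

```python
"""Parse SELinux AVC denials and show what 'enforcing' vs 'permissive' means on data.

Added example (not from the thread or from SELinux/Red Hat tooling). Assumes
the audit(8) AVC record layout and the 'permissive=' field; rule text only
imitates the shape of what audit2allow emits.
"""
import re
from collections import defaultdict

# Constructed sample audit.log records. permissive=0 means the kernel was
# enforcing and the access was refused; permissive=1 means the access went
# through but was still logged. The SYSCALL line shows a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1131990000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda2 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1131990000.456:46): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1131990001.789:47): avc:  denied  { write } for  pid=2345 comm="httpd" name="sess_abc" dev=sda2 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1131990002.000:48): avc:  denied  { read write } for  pid=900 comm="named" name="named.conf" dev=sda2 ino=555 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1131990002.000:48): arch=c000003e syscall=2 success=no exit=-13
"""

# An AVC denial: "... avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A context is user:role:type[:level]; the type is what policy rules use.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': fields.get('pid'),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # Missing field is treated as enforcing, the conservative reading.
        'enforced': fields.get('permissive', '0') == '0',
    }


def summarize(log_text):
    """Group denials by (source type, target type, class) and split them by mode.

    'blocked' holds denials the kernel refused (enforcing); 'audited_only'
    holds denials that were logged but allowed through (permissive).
    """
    rules = defaultdict(set)
    blocked, audited_only = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rules[(rec['source'], rec['target'], rec['tclass'])].update(rec['perms'])
        (blocked if rec['enforced'] else audited_only).append(rec)
    return {'rules': dict(rules), 'blocked': blocked, 'audited_only': audited_only}


def allow_rules(rules):
    """Render one audit2allow-style allow statement per (source, target, class)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perm_text};')
    return out


if __name__ == '__main__':
    summary = summarize(SAMPLE_AUDIT_LOG)
    for rec in summary['blocked']:
        print(f"refused : {rec['comm']} ({rec['source']}) {rec['perms']} on {rec['target']}:{rec['tclass']}")
    for rec in summary['audited_only']:
        print(f"logged  : {rec['comm']} ({rec['source']}) {rec['perms']} on {rec['target']}:{rec['tclass']}")
    print('\n'.join(allow_rules(summary['rules'])))
```

The practitioner's caveat: the rendered `allow` lines are the maximal grant, not the recommended fix. A denial of httpd_t on user_home_t or on mysqld_port_t is normally handled by flipping an existing boolean (httpd_enable_homedirs, httpd_can_network_connect_db) rather than by loading a custom module, and a denial on a generic type such as var_t often means the file is mislabeled and wants restorecon, not a new rule. Generating the rule is the last resort, after those two checks.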
On Mon, 2005-11-14 at 11:41, Bryan J. Smith wrote:
The reality is that with SELinux, we don't trust software _until_ they are explicitly allowed to access things. Modes like "permissive" use the opposite of that logic, and are more compatible.
Just like deny all outgoing firewalls block _all_ outbound traffic, _until_ they are explicitly allowed. And why most people just enable allow all outgoing (including every single SOHO device you'll find at the superstore).
Do you understand now?
I think the point you are both making is that you can't use either of these tools unless you have someone with not much else to do but baby-sit them or you can get along without the services they deny (and that you may not know about yet).
On Mon, 2005-11-14 at 12:28 -0600, Les Mikesell wrote:
On Mon, 2005-11-14 at 11:41, Bryan J. Smith wrote:
The reality is that with SELinux, we don't trust software _until_ they are explicitly allowed to access things. Modes like "permissive" use the opposite of that logic, and are more compatible.
Just like deny all outgoing firewalls block _all_ outbound traffic, _until_ they are explicitly allowed. And why most people just enable allow all outgoing (including every single SOHO device you'll find at the superstore).
Do you understand now?
I think the point you are both making is that you can't use either of these tools unless you have someone with not much else to do but baby-sit them or you can get along without the services they deny (and that you may not know about yet).
---- I would have sworn the point was that these people just love the debate and no one knew enough to answer the question that I originally asked.
Thanks to the fedora-selinux mail list, where answers seem to be more topical than philosophical debate, I got an answer.
Craig
On Mon, 2005-11-14 at 11:35 -0700, Craig White wrote:
I would have sworn the point was that these people just love the debate and no one knew enough to answer the question that I originally asked.
I'm just antagonizing my next UT2004 opponent. ;->
Thanks to the fedora-selinux mail list, where answers seem to be more topical than philosophical debate, I got an answer.
In all honesty, you'll find the Fedora SELinux list to be _far_ more helpful than this list in that regard -- especially since the Fedora userbase is addressing more and more issues every day.
On Mon, 2005-11-14 at 17:41 -0600, Bryan J. Smith wrote:
On Mon, 2005-11-14 at 11:35 -0700, Craig White wrote:
I would have sworn the point was that these people just love the debate and no one knew enough to answer the question that I originally asked.
I'm just antagonizing my next UT2004 opponent. ;->
---- you can't lose if you debate him first, you will wear him out before you even start. ;-) ----
Thanks to the fedora-selinux mail list, where answers seem to be more topical than philosophical debate, I got an answer.
In all honesty, you'll find the Fedora SELinux list to be _far_ more helpful than this list in that regard -- especially since the Fedora userbase is addressing more and more issues every day.
---- I did and they were.
I gather with Bill Nottingham and Stephen Smalley the most active on the list, there isn't likely to be the chest beating debates of the value of SELinux there.
and btw (sorry about html - wanting to keep link from wrapping)... https://www.redhat.com/archives/fedora-selinux-list/2005-November/msg00099.html
;-)
Craig