confused somewhat. It's my understanding that there is a free version for us out there.
....been goin blind googling.
...need little direction to get started w/vmware and what we are running.
thx
John Rose
On Sun, 2006-09-17 at 11:39 -0500, rado wrote:
Johnny Hughes wrote:
BTW, RHEL5 (and therefore CentOS 5 too) should have Xen as part of the distribution. Theoretically, it should offer better performance (less virtualization overhead). However, to run Windows guests you'd need to have newer Intel or AMD processors with hardware virtualization support.
On Sun, 2006-09-17 at 21:32, Aleksandar Milivojevic wrote:
Has anyone measured the performance loss under vmware to see what the theoretical improvement might be?
On Sun, Sep 17, 2006 at 09:32:19PM -0500, Aleksandar Milivojevic wrote:
Anyone know if AMD Athlon 64 3800+ X2 has it ?
[]s
--
Rodrigo Barbosa
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Mon, 2006-09-18 at 12:41 -0300, Rodrigo Barbosa wrote:
Anyone know if AMD Athlon 64 3800+ X2 has it ?
AFAIK only the new socket AM2 ones do.
Paul
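Rather than guessing from the model number, the box can be asked directly. The following is an added example written for this thread, not code from any poster: it parses the flags line of /proc/cpuinfo for the Intel VT-x (vmx) or AMD-V (svm) bit that Xen needs for fully virtualized (HVM) guests such as Windows. The cpuinfo texts embedded in it are constructed samples, not captures from real hosts, and the model names in them are illustrative only.

```python
"""Does this CPU advertise hardware virtualization? Added example for this
thread, not from it. Intel VT-x shows in /proc/cpuinfo as the 'vmx' flag,
AMD-V (Pacifica, socket AM2 parts) as 'svm'.

Two caveats: the flag says the silicon supports it, not that the BIOS has
enabled it; and under a Xen dom0 kernel the flag may not be shown at all,
so there check `xm info` for an hvm entry in xen_caps instead."""
import os

# Constructed samples in /proc/cpuinfo layout (not captured from real hosts).
SAMPLE_NO_SVM = """\
processor\t: 0
vendor_id\t: AuthenticAMD
model name\t: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt lm 3dnowext 3dnow pni lahf_lm cmp_legacy
processor\t: 1
vendor_id\t: AuthenticAMD
model name\t: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt lm 3dnowext 3dnow pni lahf_lm cmp_legacy
"""

SAMPLE_SVM = """\
processor\t: 0
vendor_id\t: AuthenticAMD
model name\t: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow pni cx16 lahf_lm cmp_legacy svm extapic cr8_legacy
"""

SAMPLE_VMX = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM)2 CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx lm constant_tsc pni monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr lahf_lm
"""


def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per 'processor' block."""
    cpus, cur = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "processor":
            cur = {}
            cpus.append(cur)
        if cur is not None:
            cur[key] = val
    return cpus


def hw_virt_support(text):
    """Return {'vendor', 'flag', 'consistent'}: flag is 'vmx', 'svm' or None
    from the first processor block; consistent says every block agrees (a
    dual-core should, but check rather than assume)."""
    cpus = parse_cpuinfo(text)
    per_cpu = []
    for cpu in cpus:
        flags = set(cpu.get("flags", "").split())
        per_cpu.append("vmx" if "vmx" in flags else "svm" if "svm" in flags else None)
    first = per_cpu[0] if per_cpu else None
    return {
        "vendor": cpus[0].get("vendor_id") if cpus else None,
        "flag": first,
        "consistent": bool(per_cpu) and all(f == first for f in per_cpu),
    }


if __name__ == "__main__":
    # On a real host read the live file; fall back to a sample elsewhere.
    path = "/proc/cpuinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_SVM
    info = hw_virt_support(text)
    print("vendor=%s hw_virt=%s consistent=%s" % (info["vendor"], info["flag"], info["consistent"]))
```

On an AM2 Athlon 64 X2 the function reports svm; on an older socket 939 part it reports None, which is the distinction Paul draws above, now checked on the actual hardware.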
http://pietrovischia.altervista.org/blog/index.php/2006/09/14/selinux-is-shi...
Peter Farrow wrote:
http://pietrovischia.altervista.org/blog/index.php/2006/09/14/selinux-is-shi...
Heh. Thank goodness it's so easy to turn off. :)
Cheers,
yo yo yo my man!!!!
you are truly going to heaven...
:-)
chrism@imntv.com wrote:
Peter Farrow wrote:
http://pietrovischia.altervista.org/blog/index.php/2006/09/14/selinux-is-shi...
Heh. Thank goodness it's so easy to turn off. :)
Cheers,
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
see points for 12 and 13 to substantiate my previous post....
so it's not secure and it's not trusted and it's not going to be B1 and C2 evaluated, and point 16 is a killer,
point 17 is icing on the cake (I think SELinux is about 6 feet under by now),
so bring on the flames, you're gonna have to do really well to justify it now.... (lol)
And all these points are from the authors of SELinux, so save yourself the trouble and disable it...
:-P
Peter Farrow wrote:
http://pietrovischia.altervista.org/blog/index.php/2006/09/14/selinux-is-shi...
oops, forgot the link; if I was using SELinux I could have blamed it for removing it....
http://www.nsa.gov/selinux/info/faq.cfm#I2
Peter Farrow wrote:
oops, forgot the link; if I was using SELinux I could have blamed it for removing it....
Look. The evening is nice. The weather is warm and sunny. Why don't you go out and play a little with yourself on the freeway?
Thanks,
Ralph
Its midnight....
On Mon, 2006-09-18 at 22:48 +0100, Peter Farrow wrote:
hmmm
SELinux is in CentOS-4 and the upcoming CentOS-5 ... Novell has AppArmor (a similar technology).
SELinux is different ... but it is certainly more secure than not running it.
Johnny Hughes wrote:
SELinux is different ... but it is certainly more secure than not running it.
Biggest problem with SELinux is that it is so badly integrated into the toolchain. You have to remember to alter SELinux for every little thing you do; you have to remember the groups and policies you made.
SElinux is just another tool. System security involves the entire system. It is not possible to install some software product and then have everything secure.
Most blame SElinux when the problem is really pebkac. :)
see points for 12 and 13 to substantiate my previous post....
12. So it's not 'trusted', big deal neither is linux. That doesn't mean that it doesn't provide security benefit to the people who want mandatory access controls.
13. Note the nod here to physical security and personnel security. Selinux adds mandatory access control support to linux. This will help prevent some script kiddie from exploiting a hole in php code and using you for a spam proxy. It will not however stop someone from walking up and ripping out the hard drive to get to your files, or protect you from an unguarded shell in the event someone walks off while logged in as root.
so it's not secure and it's not trusted and it's not going to be B1 and C2 evaluated, and point 16 is a killer,
16. It's not the NSA's job to debug the Linux kernel. They did what every other developer does and patched it to support their own code. If you don't like this one, you should probably stop using computers altogether; everyone does this, and it's OS-agnostic. Hell, for some environments you can't even get the source to attempt to debug it.
point 17 is icing on the cake, (I think SElinux is about 6 feet under by now)
17. This one is stale, because the FAQ you're linking to hasn't been updated since around 2003. RHEL 4 is very much authorized, and very much has selinux included, and enabled by default. The second half is mostly accurate, as selinux does not give added 'acceptability' to the OS, though it does add to the overall security metric used to judge system risk.
so bring on the flames, you're gonna have to do really well to justify it now.... (lol)
Please refrain from yelling fire in crowded venues, or starting flamewars on this mailing list.
And all these points are from the authors of SELinux, so save yourself the trouble and disable it...
You're misinterpreting some of this. SELinux is not a silver bullet to secure everything and be easy to use. It has a limited scope, and a limited focus. That's the point the 'authors' were making. Let's also not forget that the 'authors' here are the NSA. They are professionally paranoid, and are amazingly careful and astute when it comes to security. Now quit trying to incite a flamewar.
If selinux helps you, then use it. If it doesn't, then don't. No one is twisting your arm and forcing you at gunpoint to use it.... yet. The beauty of open source is that it's all about choice. Do what you want, so long as you're smart enough to do it.
On Mon, 2006-09-18 at 20:32 -0400, Jim Perrin wrote:
very good, Jim. I believe you laid it all out where this thread should be a done deal. I don't use selinux only because it's one of those "rountoit" thangs.. It seems that if sel* was that bad that RH would never have it in the os pkg. I don't think I am that far out of line by stating that most people that don't run it are probably in the same situation I'm in. I have not studied it yet. And it seems like it's one of those deals that if you want to run it...you damn sure better understand it or you are going to find yourself in lots of trouble.
John Rose
If selinux helps you, then use it. If it doesn't, then don't. No one is twisting your arm and forcing you at gunpoint to use it.... yet. The beauty of open source is that it's all about choice. Do what you want, so long as you're smart enough to do it.
Since SELinux seems to have spawned as an intern-type project and nothing more, what I object to is it being enabled by default.
-- when really it should be an option to enable it, with a warning that it wasn't tested for vulnerabilities, does not add any official security value to Linux and will of course slow the system down. Furthermore it adds a layer of security obfuscation which will in itself lead to administrators making mistakes and inadvertently lowering security as it is such a PITA.
Unices were configurable to be secure by many a competent administrator before this addition of bloat to the OS.
I choose not to use it, but occasionally on some of my RHEL installs I forget to turn it off; if it were off by default I wouldn't need to keep removing it!
What I find most curious is, despite the authors of it claiming nothing of any note about it in terms of security, and in fact in the link I originally posted the authors go quite some way to distance themselves from claiming it adds any actual security, and hasn't been tested for vulnerabilities as such, that some people still swear by it as the gospel truth and the only one true path. Whilst such religious commitment to an unproven cause undoubtedly shows good faith, I would add that such blind practices are best left to sunday school or the church sermon.
P.
On Wed, Sep 20, 2006 at 06:10:43PM +0100, Peter Farrow enlightened us:
If selinux helps you, then use it. If it doesn't, then don't. No one is twisting your arm and forcing you at gunpoint to use it.... yet. The beauty of open source is that it's all about choice. Do what you want, so long as you're smart enough to do it.
Since SELinux seems to have spawned as an intern-type project and nothing more, what I object to is it being enabled by default.
-- when really it should be an option to enable it, with a warning that
Complain to RedHat.
QED.
------------< snip <------< snip <------< snip <------------
Matt
-> Complain to RedHat.
->
-> QED.
->
-> ------------< snip <------< snip <------< snip <------------
->
-> Matt
Or better yet, make or use that after-install script that you will or have created already, that double-checks your work when you are done with a Centos or Redhat install and tells you if all your install criteria and needs have been taken care of, or informs you that you were forgetful, and in regards to what.
Thanks and kind regards!
- rh
-- Robert - Abba Communications Computer & Internet Services (509) 624-7159 - www.abbacomm.net
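Robert's suggestion above is the pragmatic answer to "I forgot to turn it off": check the result instead of trusting memory. What follows is an added example written for this thread, not a script from any poster or from Red Hat. It compares the boot-time setting in /etc/selinux/config with the running mode, because `setenforce 0` and editing the config file are different things: one lasts only until reboot, the other takes effect only at the next boot, and a box can be in either half of that mismatch. The config texts in it are constructed, and the selinuxfs paths it probes are stated as assumptions in the code.

```python
"""Post-install SELinux state check: added example for this thread, not
from it. Reports when the boot config, the running mode and what the admin
intended disagree, instead of silently being 'enforcing until reboot'."""

VALID = ("enforcing", "permissive", "disabled")


def parse_selinux_config(text):
    """Parse /etc/selinux/config: '#' comments, blank lines, KEY=value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        conf[key.strip()] = val.strip()
    return conf


def runtime_mode():
    """Running mode as the kernel reports it. Assumed paths: on CentOS 4/5
    selinuxfs is mounted at /selinux, newer systems use /sys/fs/selinux;
    the 'enforce' file holds '1' (enforcing) or '0' (permissive) and is
    absent when SELinux is disabled."""
    for path in ("/selinux/enforce", "/sys/fs/selinux/enforce"):
        try:
            with open(path) as fh:
                return "enforcing" if fh.read().strip() == "1" else "permissive"
        except OSError:
            continue
    return "disabled"


def check_selinux(config_text, running, want):
    """Return a list of findings; an empty list means the boot config and
    the running state both match what the admin intended ('want')."""
    boot = parse_selinux_config(config_text).get("SELINUX", "").lower()
    running, want = running.lower(), want.lower()
    findings = []
    if boot not in VALID:
        findings.append("SELINUX= is missing or invalid in /etc/selinux/config")
        boot = "unset"
    if boot != want:
        findings.append("next boot will be %s, wanted %s" % (boot, want))
    if running != want:
        findings.append("running %s now, wanted %s" % (running, want))
    if boot != "unset" and boot != running:
        findings.append("drift: running %s but config says %s" % (running, boot))
    return findings


# Constructed config texts (not copied from a host).
CONFIG_ENFORCING = ("# This file controls the state of SELinux on the system.\n"
                    "SELINUX=enforcing\nSELINUXTYPE=targeted\n")
CONFIG_DISABLED = "SELINUX=disabled   # turned off after install\nSELINUXTYPE=targeted\n"


if __name__ == "__main__":
    import sys
    want = sys.argv[1] if len(sys.argv) > 1 else "enforcing"
    try:
        text = open("/etc/selinux/config").read()
    except OSError:
        text = ""
    for finding in check_selinux(text, runtime_mode(), want) or ["ok: %s at boot and now" % want]:
        print(finding)
```

Run it as the last step of a kickstart %post or by hand with the mode you meant to end up in, e.g. `python check_selinux.py disabled` on the boxes Peter wants SELinux off on; it reports "drift" on a box where `setenforce 0` was run but the config still says enforcing.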
Quoting Peter Farrow peter@farrows.org:
Since SELinux seems to have spawned as an intern-type project and nothing more, what I object to is it being enabled by default.
That's how Linux started as well. Maybe you should think about reinstalling Windows on all your servers.
Really, most of your arguments can be applied to every single piece of open source out there. If things you complain about are really that important to you, you should start using commercial closed source operating systems. Unlike Linux, some of them are at least C2 certified. Some even higher. Unlike Linux which started as "intern type project", all of those commercial operating systems started as "make profit type project". I don't see anything wrong with either approach.
Really, most of your arguments can be applied to every single piece of open source out there. If things you complain about are really that important to you, you should start using commercial closed source operating systems. Unlike Linux, some of them are at least C2 certified. Some even higher. Unlike Linux which started as "intern type project", all of those commercial operating systems started as "make profit type project". I don't see anything wrong with either approach.
He should just give up on the PC entirely. I mean seriously, the home computer was started in some dude's garage as a hobby. That's way below 'intern project' in my book.
On Wed, 2006-09-20 at 18:10 +0100, Peter Farrow wrote:
If selinux helps you, then use it. If it doesn't, then don't. No one is twisting your arm and forcing you at gunpoint to use it.... yet. The beauty of open source is that it's all about choice. Do what you want, so long as you're smart enough to do it.
-- when really it should be an option to enable it, with a warning that it wasn't tested for vulnerabilities, does not add any official security value to Linux and will of course slow the system down. Furthermore it adds a layer of security obfuscation which will in itself lead to administrators making mistakes and inadvertently lowering security as it is such a PITA.
---- it is a PITA to those who make little or no effort to understand it. Good
it is but an additional layer of security - nothing more and only less for those who make little or no effort to understand it and disable it. ----
Unices were configurable to be secure by many a competent administrator before this addition of bloat to the OS.
---- unfortunately, not all of us possess your extreme skill set that ensures security so some of us welcome additional layers of security by spending the effort to learn it. ----
I choose not to use it, but occasionally on some of my RHEL installs I forget to turn it off; if it were off by default I wouldn't need to keep removing it!
---- you should contact upstream provider and convince them that you know better ----
What I find most curious is, despite the authors of it claiming nothing of any note about it in terms of security, and in fact in the link I originally posted the authors go quite some way to distance themselves from claiming it adds any actual security,
---- that is your interpretation and I don't agree with your interpretation ----
and hasn't been tested for vulnerabilities as such, that some people still swear by it as the gospel truth and the only one true path. Whilst such religious commitment to an unproven cause undoubtedly shows good faith, I would add that such blind practices are best left to sunday school or the church sermon.
---- you seem to frequently grab a soap box and shout your thoughts here but of course, since CentOS tracks the upstream as closely as possible, as long as upstream is committed to this layer of security, it will be thus on CentOS. Therefore, your commentary is merely pissing in the wind. It is apparent that you enjoy such activity. ----
P.
---- Craig
you seem to frequently grab a soap box and shout your thoughts here but of course,
-- Inaccurate....
that is your interpretation and I don't agree with your interpretation
It was not an interpretation; it was a statement quoted verbatim from the authors of SELinux. You are reading more into SELinux than the persons who created it!
unfortunately, not all of us possess your extreme skill set that ensures security so some of us welcome additional layers of security by spending
the effort to learn it.
Using SELinux in the hope that it will make a poorly set up box secure is another limitation you appear not to have realised. From the authors themselves, "it was not tested for vulnerabilities"; sorry guys, you still have your heads in the sand (or is it somewhere else?)
Therefore, your commentary is merely pissing in the wind. It is apparent that you enjoy such activity.
-- You've missed the point again...
Having set the SELinux debate running again, I'll leave you to discuss it further. I am glad I made you all think about it, but if you still want to waste your time with it that's great for you; I'll wait until it's complete and finalised.
Finally, yes, you're right that Linux was an intern project to start with; it's taken well over ten years to become useful and mature. SELinux is still immature and not [yet] useful...
P.
that is your interpretation and I don't agree with your interpretation
It was not an interpretation; it was a statement quoted verbatim from the authors of SELinux. You are reading more into SELinux than the persons who created it!
It strikes me as a bit odd that you seem to be the only one who sees it this way. Perhaps you need to adjust your views on reality.
Using SELinux in the hope that it will make a poorly set up box secure is another limitation you appear not to have realised. From the authors themselves, "it was not tested for vulnerabilities"; sorry guys, you still have your heads in the sand (or is it somewhere else?)
Is that really called for? So far everyone's been polite here. Please stop trying to incite a flamewar on this mailing list. This statement is blatantly inaccurate, and a misquote. They said that the Linux kernel was not tested for vulnerabilities while they added their code. I'm quite certain that the NSA tests their own code... HEAVILY. Trust me on this one. Again we also have to come back to the fact that this FAQ you reference hasn't been updated since sometime in 2003. You're using stale documentation. Since then this project has been picked up by several major commercial vendors, and is quite thoroughly tested.
Therefore, your commentary is merely pissing in the wind. It is apparent that you enjoy such activity.
-- You've missed the point again...
No, I think he's dead on the money. Your opinions don't matter here one bit, as Centos will continue to reproduce as closely to upstream as possible.
Unless you can provide RH with SUBSTANTIAL sums of money to remove it, selinux is going to stay in RHEL, and by proxy centos. Quit crying, and quit trying to start flamewars.
Having set the SELinux debate running again, I'll leave you to discuss it further, I am glad I made you all think about it,
You haven't 'set the SELinux debate running again', so quit having delusions of adequacy. So far this thread has been you whining about how you don't like selinux, and everyone else pointing out that no one's making you use it, and that your version of reality is disturbingly different from that shared by sane people.
but you still want to waste your time with it thats great for you, I'll wait until its complete and finalised.
If you're waiting for 'complete and finalised' then give up now. NOTHING is ever complete and finalised in the software world, and any 3rd grader knows this. A project that is 'finalised' is dead. There are always new innovations, developments, bugfixes, and improvements. I assume/hope that you mean you're waiting for it to stabilize. As we've stated several times already, feel free. Use it or don't. WE DON'T CARE.
Finally, yes, you're right that Linux was an intern project to start with; it's taken well over ten years to become useful and mature. SELinux is still immature and not [yet] useful...
Quit mixing concepts. Useful and mature are independent of each other. SELinux is immature, but it's quite useful to those who take the time to learn it. Every new technology is this way. Now for the last time, please cease this attempt at stirring up trouble.
Jim Perrin wrote:
SELinux is immature, but it's quite useful to those who take the time to learn it. Every new technology is this way. Now for the last time, please cease this attempt at stirring up trouble.
I usually keep my mouth shut on things like this, mainly because I'm a peon compared to many folks on the list. But after reading this thread I felt the need to speak.
Jim hits this nail completely on the head. Thanks, Jim, for setting the record straight so well on this matter for those of us who aren't as well versed in these things. I turn SELinux off on mostly all internal boxes, and yes it's a pain in the butt to me....BUT that's because I've yet to take the time to learn the technology. That doesn't mean it's a piece of crap or even non-useful, it means that I'm ignorant of how SELinux is supposed to work.
In return, I don't turn around and scream and whine about how useless the technology is, and I especially don't turn around and be rude to people on the list who provide you, me, and everyone else in this forum with absolutely free software, bandwidth, and technical support for CentOS products.
So, from someone who doesn't find SELinux useful in his IT scheme (yet), please turn it off and don't use it if it doesn't suit your needs. Most importantly, stop wasting bandwidth with messages that are rude and unnecessary.
Max
On Wed, 2006-09-20 at 18:10 +0100, Peter Farrow wrote:
<snip>
Since SELinux seems to have spawned as an intern-type project and nothing more, what I object to is it being enabled by default.
FUD #1
It is not an interim project for RH ... it will be supported for 7 years in RHEL4 and also if it stays in RHEL5, for 7 years there as well.
-- when really it should be an option to enable it, with a warning that it wasn't tested for vulnerabilities, does not add any official security value to Linux and will of course slow the system down.
FUD #2
It does add security value to the OS ... you have misquoted the site.
By limiting the access of certain processes to do things outside certain directories, you mitigate the damage caused by almost any exploitable remote root vulnerability ... it does not, however, FIX the vulnerability. So, it does not make your system less likely to be compromised ... it does limit the damage.
Also, the upstream provider does test SELinux ... much like they do for apache, mysql, etc. They will patch and feed back problems to that, just like they do any other package.
Furthermore it adds a layer of security obfuscation which will in itself lead to administrators making mistakes and inadvertently lowering security as it is such a PITA.
FUD #3
It cannot lower anything ... if it is misconfigured, it is not any worse than being off (from a security perspective). All the standard system settings will apply.
Unices were configurable to be secure by many a competent administrator before this addition of bloat to the OS.
I choose not to use it, but occasionally on some of my RHEL installs I forget to turn it off; if it were off by default I wouldn't need to keep removing it!
Well ... do you forget to add your database to a database server or httpd to your web server and have it function properly? Probably not.
What I find most curious is, despite the authors of it claiming nothing of any note about it in terms of security, and in fact in the link I originally posted the authors go quite some way to distance themselves from claiming it adds any actual security, and hasn't been tested for vulnerabilities as such, that some people still swear by it as the gospel truth and the only one true path. Whilst such religious commitment to an unproven cause undoubtedly shows good faith, I would add that such blind practices are best left to sunday school or the church sermon.
You are just flat out wrong in your assertions ... what they are saying is that it is not a magic bullet. It, when used properly in a layered approach, does make your machines more secure. chown and chmod do not add "security" to your server if installed ... however, as tools, when used properly they certainly can make your server operate more securely.
Choose to use selinux or not ... but stop with the FUD please.
Thanks, Johnny Hughes
<snip>
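Johnny's point about limiting damage rather than fixing the hole is what an administrator sees in the audit log when a confined daemon is pushed outside its domain: in enforcing mode the kernel refuses the access and writes an AVC denial record. The POSIX shell script below is an added example, not code from the thread or from the SELinux project; the audit lines it reads are constructed samples in the record format auditd wrote on RHEL/CentOS of that era, and the function names (avc_field, ctx_type, avc_summary, avc_report) are my own. It reduces each denial to the source type, the permission refused and the target, which is the information needed to tell a contained exploit from a mislabelled file.

```shell
#!/bin/sh
# Added example (not from the thread): summarize SELinux AVC denials from an
# audit log so the confined domain, the denied permission and the target are
# visible at a glance. The log lines below are constructed, not real data.

# Constructed audit.log excerpt: two AVC denials against httpd_t and one
# unrelated SYSCALL record that the report must skip.
AVC_SAMPLE='type=AVC msg=audit(1158851234.123:45): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1158851234.123:45): arch=40000003 syscall=5 success=no exit=-13 pid=1234 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1158851240.456:46): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Value of one key=value or key="value" field in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[ (]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Type component (third field) of a context such as user_u:system_r:httpd_t:s0.
ctx_type() {
    rest="${1#*:*:}"
    printf '%s\n' "${rest%%:*}"
}

# One-line summary of an AVC denial record; returns 1 for any other record type.
avc_summary() {
    case "$1" in
        *avc:*denied*) ;;
        *) return 1 ;;
    esac
    # Permission set between the braces, with surrounding blanks trimmed.
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
    comm=$(avc_field "$1" comm)
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    printf '%s (%s) denied { %s } on %s:%s\n' "$comm" "$stype" "$perms" "$ttype" "$tclass"
}

# Report every denial in an audit log file, silently skipping other records.
avc_report() {
    while IFS= read -r line; do
        avc_summary "$line" || :
    done < "$1"
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$AVC_SAMPLE" > "$tmp" && avc_report "$tmp"
rm -f "$tmp"
```

Run against a real /var/log/audit/audit.log the same way (`avc_report /var/log/audit/audit.log | sort | uniq -c`) to see which domains are hitting the policy most often; a burst of denials from one daemon against files it normally owns usually means a labelling problem, while denials against things it has no business touching are the containment Johnny describes.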
On Wednesday 20 September 2006 13:10, Peter Farrow wrote:
Since SElinux seems to have spawned as an intern type project and nothing more, what I object to is it being enabled by default.
NSA doesn't do 'intern type' projects.
Your objections have no relevance to what goes into or does not go into CentOS; that is pretty well already determined, and, if you don't like it, either use something else or grin and bear it.
Lamar Owen wrote:
On Wednesday 20 September 2006 13:10, Peter Farrow wrote:
Since SElinux seems to have spawned as an intern type project and nothing more, what I object to is it being enabled by default.
NSA doesn't do 'intern type' projects.
Your objections have no relevance to what goes into or does not go into CentOS; that is pretty well already determined, and, if you don't like it, either use something else or grin and bear it.
Even though I agree with the sentiment that SElinux should be off by default, I have to say that I also don't find it terribly useful (for anyone) to bitch about it on this list. It is VERY easy to turn off for those that don't want or don't need it. Life's too short....
Cheers,
On Thu, 2006-09-21 at 09:15 -0400, chrism@imntv.com wrote:
Lamar Owen wrote:
On Wednesday 20 September 2006 13:10, Peter Farrow wrote:
Since SElinux seems to have spawned as an intern type project and nothing more, what I object to is it being enabled by default.
NSA doesn't do 'intern type' projects.
Your objections have no relevance to what goes into or does not go into CentOS; that is pretty well already determined, and, if you don't like it, either use something else or grin and bear it.
Even though I agree with the sentiment that SElinux should be off by default, I have to say that I also don't find it terribly useful (for anyone) to bitch about it on this list. It is VERY easy to turn off for those that don't want or don't need it. Life's too short....
Cheers,
That's a start Chris...you know, this has nothing at all to do w/centos at all! It's bs! You have this big of a problem w/selinux, then either take it to selinux or redhat! Not here. What would you expect Centos to do about this? Do you realize what centos is? You should...Is your bottom line intention that you want to see centos veer away from redhat because you are too damn lazy to just disable selinux during an install? This is really absurd. You know, I don't run selinux only because I don't know it yet, but back around the circle, why are we here? Because we like redhat. Why would you run centos if you don't like redhat? You like redhat because they do a lot of things right. Redhat chooses to set the default option to active or whatever it is. They must have their reasons. I bet that outside the team, I perform centos installs more than 99% of this msg. list and every time I set selinux to disable. I guess I should stop, get all pissed off, get the stomach acids pumping because I had to click it to disabled..Wow what a hoot!!! Let the dead rest!
john rose
On Sep 21, 2006, at 9:15 AM, chrism@imntv.com wrote:
Even though I agree with the sentiment that SElinux should be off by default, I have to say that I also don't find it terribly useful (for anyone) to bitch about it on this list. It is VERY easy to turn off for those that don't want or don't need it.
More to the point, this is an excellent argument for automating installs with kickstart rather than doing them by hand. If your ks.cfg has "selinux --disabled", you will never "forget to turn it off". :)
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
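Steve's suggestion of pinning the choice in ks.cfg is also where an auditor looks to learn what mode a whole fleet will boot with. The POSIX shell script below is an added example, not from the thread; the kickstart fragments it writes are constructed, and the function names ks_selinux_mode, ks_audit_dir and running_selinux_mode are mine. It goes one step beyond the thread: a kickstart with no selinux directive at all is reported as enforcing, because that is the installer default the thread is arguing about, and a "selinux" line that has slipped into a %post section is ignored, since only the command section carries kickstart directives.

```shell
#!/bin/sh
# Added example (not from the thread): audit kickstart files for the SELinux
# mode they request. The kickstart directive is
#     selinux --enforcing | --permissive | --disabled
# and anaconda defaults to enforcing when the directive is absent, so the
# audit reports "enforcing" for files that never mention SELinux.

# SELinux mode a kickstart file will produce. Only the command section (the
# lines before the first %packages/%pre/%post section) is consulted, because
# that is the only place anaconda reads directives from.
ks_selinux_mode() {
    mode=$(awk '
        /^%/ { exit }                    # first %section ends the command section
        $1 == "selinux" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^--(enforcing|permissive|disabled)$/) {
                    sub(/^--/, "", $i); print $i; exit
                }
        }' "$1")
    if [ -n "$mode" ]; then printf '%s\n' "$mode"; else printf 'enforcing\n'; fi
}

# Mode of the running system, read from selinuxfs (mounted at /selinux on
# CentOS 4/5 and /sys/fs/selinux on later releases); no selinuxfs means disabled.
running_selinux_mode() {
    for f in /sys/fs/selinux/enforce /selinux/enforce; do
        if [ -r "$f" ]; then
            case "$(cat "$f")" in 1) echo enforcing ;; *) echo permissive ;; esac
            return 0
        fi
    done
    echo disabled
}

# Audit every *.cfg in a directory, printing "file: mode" per kickstart.
ks_audit_dir() {
    for ks in "$1"/*.cfg; do
        [ -f "$ks" ] || continue
        printf '%s: %s\n' "$ks" "$(ks_selinux_mode "$ks")"
    done
}

# Stand-alone demo on constructed kickstart fragments (not real site configs).
d=$(mktemp -d)
printf 'install\nlang en_US.UTF-8\nselinux --disabled\n%%packages\n@base\n' > "$d/lazy.cfg"
printf 'install\nlang en_US.UTF-8\nselinux --permissive\n' > "$d/audit.cfg"
printf 'install\nlang en_US.UTF-8\n%%post\nselinux --disabled\n' > "$d/default.cfg"
ks_audit_dir "$d"
rm -rf "$d"
```

Comparing `ks_selinux_mode` for the kickstart a host was built from against `running_selinux_mode` on that host is a cheap drift check: a box that should be enforcing but reports permissive or disabled has had its mode changed after install.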
On Thu, 2006-09-21 at 09:08 -0400, Lamar Owen wrote:
On Wednesday 20 September 2006 13:10, Peter Farrow wrote:
<snip>
Your objections have no relevance to what goes into or does not go into CentOS; that is pretty well already determined, and, if you don't like it, either use something else or grin and bear it.
I believe he followed your advice, albeit while misunderstanding the difference (in meaning or spelling?) between "bear" and "bare". He certainly did "bare it" here.
At least he joins an illustrious group that preceded him! ;-)
MHO -- Bill
William L. Maltby wrote:
I believe he followed your advice, albeit while misunderstanding the difference (in meaning or spelling?) between "bear" and "bare". He certainly did "bare it" here.
Without wishing to perpetuate the thread, he didn't 'bare it' ;)
Since SElinux seems to have spawned as an intern type project and nothing more, what I object to is it being enabled by default.
IIRC most if not all of the features of SELinux (essentially fine-grained access control systems) were already up and running in the version of UNIX [Domain-IX] used/built by Apollo Computer in
# ### ### ### ## # # # # # # # # # # # # # # ### ### #### # # # # # # # # # # # # ##### # ### ###
and earlier.
Apollo was absorbed by HP a few years later and HP added all their stuff to HP-UX.
Also other OS'es Like VMS and Multics had some of the same capabilities.
SELinux is NOT an intern project. Its features are needed to give Linux a competitive stance in today's much more security aware market.
Most of the ideas in SELinux have been up and running for more than 20 years on various platforms and as much as 30 on some.
I don't use SELinux on many of my servers, but I never forget to turn it off at installation. (not yet anyway :) )
Perhaps the kickstart option that was mentioned is the way for you to go.
BTW, several list members indicated that Linux itself was an intern project.
Well actually that's not true either!
P.
Jeff Kinz wrote:
Since SElinux seems to have spawned as an intern type project and nothing more, what I object to is it being enabled by default.
IIRC most if not all of the features of SELinux (essentially fine-grained access control systems) were already up and running in the version of UNIX [Domain-IX] used/built by Apollo Computer in
# ### ### ### ## # # # # # # # # # # # # # # ### ### #### # # # # # # # # # # # # ##### # ### ### and earlier.
Apollo was absorbed by HP a few years later and HP added all their stuff to HP-UX.
Also other OS'es Like VMS and Multics had some of the same capabilities.
SELinux is NOT an intern project. Its features are needed to give Linux a competitive stance in today's much more security aware market.
Most of the ideas in SELinux have been up and running for more than 20 years on various platforms and as much as 30 on some.
I don't use SELinux on many of my servers, but I never forget to turn it off at installation. (not yet anyway :) )
Perhaps the kickstart option that was mentioned is the way for you to go.
On Sat, 2006-09-23 at 19:05 +0100, Peter Farrow wrote:
BTW, several list members indicated that Linux itself was an intern project.
Well actually that's not true either!
That is hair splitting at its finest ... Linus may not have been an intern ... so it was not necessarily an intern project. He was a college student and wrote the OS as a hobby. Linux started as a hobby OS, nothing more.
Some quotes from Linus's first public post about Linux:
"I'm doing a (free) operating system (just a hobby, won't be big and professional like gnu) for 386(486) AT clones."
AND
"...it probably never will support anything other than AT-harddisks, as that's all I have :-("
http://groups.google.com/group/comp.os.minix/browse_thread/thread/76536d1fb4...
Peter, using your logic, Linux is not worthy to be installed ... I mean, the designer of the kernel says it is just a hobby.
Why on earth would anybody base their Enterprise on that?
I think we can all agree, except for maybe (Paul Allen, Steve Balmer, and Bill Gates) that the Linux kernel (and GNU / Linux OS) is a little more than that now.
Why? Because many people and companies (ie RedHat, Debian, SuSE, etc.) have taken the Linux kernel and produced enterprise level software with it.
Part of that Enterprise level software is a hobby designed kernel ... another part is a former intern project for ACL security called SELinux. How does either of those facts make either the Linux kernel or SELinux any less enterprise ready or make either of them bad?
On Sat, 2006-09-23 at 13:52 -0400, Jeff Kinz wrote:
<snip>
# ### ### ### ## # # # # # # # # # # # # # # ### ### #### # # # # # # # # # # # # ##### # ### ###
<snip>
All *real* *IX systems have a banner command! Where's the "banner" command for CentOS?
-- Bill
William L. Maltby wrote:
All *real* *IX systems have a banner command! Where's the "banner" command for CentOS?
banner is in the kbs-CentOS-Extras repository ...
Cheers,
Ralph
On Sat, 2006-09-23 at 21:39 +0200, Ralph Angenendt wrote:
William L. Maltby wrote:
All *real* *IX systems have a banner command! Where's the "banner" command for CentOS?
banner is in the kbs-CentOS-Extras repository ...
Awright! Thx. I have not enabled the other repos yet... waiting till I have a stable kernel. Might take awhile.
Cheers,
Ralph
<snip>
-- Bill
Jeff Kinz wrote:
Since SElinux seems to have spawned as an intern type project and nothing more, what I object to is it being enabled by default.
IIRC most if not all of the features of SELinux (essentially fine-grained access control systems) were already up and running in the version of UNIX [Domain-IX] used/built by Apollo Computer in
# ### ### ### ## # # # # # # # # # # # # # # ### ### #### # # # # # # # # # # # # ##### # ### ### and earlier.
Apollo was absorbed by HP a few years later and HP added all their stuff to HP-UX.
And also a version of AIX for ES9000 mainframes. On that thing you could completely safely do things like "chown root /usr/bin/vi; chmod 4755 /usr/bin/vi" (or on any other command). Yeah, the process would run as root. But with the privileges of the user that started it ;-)
Peter Farrow wrote:
see points for 12 and 13 to substantiate my previous post....
so it's not secure and it's not trusted and it's not going to be B1 and C2 evaluated, and point 16 is a killer,
point 17 is icing on the cake, (I think SElinux is about 6 feet under by now)
so bring on the flames, you're gonna have to do really well to justify it now.... (lol)
And all these points are from the authors of SELinux, so save yourself the trouble and disable it...
I'm not defending nor attacking SELinux here. I'm kind of indifferent.
However, there's one comment I'm going to make. The "killers" and "icings on the cake" exist only in your head. All that that FAQ is saying is "we made this tool, we gave it to you, end of story". It is not NSA's job to audit Linux kernel for free. Or any other piece of open source code.
On 18/09/06, Peter Farrow peter@farrows.org wrote:
http://pietrovischia.altervista.org/blog/index.php/2006/09/14/selinux-is-shi...
Heh. I really wanted that to be a t-shirt*.
Will
* n.b. I don't think it's shit, just misunderstood. :)
Peter Farrow wrote:
http://pietrovischia.altervista.org/blog/index.php/2006/09/14/selinux-is-shi...
At least he explained his point down to the last damn smallest detail. Really. I do like constructive criticism. And that's about as good and detailed as anyone can get.
Love it. Really. That's just great. I think everyone deploying SELinux is just shivering. Where would we be without people like him. Except further.
Ralph
On Monday 18 September 2006 23:39, Peter Farrow wrote:
http://pietrovischia.altervista.org/blog/index.php/2006/09/14/selinux-is-shit/
_do not_ hijack threads! that is, don't have your MUA include "In-Reply-To: ..." on a new post. People with serious MUAs could end up never seeing your valuable constructive post if they marked the previous thread as read.
/Peter
On 9/17/06, rado rado@rivers-bend.com wrote:
confused somewhat. It's my understanding that there is a free version for us out there.
....been goin blind googling.
...need little direction to get started w/vmware and what we are running.
thx
John Rose
Vmware Server works out of the box for me, and it is free.