[CentOS] selinux stuff - I just don't get -- "outgoing firewalls are broken"

Mon Nov 14 17:22:07 UTC 2005
Brian T. Brunner <brian.t.brunner at gai-tronics.com>

> How's forever work for you?  ;->

Absolutely FINE thank you!  
When your WizWonder package is housebroken,
let me try it if I'm interested.

Until then, a (stubbornly) broken distro will persuade me to 
try something else. That's why I left Windows; I guess, if 
you prognosticate correctly, it will be why I leave 
RedHat/CentOS.

btw this has nothing to do with Firewalls at all.  I bought a 
firewall (router) and use it.

If I had to upgrade firewall firmware versions, and the new 
versions broke running applications, I'd consider the new 
firewall firmware BROKEN.

As is, I don't mind SELinux, because I can disable it 
at installation time.

I will continue to do so until it is no longer broken.

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> thebs413 at earthlink.net 11/14/05 11:24AM >>>
"Brian T. Brunner" <brian.t.brunner at gai-tronics.com> wrote:
> How do we define Ready?  I gave that answer in the text you
> replied to: when it doesn't break things.

How's forever work for you?  ;->

NPTL, ANSI C++, GLibC 2 and many other adoptions Red Hat has
made still break things.  Heck, we're not even looking at
recent things -- from 4K stacks to ACLs.  ;->

> You ask about applications not being SELinux aware.  The
> proper things for SELinux to do in those cases is advise
> the operator that SELinux can't manage this app because it
> isn't SELinux aware, and that whatever security holes that
> application embodies are outside the scope of SELinux.

I think that's what the advisement is.  You can start
disabling some aspects of SELinux -- such as with permissive
mode.

> This is consistent with SELinux being a *service* to the
> operator, not a bully-boss to the operator and the
> authors/maintainers of every package Joe Operator might
> have on his system.

Actually, SELinux _is_ a "bully-boss" to the operator.
It will _always_ be a "bully-boss" to the operator.

> No, it doesn't.

I think _many_ people other than myself have seen _many_
viewpoints on this issue.  Why many people seem to think that
there must be no less than an absolutism on SELinux until it
accomplishes no less than the _impossible_ is beyond me.

> It's about ownership of control.  Is this RedHats' system
> to break if they want to compel me to do things their way?

Yes.  And you have these options:
1.  Learn it and see if it fits
2.  Put it into another mode (e.g., permissive)
3.  Disable it
4.  Look to another distro choice

Red Hat has its reasons, and it's not going to change those
reasons.  Common Criteria is a major driver right now because
if Linux can achieve higher CC levels than Windows, while
still running applications (which Windows virtually can_not_
do), then Microsoft will lose federal installations en masse.

> If not, then distributing SELinux with a
> default of 'on' when it breaks running systems is
> distributing a broken software package.

SELinux will _always_ break running systems.
Just like a "deny all outgoing" firewall will too.

> Translate: Everybody is out of step except my boy!
> (and those who happen to be in step with him).

Exactly!  SELinux by default is here to stay if you choose
Red Hat.

> I say Broken, and Disabled for Good.

Then that's your choice.
Red Hat has made their default, but you still have choice.

> The proper things for SELinux to do in cases of
> non-compliant apps is to advise the operator that SELinux
> can't manage this app because it isn't SELinux aware, and
> that whatever security holes that application embodies are
> outside the scope of SELinux.  That's a *service*. 

You seem to fail to understand what SELinux does.  ;->

> Breaking said applications is a broken application.

Then add outgoing firewalls to the same list.
Oh, you just turn an outgoing firewall off?
Well then, that's your solution.  ;->

I don't know if I could make a better analogy.

-- Bryan

P.S.  SELinux is _not_ a service.  It is an _enforcement_ in
the kernel.  There are hundreds of rules.  Applications
either learn to make SELinux considerations, help write
rules, or a combination of both.  SELinux is basically the
biggest change to Linux in a long, long time -- breaking the
30+ year legacy UNIX model.



-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)
_______________________________________________
CentOS mailing list
CentOS at centos.org 
http://lists.centos.org/mailman/listinfo/centos
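As an added illustration (not code from either poster) of what permissive mode gives the operator: SELinux still logs each AVC denial it would have enforced, so an operator can summarise the log per application and see what would break before switching back to enforcing. The audit-log lines below are constructed in the audit.log style of that era, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SELinux AVC denials
# recorded in permissive mode so the operator can see which apps the
# policy would have stopped.  The sample lines are constructed.
AVC_SAMPLE='audit(1131990000.101:12): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=hda2 ino=40173 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
audit(1131990001.202:13): avc:  denied  { write } for  pid=2231 comm="httpd" name="error_log" dev=hda2 ino=40188 scontext=root:system_r:httpd_t tcontext=root:object_r:var_log_t tclass=file
audit(1131990002.303:14): avc:  denied  { name_connect } for  pid=2401 comm="perl" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
audit(1131990003.404:15): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=hda2 ino=40173 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file'

# avc_summary: one line per distinct (comm, permission, tclass, target type),
# prefixed by how many times it occurred, most frequent first.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc:[ ]+denied/ {
            perm = ""; comm = ""; tclass = ""; ttype = ""
            # permission set sits between the braces, e.g. "{ read }"
            if (match($0, /\{[^}]*\}/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
                # last field of the target context is its type (e.g. user_home_t)
                if ($i ~ /^tcontext=/) { n = split(substr($i, 10), c, ":"); ttype = c[n] }
            }
            count[comm " " perm " " tclass " " ttype]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# avc_count: number of distinct denial kinds, usable as a go/no-go check
# before setting SELINUX=enforcing.
avc_count() {
    avc_summary "$1" | wc -l | tr -d ' '
}

avc_summary "$AVC_SAMPLE"
```

On a real host the same functions take the output of `grep avc: /var/log/audit/audit.log` in place of the constructed sample.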