[CentOS] selinux stuff - I just don't get -- "outgoing firewalls are broken"

Mon Nov 14 17:41:55 UTC 2005
Bryan J. Smith <thebs413 at earthlink.net>

"Brian T. Brunner" <brian.t.brunner at gai-tronics.com> wrote:
> Until then, a (stubbornly) broken distro will persuade me
> to try something else. That's why I left Windows, I guess,
> if you prognosticate correctly, it will be why I leave 
> RedHat/CentOS.

Actually, NT has some excellent RBAC/MAC.  And it utterly
breaks 99.9% of Windows apps.

> btw this has nothing to do with Firewalls at all.
> I bought a firewall (router) and use it.

Once again, you made my point for me!

You're using an "allow all outgoing" firewall.  If you
reconfigure it for a "deny all outgoing" firewall, like a
corporate LAN, DMZ, etc... it would be "broken" in your terms.

That is the most relevant analogy I can think of.
Apparently, you didn't understand that analogy at all.

> If I had to upgrade firewall firmware versions, and the new
> versions broke running applications, I'd consider the new 
> firewall firmware BROKEN.

Damn, you just make my point again!

Some SOHO firewalls just allow protocols to open up
service ports for compatibility, which basically allows
remote systems to open arbitrary ports to your network.  The
firewalls that turn this off by default, in your terms, are
"broken" and wouldn't sell.

Especially if the firewall config was proper -- and would
take you through dozens (if not hundreds) of confusing
prompts on why you shouldn't enable various protocols.  You
just want it to "work dammit!"  But you don't want to know
one thing why you shouldn't enable something -- even though
it's a _massive_ hole!

There is the farce out there that protocols are well behaved.
 Do you know how many protocols allow things to come right
into your network?  Especially because the firewall doesn't
want to be thought of as "broken" so it just allows things
in?

SELinux is _not_ an "upgrade."
SELinux is a new set of kernel-enforced _policies_.

It's just like going beyond just shutting off problematic
clients from getting out -- but changing your _entire_
firewall policy to _deny_ all outgoing traffic by default. 
From there, you will allow only select traffic out.  And you
can be damn sure that a crapload of clients will _not_ work
no matter what you do -- because their protocols were
piss-poor designed in the first place.

> As is, I don't mind SELinux, because I can disable it 
> at installation time.

But don't make broad statements like you are.  Your
statements go beyond preference, but are technically _false_!

> I will continue to do so until it is no longer broken.

Just like deny all outgoing firewalls are _just_as_broken_. 
Again, you just made my case for me better than anything I
could have said.

You don't seem to know why deny all outgoing firewalls exist
either.  Hence why you don't know why SELinux exists either.

The reality is that with SELinux, we don't trust software
_until_ they are explicitly allowed to access things.  Modes
like "permissive" use the opposite of that logic, and are more
compatible.

Just like deny all outgoing firewalls block _all_ outbound
traffic, _until_ they are explicitly allowed.  And why most
people just enable allow all outgoing (including every single
SOHO device you'll find at the superstore).

Do you understand now?


-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org     |  (please excuse any
http://thebs413.blogspot.com/ |   missing headers)