[CentOS] SELinux threads, cynicism, one-upmanship, etc. -- reality: Upstream defaults

Sat Nov 26 02:56:20 UTC 2005
Bryan J. Smith <thebs413 at earthlink.net>

Peter Farrow wrote:
> Some you seem to be drowning in the "complex=secure" scenario.
> SELinux adds complexity, the biggest dangers in computer hacking come
> from within your own network.
> 90% of hacking jobs are in house as the statistics show.

And SELinux's _main_ design is to combating people who have _some_
privileges to the system!  That's the primary purpose of RBAC/MAC!  As
someone who has spent half of his career security banks and defense
systems, please, _please_ stop this!  SELinux _massively_ improves
internal security.

So why did this come up, yet again?  Why does this have to continue?
Especially since the upstream provider sets the defaults, and these will
NOT change in SELinux!

> SELinux makes security complex and bloat like, the same thing that
> makes Windows insecure, this makes the admin job harder, which will
> lead to mistakes, which will make it hard to find holes, which will
> inevitably lead to a less secure system.... QED.

As I pointed out before, NT's based RBAC/MAC does _not_ cause its
security issues.  In fact, it's quite a good model to follow!  The
problem is 99% of the Windows applications, including various things
adopted into NT for "Chicago" compatibility that have caused this issue.

Why oh why did this come up again?  These defaults will NOT change!

Peter Farrow also wrote:
> Perhaps all of you that _LOVE_ SElinux so much should branch off to a new
> flavour of Linux,
> I propose that you name it BloatOS,
> Just keep it well away from me.

Collins Richey wrote:
> Excellent work, Peter!
> I've been deleting most of the posts in this thread unread, but I'm
> glad I read this one. This one's a keeper.

Instead of renaming the distro, maybe we should have a new list
entitled, "What we want to bitch about this week, but not stop and take
the time to understand and possible resolve?!"

It's pretty sad when all people like myself (and I'm not the only one)
wish to do is correct technical inaccuracies, _not_ to stop and shove
anything down anyone's throat.  You don't have to use what is included
or suggested, but not everything is "broken" or "not as good as distro
X."  Why don't we just start a thread on politics here -- because it
would be able to it would provide the same level of resolution for
"world peace" as it would for Red Hat Enterprise Linux defaults.

I.e., *NONE*!  ;->

_Nothing_ that has come out of e-mails has been "you must do this."
It's always been, "Have you considered this?  Do you understand what
this does?"  It's easy to bitch and moan about something when you don't
understand it -- and far worse yet -- it does _nothing_ because you
don't understand why things are the way they are (and no one can help
you)!  But these are the defaults.  Live with it however you want to!

But don't make CentOS a forum to expose your constant complaints of
something you don't want to deal with.  Stop pretending you even
remotely know how things like SELinux are "bad" (I mean, how many
different arguments are people going to make 2, 3 or even 4 times
over?!)  Or how distribution of CentOS+DAG has a purely "mechanical"
issue?  Or how YUM could be better?  Etc...

Craig White wrote:
> I'm not entirely sure why you decided to pick up this topic by
> replying to a message that is a week old.

I honestly thing some people just have to bitch about something they
don't want to deal with.  They can't step back and recognize why
something is designed or why something works the way it does.  They just
want it to "work my way dammit!"

> Personally, I would have thought you to be smart enough to let the
> thread die since you used it to insult one of the CentOS developers.

In case some of you aren't "getting it," Craig puts it out right there! 

You say you thank the CentOS developers for their hard work ... "But
this" and then there's another "But that".  And most of these "but"s
aren't really about giving _any_ care to what decisions are made with
CentOS, but just bitching about how you think it should work.

And in the overwhelming majority of cases, it's something these same
people don't know about or understand.  All I've tried to do, like a
broken record, is ask people to stop and understand things, and I've
been very futile in my attempts at times.  I honestly give up on this,
as well as the 

> Apparently you decided to revive the thread just to insult those of
> us that are actually trying to intelligently apply the security
> features adopted by the upstream provider. Personally, I find
> you offensive.

I'm not offended directly.  I rarely get offended.  Someone has to call
my employer or tell the FBI that I hacked their server to offend me (and
no one has stooped to that level here ;-).

What I find _indirectly_ offensive is how much the CentOS team is
bothered by these constant inquiries on things that WILL *NOT* CHANGE!
Let me say that again ... these things WILL *NOT* CHANGE!  That's why
it's *NOT* about finding solutions, but just "bitching."  Especially
when the same "round robin, blind analysis" comes up over and over and
over on RBAC/MAC, [re]distribution, etc...


-- 
Bryan J. Smith   b.j.smith at ieee.org   http://thebs413.blogspot.com
-------------------------------------------------------------------
For everything else *COUGH*commercials*COUGH* there's "ManningCard"