[CentOS] SELinux - way of the future or good idea but !!!

Thu Dec 9 04:13:15 UTC 2010
Warren Young <warren at etr-usa.com>

On 12/8/2010 3:55 PM, Lamar Owen wrote:
> On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
>> Let's not drag the desktop user into this discussion, too.
>
> Why not?

I thought my reason was clear, but apparently not.  You talk the talk of 
security, but I guess we hang in different security circles and so don't 
recognize the same shorthand.  Allow me to expand.

The reason I don't want to go off into a discussion of SELinux on the 
desktop is that I believe SELinux -- as shipped in current versions of 
CentOS -- will fail to stop 99% of the problems you talk about, purely 
due to the nature of 99% of desktop users.

Those in that vast majority blindly click on things that pop up and stop 
them from doing what they wanted to do.  If a popup message gives a way 
to make the popup stop appearing, these people will, almost without 
fail, do that, no matter how well-intentioned or helpful the message, or 
how inadvisable disabling it is.

These people do not especially enjoy computers -- many actually hate 
them -- and so do not wish to understand anything more about what they 
are doing than is required to complete the immediate task.  (You may 
perhaps have seen the current Windows Phone 7 ads?  They're aimed 
straight at this crowd.  I believe this ad campaign will be more 
effective than any Microsoft has had in years.)

Examples:

- UAC on Windows Vista/7.  It's done virtually nothing to stop the 
malware epidemic.  Why?  It trains users to click on the "yes I really 
meant to do that" button, regardless of whether the user actually 
understands what they have just agreed to.

- Hostageware and fake virus popups on the web.  The computer tells them 
they need to spend $X on something that will free their data or remove a 
virus they don't have.  People fall for this all the time.

- Email scams: bogus unsubscribe links, phishing links, false 
enticements for illicit material...

- How often have you seen this as prologue to a tale of woe: "Are you 
sure you want to format your operating system hard drive?"  "OK"

- Windows security software popups:

   -- Firewall: "Blocked connection to port X."  "Unblock"

   -- Antimalware: "Updated patterns for the sixth time this month"  "Go 
away."  Then next week: "Detected possible virus behavior"  "Go away." 
They're trained by then, y'see.

   -- Security update: "Apply"  Then next week, bogus security popup 
while surfing Facebook: "Apply"

- Evil EULAs.  Not even a technically competent user wants to read pages 
and pages of legalese.  But the point remains, people agree to things 
they don't bother to understand because they want to get past the 
annoying popup so they can do what they started out to do.

I am not disparaging this vast majority, merely reporting observed 
behavior.  We're unlikely to ever change them.  Many, in fact, are 
medically incapable of stopping this behavior; it's been studied, and 
some people are psychologically compelled to click things whenever they 
appear.  (I suppose it's some form of OCD.)

Bottom line, if the tables were flipped on Microsoft and CentOS were the 
dominant desktop operating system, I believe it would have the same 
security problems today as it had before SELinux was available.  Maybe 
not the same as Microsoft currently has, but no different than Linux 
without SELinux.

I wish I could do more than just offer vague, untestable supposition, 
but the current Linux user base is too small and technically competent 
to draw any real conclusions about how effective SELinux is at stopping 
the problems the normals get bit by.  It's my experience that the 
technically competent desktop user rarely needs much in the way of 
security apparatus.  Experience, attitude, and talent allow us to avoid 
problems most of the time, so the safety net rarely gets tested.

It is possible SELinux would help if seagent didn't exist and didn't 
show popups.  Then the vast majority would simply be frustrated, unable 
to do what they want, and unlikely to find a workaround.  Some will manage 
to dredge up the fix with The Google and blindly type it into a Terminal 
window, but even that minor impediment would be enough to stop a lot of 
general users cold.  In that case, maybe you have a valid point.  Then 
again, many Windows users disable UAC, so there's no reason to believe 
that subset wouldn't disable SELinux if CentOS were dominant instead.

To go much deeper, you get into discussions of how (or whether) CentOS 
should change to prevent these things, but change is driven from 
upstream and won't happen for years anyway if past is prologue, so again 
we have a good reason to stop this subthread right here.