[CentOS] SELinux - way of the future or good idea but !!!

Sun Nov 28 19:18:29 UTC 2010
cpolish at surewest.net <cpolish at surewest.net>

1,000 pardons for aggressively trimming this post,
sorry if I have harmed the flow by being selective.

Bob McConnell wrote:
> Marko Vojinovic wrote:
> > Bob McConnell wrote:
> >> Marko Vojinovic wrote:
> >>> Nico Kadel-Garcia wrote:

Hypothetical: one admins a vended suite of applications that comprise
an ERP. Many layers of management going all the way up to elected
Board members, and by implication the public, have spent $millions to
acquire, install, and augment it until it runs every aspect of the
business. A thousand staff members and 20,000 customers have
been trained to use the system. Major components (LDAP, email, database)
come from a Fortune 50 company that was assimilated by another Fortune 50
company. Not one piece of the ERP comes in RPM form.

> >> You have completely missed his point. Every update of the application
> >> *his company* is writing to run on those CentOS servers. This has
> >> nothing to do with RedHat, CentOS, or any other FLOSS package. It is a
> >> management problem within his employer's organization. If the managers

In this (hypothetical) situation, managers don't have the right kind of power.
They can't dictate policy to major corporations. They could attempt to
bring a couple of dozen in-house applications into compliance,
but does that make sense when the ERP is not in compliance thus SELinux
is not an option?

> > Well, in that case he is dealing with a broken/badly coded app, and 
> > irresponsible managers and developers. It's a problem, yes, but this isn't a 

The ERP is (hypothetically of course) badly broken on many levels.
So, what can one constructively do? Complain at a Board meeting?
Write letters to the newspapers? Start a boycott against
the vendors? Open 1,000 service requests with the vendors? Buy the
"myERPsucks" domain name? It's a cumbersome, balky problem that AFAICT
has no easy answer. Some issues need attention at the governance level,
such as IT getting more involved in vendor selection.

> > given to people on this list to turn off SELinux because some devs in some 
> > company don't do their job right is also completely wrong.

Perhaps completely wrong but also thoroughly entrenched, as explained
above. 

> don't believe it can be considered a panacea either. Even with SE in 
> full protected mode, a simple SQL injection flaw can still expose much 
> of the sensitive data on your server.

An example: Crafty Person enters an account # as: 
   9000' OR true
and for the sake of argument, this retrieves 20,000 customer
records. Does SELinux "do" anything? I suspect the answer is no.
Tends to support the proceeding argument (it's not a panacea).

-- 
Charles Polisher