[CentOS] SELinux and access across 'similar types'
Bennett Haselton
bennett at peacefire.org
Sat Jan 7 13:39:15 UTC 2012
On 1/7/2012 5:25 AM, John R. Dennison wrote:
> On Sat, Jan 07, 2012 at 04:43:31AM -0800, Bennett Haselton wrote:
>> Virtually every hosting company I've ever bought a CentOS server from
>> has had SELinux turned off by default. (So, a partial list would
>> include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho),
>> AeroVPS (sells dedicated servers despite their name), Netelligent,
>> ServerBeach and I don't remember all the others). Don't hold me to that
>> list 100% since some might have changed their policies for new servers
>> but it's pretty universal.
> Then these companies should be universally boycotted as it's pretty
> evident that they don't place security at the top of the importance
> stack.
>
> People that don't run selinux deserve _everything_ they get and then
> some.
I remember the same attitude around 2000 and earlier, towards people who
spread viruses on Windows. The attitude was that people "should" just
learn about their OS (in particular, what types of actions were likely
to get you infected), and it wasn't anyone else's "responsibility" to
work around it. And the problem kept getting worse.
Then there seemed to be a sea change in attitudes toward the problem --
the realization that complaining about human nature was not going to do
any good, and if the marketplace favored selling machines to people who
were not highly computer-literate, it was going to happen. Making value
judgments about what people "should" and "should not" do, did about as
much good as complaining about the sun coming up in the morning.
So an effort was made to change *default* behaviors so that computers
would not do bone-headed things even in the hands of bone-headed users.
Email servers started scanning for viruses, email programs started
giving more and scarier warnings about opening executable attachments,
ISPs started bundling anti-virus software, etc. (All of these things
were already on the rise, of course.)
And that rolled the problem back a bit. Not complaining about what
people "should" know, which never had a chance of working, but changing
default behaviors to take into account the fact that most people did not
know what the gurus think everyone "should" know. (Of course attackers
didn't go away, but switched to trickier methods like browser exploits,
which will work even on sophisticated users.)
What you think people "should" know is a matter of opinion. However,
complaining about what people "should" know usually doesn't do any
good, and that's an empirical fact, not an opinion.
Apparently the marketplace favors hosting companies turning SELinux off
because the failures it causes are too obscure and it causes too many
support headaches. A non-changing-human-nature solution might be to
notify the user directly when SELinux blocks something. The GUI
apparently already does this via a dialog box when viewing a desktop;
perhaps there's a way to do it on the command line too. (When the user
runs something that's blocked by SELinux, just send a message to the
terminal saying "SELinux blocked this", or something. Would be a start.)
> By the way, please learn how to properly respond to a public mailing
> list by trimming unnecessary response content.
Nobody else was trimming. When in Rome :) (By definition, a
quoted-quoted-quoted message can only keep getting longer if nobody else
is trimming either.)
Bennett
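The command-line notifier that the post sketches ("just send a message to the terminal saying 'SELinux blocked this'") can be approximated with a small script that watches the audit log for AVC denial records and prints a plain-language line for each one. The following is an added example, not code from the post or from the CentOS project; it assumes the stock auditd log path /var/log/audit/audit.log and the standard `type=AVC ... avc: denied { perm } for ... scontext=... tcontext=... tclass=...` record layout, and the sample records embedded in it are constructed for an offline demonstration.

```python
#!/usr/bin/env python3
"""Print a plain-language notice for each SELinux AVC denial in the audit log.

Added example (not part of the original mailing-list post): a minimal
command-line counterpart to the desktop pop-up mentioned in the post.
It assumes the default auditd log at /var/log/audit/audit.log and the
standard AVC record layout written by auditd.
"""
import re
import sys
import time

AUDIT_LOG = "/var/log/audit/audit.log"  # default auditd location (assumption)

# Constructed sample records in the real AVC layout, used for the offline demo.
SAMPLE_LINES = [
    'type=AVC msg=audit(1325943555.123:456): avc:  denied  { read } for  '
    'pid=1234 comm="httpd" name="index.html" dev="sda1" ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1325943555.123:456): arch=c000003e syscall=2 '
    'success=no exit=-13',
    'type=AVC msg=audit(1325943600.789:460): avc:  denied  { name_connect } for  '
    'pid=1234 comm="httpd" dest=3306 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

# "type=AVC ... avc:  denied  { perm1 perm2 } for  key=value ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either "quoted" or a bare non-space token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def format_notice(rec):
    """Turn a parsed denial into the one-line terminal message the post asks for."""
    target = rec.get("name") or rec.get("path") or rec.get("dest") or "?"
    return ("SELinux blocked %s (pid %s) from %s on %s %s "
            "[source %s, target %s]" % (
                rec.get("comm", "?"), rec.get("pid", "?"),
                ", ".join(rec["perms"]), rec.get("tclass", "?"), target,
                rec.get("scontext", "?"), rec.get("tcontext", "?")))


def notices(lines):
    """Yield a notice for every AVC denial among the given audit records."""
    for line in lines:
        rec = parse_avc(line)
        if rec:
            yield format_notice(rec)


def follow(path=AUDIT_LOG, sleep=1.0):
    """Tail a file like 'tail -f', yielding only lines appended after start."""
    with open(path, "r", errors="replace") as fh:
        fh.seek(0, 2)  # start at the end so only new denials are reported
        while True:
            line = fh.readline()
            if line:
                yield line.rstrip("\n")
            else:
                time.sleep(sleep)


if __name__ == "__main__":
    # "--follow" watches the live audit log (needs root); no argument runs
    # the constructed samples so the output format can be seen offline.
    source = follow() if "--follow" in sys.argv[1:] else SAMPLE_LINES
    for msg in notices(source):
        print(msg, file=sys.stderr)
```

Run without arguments to see the two sample denials rendered; run as root with `--follow` in a spare terminal to get a line for each new denial as it happens (the audit log is root-readable only). This is the same data the setroubleshoot desktop alert is built from; on CentOS the `sealert` tool from setroubleshoot-server gives a fuller explanation of each denial, and the one-liner here is only the "would be a start" version.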