[CentOS] SELinux and access across 'similar types'

Bennett Haselton bennett at peacefire.org
Sat Jan 7 13:39:15 UTC 2012


On 1/7/2012 5:25 AM, John R. Dennison wrote:
> On Sat, Jan 07, 2012 at 04:43:31AM -0800, Bennett Haselton wrote:
>> Virtually every hosting company I've ever bought a CentOS server from
>> has had SELinux turned off by default.  (So, a partial list would
>> include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho),
>> AeroVPS (sells dedicated servers despite their name), Netelligent,
>> ServerBeach and I don't remember all the others).  Don't hold me to that
>> list 100% since some might have changed their policies for new servers
>> but it's pretty universal.
> Then these companies should be universally boycotted as it's pretty
> evident that they don't place security at the top of the importance
> stack.
>
> People that don't run selinux deserve _everything_ they get and then
> some.
I remember the same attitude around 2000 and earlier, towards people who 
spread viruses on Windows.  The attitude was that people "should" just 
learn about their OS (in particular, what types of actions were likely 
to get you infected), and it wasn't anyone else's "responsibility" to 
work around it.  And the problem kept getting worse.

Then there seemed to be a sea change in attitudes toward the problem -- 
the realization that complaining about human nature was not going to do 
any good, and if the marketplace favored selling machines to people who 
were not highly computer-literate, it was going to happen.  Making value
judgments about what people "should" and "should not" do did about as
much good as complaining about the sun coming up in the morning.

So an effort was made to change *default* behaviors so that computers 
would not do bone-headed things even in the hands of bone-headed users.  
Email servers started scanning for viruses, email programs started 
giving more and scarier warnings about opening executable attachments, 
ISPs started bundling anti-virus software, etc. (All of these things 
were already on the rise, of course.)

And that rolled the problem back a bit.  Not complaining about what 
people "should" know, which never had a chance of working, but changing 
default behaviors to take into account the fact that most people did not 
know what the gurus think everyone "should" know.  (Of course attackers 
didn't go away, but switched to trickier methods like browser exploits, 
which will work even on sophisticated users.)

What you think people "should" know is a matter of opinion.  However,
complaining about what people "should" know usually doesn't do any
good, and that's an empirical fact, not an opinion.

Apparently the marketplace favors hosting companies turning SELinux off 
because the failures it causes are too obscure and it causes too many 
support headaches.  A non-changing-human-nature solution might be to 
notify the user directly when SELinux blocks something.  The GUI 
apparently already does this via a dialog box when viewing a desktop; 
perhaps there's a way to do it on the command line too.  (When the user 
runs something that's blocked by SELinux, just send a message to the 
terminal saying "SELinux blocked this", or something.  Would be a start.)

> By the way, please learn how to properly respond to a public mailing
> list by trimming unnecessary response content.
Nobody else was trimming.  When in Rome :)  (By definition, a 
quoted-quoted-quoted message can only keep getting longer if nobody else 
is trimming either.)

Bennett
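The terminal notice Bennett describes above can be prototyped outside the kernel by reading the audit log. The script below is an added example, not code from this thread or from CentOS: it takes SELinux AVC records on standard input and prints one plain-language line per denial, ignoring `granted` records and the non-AVC records that share an event id. The audit records it consumes are constructed samples in the audit.log layout; the function name `selinux_denial_notice` is made up for this example.

```shell
#!/bin/sh
# Added example (not from the CentOS thread): summarise SELinux AVC denials
# from audit.log records into one-line notices a user could see on a terminal.
# Assumes the standard audit.log record layout shown in the constructed sample.

# Constructed sample audit records (not captured from a real host).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1325941234.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1325941234.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1325941300.001:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1325941310.500:458): avc:  granted  { read } for  pid=77 comm="sshd" name="motd" dev=sda1 ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Read audit records on stdin; write one notice per AVC *denial* to stdout.
# Only "type=AVC ... denied" records are reported; SYSCALL records and
# "granted" (auditallow) records are skipped.
selinux_denial_notice() {
  awk '
  /^type=AVC / && /avc: +denied/ {
    perm = ""; comm = ""; pid = ""; tclass = ""; target = ""; sctx = ""; tctx = ""
    # The permission set is written between braces: "{ write }" or "{ read write }".
    if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
    for (i = 1; i <= NF; i++) {
      split($i, kv, "=")
      key = kv[1]
      val = substr($i, length(key) + 2)   # everything after the first "="
      gsub(/"/, "", val)                  # strip quotes around comm="..." etc.
      if (key == "comm") comm = val
      else if (key == "pid") pid = val
      else if (key == "tclass") tclass = val
      else if (key == "name" || key == "path" || key == "dest") target = val
      else if (key == "scontext") sctx = val
      else if (key == "tcontext") tctx = val
    }
    printf "SELinux blocked %s (pid %s): %s on %s %s [%s -> %s]\n",
           comm, pid, perm, tclass, target, sctx, tctx
  }'
}

# Convenience wrapper: number of denials found in the constructed sample.
count_sample_denials() {
  printf '%s\n' "$SAMPLE_AUDIT_LOG" | selinux_denial_notice | grep -c 'SELinux blocked'
}

# Demonstration on the constructed sample (on a real host one would feed
# /var/log/audit/audit.log or the output of ausearch -m avc instead).
printf '%s\n' "$SAMPLE_AUDIT_LOG" | selinux_denial_notice
```

The notices name the process, the denied permission, the object class and the target, so a user whose `httpd` suddenly cannot write a file or connect to port 3306 sees why without having to know where audit.log lives or what an AVC is.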


