|
BobHoward posted:lollin at this this takes literally 10 seconds to troubleshoot
|
# ? Feb 27, 2016 22:36 |
|
ahmeni posted:selinux is actually pretty easy once you spend the time it takes to sort out how it works
|
# ? Feb 27, 2016 22:37 |
|
turning off security stuff because its preventing you from doing something is like throwing away your smoke detector bc the battery is low and it keeps beeping. even me an idiot was able to learn enough about selinux to do stuff.
|
# ? Feb 27, 2016 22:40 |
|
no one uses selinux
|
# ? Feb 27, 2016 22:42 |
|
lots of people use it, and more people should

e.g. listing all correct and permissible behaviors for your average web app is very easy. listen on a named high number port. read files and directories tagged with a certain context. write files and directories with a different context. read/write /tmp. make outbound connections to a database.

constraining login shells, for example, is a pain in the balls. but selinux policy is easy as poo poo for 99% of desktop and server applications
|
# ? Feb 27, 2016 22:44 |
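The behaviours listed in the post above, written out as a policy module. This is an added example, not something posted in the thread: the module and type names (`mywebapp_*`) are hypothetical, the database is assumed to be PostgreSQL, and the macros are those of the reference policy that the Red Hat family ships.

```selinux
# mywebapp.te -- hypothetical module; every mywebapp_* name is an assumption.
policy_module(mywebapp, 1.0.0)

# The confined domain and the label on its executable.
type mywebapp_t;
type mywebapp_exec_t;
init_daemon_domain(mywebapp_t, mywebapp_exec_t)

# Labels for the data the app may read, the data it may write, and its port.
type mywebapp_content_t;
files_type(mywebapp_content_t)
type mywebapp_rw_t;
files_type(mywebapp_rw_t)
type mywebapp_tmp_t;
files_tmp_file(mywebapp_tmp_t)
type mywebapp_port_t;
corenet_port(mywebapp_port_t)

# "listen on a named high number port"
# (the port gets its label outside the module, with
#  semanage port -a -t mywebapp_port_t -p tcp <port>)
allow mywebapp_t self:tcp_socket create_stream_socket_perms;
allow mywebapp_t mywebapp_port_t:tcp_socket name_bind;
corenet_tcp_bind_generic_node(mywebapp_t)

# "read files and directories tagged with a certain context"
list_dirs_pattern(mywebapp_t, mywebapp_content_t, mywebapp_content_t)
read_files_pattern(mywebapp_t, mywebapp_content_t, mywebapp_content_t)

# "write files and directories with a different context"
manage_dirs_pattern(mywebapp_t, mywebapp_rw_t, mywebapp_rw_t)
manage_files_pattern(mywebapp_t, mywebapp_rw_t, mywebapp_rw_t)

# "read/write /tmp": what the app creates there gets its own private label
manage_dirs_pattern(mywebapp_t, mywebapp_tmp_t, mywebapp_tmp_t)
manage_files_pattern(mywebapp_t, mywebapp_tmp_t, mywebapp_tmp_t)
files_tmp_filetrans(mywebapp_t, mywebapp_tmp_t, { file dir })

# "make outbound connections to a database" (PostgreSQL assumed)
corenet_tcp_connect_postgresql_port(mywebapp_t)
```

Anything not granted here is denied in enforcing mode, so a real application usually needs a few more rules (logging, shared libraries, name resolution) that show up as AVC denials in the audit log on first run.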
|
pram posted:no one uses selinux
|
# ? Feb 27, 2016 22:45 |
|
Notorious b.s.d. posted:lots of people use it, and more people should

nope
|
# ? Feb 27, 2016 22:49 |
|
it isnt set to enforcing, or even installed, on basically every cloud image in existence. if you are janitoring selinux on your desktop linux then lol
|
# ? Feb 27, 2016 22:50 |
|
pram posted:if you are janitoring selinux on your desktop linux then lol
|
# ? Feb 27, 2016 22:53 |
|
pram posted:it isnt set to enforcing, or even installed, on basically every cloud image in existence. if you are janitoring selinux on your desktop linux then lol

this is more commentary on how dumb EC2 users are than evidence of SElinux use
|
# ? Feb 27, 2016 22:57 |
|
why yes amazon i would love a frankenstein linux image unsupported by any vendor with selinux turned off that sounds great
|
# ? Feb 27, 2016 22:58 |
|
pram posted:if you are janitoring linux on your desktop then lol
|
# ? Feb 27, 2016 23:07 |
|
ahmeni posted:selinux is actually pretty easy once you spend the time it takes to sort out how it works

i'm sure there are people who actually believe that this http://pkgs.fedoraproject.org/cgit/rpms/selinux-policy.git/tree/policy-rawhide-base.patch is "pretty easy"
|
# ? Feb 27, 2016 23:18 |
|
Suspicious Dish posted:i'm sure there are people who actually believe that this http://pkgs.fedoraproject.org/cgit/rpms/selinux-policy.git/tree/policy-rawhide-base.patch

writing policy for your app is a lot easier than writing all the policy needed to operate a linux distribution

(when you complain C is hard, do you paste the entirety of glibc's source code into the argument?)
|
# ? Feb 27, 2016 23:28 |
|
selinux is just one of those shibboleths that nerds adopt to signal their cred. like functional programming and ham radios. utterly meaningless and pointless
|
# ? Feb 27, 2016 23:30 |
|
no one has ever thought selinux was cool

security is never cool

it is, however, necessary
|
# ? Feb 27, 2016 23:31 |
|
Notorious b.s.d. posted:writing policy for your app is a lot easier than writing all the policy needed to operate a linux distribution

except your app's policy heavily depends on the distro policy. being able to debug your policy requires you to understand a lot about the rest of the system's policy.
|
# ? Feb 27, 2016 23:32 |
|
Suspicious Dish posted:except your app's policy heavily depends on the distro policy. being able to debug your policy requires you to understand a lot about the rest of the system's policy.

of course. which is much easier than re-creating it from scratch. i can consume libc a lot easier than i could re-write libc
|
# ? Feb 27, 2016 23:34 |
|
also really nobody has working selinux except the redhat family. so really "knowing selinux" is "understanding how to use the stuff defined in that giant blob you pasted"

i'd rather chew my own arm off than try and get selinux working on ubuntu
|
# ? Feb 27, 2016 23:34 |
|
lol at the people unironically trash talking selinux and the one choosing ubuntu over fedora

do you guys also login with root to your servers with password y/n
|
# ? Feb 28, 2016 01:43 |
|
Notorious b.s.d. posted:also really nobody has working selinux except the redhat family. so really "knowing selinux" is "understanding how to use the stuff defined in that giant blob you pasted"

"knowing selinux" is "understanding enough to pass the rhce"
|
# ? Feb 28, 2016 02:09 |
|
pram posted:"knowing selinux" is "understanding enough to pass the rhce"

the rhce is well-designed. it is not a coincidence that knowing enough to pass the rhce is also enough to implement selinux successfully in 99% of scenarios

nobody expects that you're gonna go out and implement selinux from scratch on ubuntu. it's entirely reasonable to expect folks to write a few lines of selinux policy to get their web app du jour to work properly on centos in enforcing mode.
|
# ? Feb 28, 2016 02:21 |
|
SELinux is cool and good and if you don't understand it you are functionally retarded.
|
# ? Feb 28, 2016 06:23 |
|
dont sign your posts
|
# ? Feb 28, 2016 06:37 |
|
Celexi posted:lol at the people unironically trash talking selinux and the one choosing ubuntu over fedora

fedora didn't work at all. i guess that's secure.
|
# ? Feb 28, 2016 06:38 |
|
trying to fix the insecurities of linux users sounds like some sort of halting problem imo
|
# ? Feb 28, 2016 06:59 |
|
Breakfast All Day posted:trying to fix the insecurities of linux users sounds like some sort of halting problem imo
|
# ? Feb 28, 2016 07:00 |
|
Notorious b.s.d. posted:because centos has mandatory access control, and openbsd never will

xnu implements mandatory access control based on FreeBSD, and has contributed changes back to FreeBSD
|
# ? Feb 28, 2016 10:27 |
|
selinux just seems unnecessary if the os is designed with security in mind from the ground up
|
# ? Feb 28, 2016 16:21 |
|
Maximum Leader posted:selinux just seems unnecessary if the os is designed with security in mind from the ground up

yup, that's why the most secure OS in common use, iOS, doesn't need it
|
# ? Feb 28, 2016 16:26 |
|
Maximum Leader posted:selinux just seems unnecessary if the os is designed with security in mind from the ground up

seatbelts just seem unnecessary if your driving style is designed with safety in mind from the ground up
|
# ? Feb 28, 2016 16:29 |
|
Soricidus posted:seatbelts just seem unnecessary if your driving style is designed with safety in mind from the ground up
|
# ? Feb 28, 2016 16:42 |
|
Cocoa Crispies posted:yup, that's why the most secure OS in common use, iOS, doesn't need it

true words. apple design for security from the ground up, and there's no way they'd ever make a dumb mistake like that "goto fail" bug that hit linux users a year or so back
|
# ? Feb 28, 2016 16:57 |
|
Soricidus posted:apple

lol

Soricidus posted:apple design for security from the ground up

hard to design for security from the ground up when you are the one creating the vector that will be exploited.
|
# ? Feb 28, 2016 17:17 |
|
didn't OSX recently get owned by LD_PRELOAD poo poo of the sort that people knew how to deal with back in the 80s
|
# ? Feb 28, 2016 17:30 |
|
Cocoa Crispies posted:yup, that's why the most secure OS in common use, iOS, doesn't need it

???? OSX and iOS have MAC its just that iOS enables it and it's administered by apple mostly

its what keeps apps sandboxed iirc

e: in fact the issue w/ selinux is the linux part w/ lots of one-eyed people leading around the blind
|
# ? Feb 28, 2016 17:49 |
|
Malcolm XML posted:???? OSX and iOS have MAC its just that iOS enables it and it's administered by apple mostly

What is MAC? It's hard to google ios and mac for obv reasons.
|
# ? Feb 28, 2016 17:52 |
|
akadajet posted:What is MAC? It's hard to google ios and mac for obv reasons.

mandatory access control
|
# ? Feb 28, 2016 17:53 |
|
weird. chrome keeps trying to fetch this with https and failing.
|
# ? Feb 28, 2016 17:58 |