selinux is completely unfriendly to new sysadmins and unintuitive for anyone coming from any other OS. it feels so bolted-on, since you have to pass in special flags for ls to get security labels and read a special man page for the service that you’re configuring.

# ? Apr 30, 2018 18:50

so sorry doing things correctly required a modicum of effort

# ? Apr 30, 2018 18:51

el dorito posted: selinux is completely unfriendly to new sysadmins and unintuitive for anyone coming from any other OS

it's 2018

# ? Apr 30, 2018 18:53

spankmeister posted: it's 2018

I’ve gotten used to selinux. I think it’s fine. But it could use more documentation.

# ? Apr 30, 2018 18:57

el dorito posted: I’ve gotten used to selinux. I think it’s fine. But it could use more documentation.

There’s literally a GUI that shows you what’s wrong and how to fix it.

# ? Apr 30, 2018 19:00

el dorito posted: selinux is completely unfriendly to new sysadmins and unintuitive for anyone coming from any other OS

you have to pass flags to ls to get file sizes

# ? Apr 30, 2018 19:04

fwiw, selinux is a confusing design. Red Hat has figured out how to make it work pretty well, but it's pretty much a bunch of well-engineered workarounds for a crummy core design. containers are a lot more friendly. Instead of writing a policy that says nginx can only read things labeled for it, and writing a tool that'll easily relabel /var/www for you, you just only mount /var/www inside the nginx container. way simpler to understand, even easier to get right.

# ? Apr 30, 2018 19:04

ratbert90 posted: There’s literally a GUI that shows you what’s wrong and how to fix it.

ah yes because linux servers have x running

# ? Apr 30, 2018 19:06

firewalld is easy though. if you can't figure it out yr dumb as poo poo

# ? Apr 30, 2018 19:06

my favorite selinux thing is the feature that tells you how to add an ignore rule for a process by grepping through audit.log and looking for a match on the first 8 characters of the process name. audit.log has attacker-provided strings in it. nsa-level security here

# ? Apr 30, 2018 19:07

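The audit.log concern in the post above, as an added example that is not from any poster in the thread: a small Python parser that pulls AVC denial records out of audit.log text and groups them by the fields an SELinux allow rule is actually written against (source type, target type, object class, permission) rather than by the comm= field, which is a task name the process sets for itself. The audit lines are constructed for the example, and the function and variable names are my own, not anything from SELinux tooling.

```python
import re
from collections import Counter

# Constructed sample of audit.log lines (not captured from any real host).
# The third AVC carries the same comm="nginx" as the first but names a
# different target context; grouping on comm= would merge them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1525107000.101:201): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="vda1" ino=4012 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1525107001.102:202): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1525107002.103:203): avc:  denied  { read } for  pid=4242 comm="nginx" name="shadow" dev="vda1" ino=17 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1525107002.103:203): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"
"""

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; a value is either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        # comm= is the kernel task name: chosen by the process itself and
        # truncated, so it is kept for display only, never as a grouping key.
        "comm": fields.get("comm"),
        "pid": fields.get("pid"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def parse_audit_log(text):
    """Parse every line, keeping only the AVC records."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def type_of(context):
    """system_u:system_r:httpd_t:s0 -> httpd_t (the type is the third field)."""
    return context.split(":")[2]


def summarize_by_context(records):
    """Count denials by (source type, target type, class, permission):
    the tuple an allow rule is written in terms of."""
    counts = Counter()
    for r in records:
        if r["decision"] != "denied":
            continue
        for perm in r["perms"]:
            key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"], perm)
            counts[key] += 1
    return dict(counts)


def summarize_by_comm(records):
    """The naive grouping: every denial collapses onto the process-chosen name."""
    return dict(Counter(r["comm"] for r in records if r["decision"] == "denied"))


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for key, n in summarize_by_context(recs).items():
        print(n, key)
    print("by comm:", summarize_by_comm(recs))
```

Run against the constructed sample, the context summary yields three distinct (source, target, class, permission) tuples, one of which is httpd_t reading shadow_t, while the comm summary reports only "nginx: 3" and hides that difference entirely.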
pram posted: ah yes because linux servers have x running

Fine. https://www.youtube.com/watch?v=cNoVgDqqJmM&hd=1&t=6s That should be required watching for every single Linux sysadmin.

# ? Apr 30, 2018 19:08

also this thing is what makes your linux secure. so secure that github cannot even let you audit the whole thing. https://github.com/fedora-selinux/selinux-policy-contrib

# ? Apr 30, 2018 19:10

ratbert90 posted: There’s literally a GUI that shows you what’s wrong and how to fix it.

What about people that install a minimal system and don’t have X? and yes, I understand that this is a linux desktop thread

hifi posted: you have to pass flags to ls to get file sizes

the flag I use, “-l”, gives me file sizes and owner/group and unix acls and dates, but not selinux labels. I know why it doesn’t get added in there but my point still stands

# ? Apr 30, 2018 19:12

selinux seems to randomly log the helper error messages that give you the policy fixes or tell you to roll your own policy. i dunno why it sometimes doesn't, but it does tell you what to do eventually.

# ? Apr 30, 2018 19:27

More like messy linux

# ? Apr 30, 2018 21:04

crazypenguin posted: containers are a lot more friendly. Instead of writing a policy that says nginx can only read things labeled for it, and writing a tool that'll easily relabel /var/www for you, you just only mount /var/www inside the nginx container.

you know nothing in here is true, right? if you compromise nginx badly enough inside a container, you compromised the entire system. an lxc container is just an enhanced chroot: as soon as uid=0, you are no longer restricted to the chroot. there's no security story on linux containers, unless you wrote selinux policy to contain your containers

# ? Apr 30, 2018 22:24

el dorito posted: What about people that install a minimal system and don’t have X?

there is a command line utility that does the exact same log processing as the gui utility (there is no corner case too stupid for a red hat customer to have demanded it)

# ? Apr 30, 2018 22:26

el dorito posted: selinux is completely unfriendly to new sysadmins and unintuitive for anyone coming from any other OS

i don't really care about new sysadmins, but if i did, i would point them at the vendor documentation https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/index

# ? Apr 30, 2018 22:27

Suspicious Dish posted: also this thing is what makes your linux secure. so secure that github cannot even let you audit the whole thing. https://github.com/fedora-selinux/selinux-policy-contrib

it's a giant monorepo containing thousands of security policies. no poo poo the repo has many files

# ? Apr 30, 2018 22:27

SELinux is like an undercover cop on a prostitution sting, u have to tell it what you want

# ? Apr 30, 2018 23:56

Gazpacho posted: SELinux is like an undercover cop on a prostitution sting, u have to tell it what you want

I want a hawaiian pizza.

# ? May 1, 2018 00:21

sounds kinky

# ? May 1, 2018 00:27

ratbert90 posted: That should be required watching for every single Linux sysadmin.

So thankful that I'm exempt.

# ? May 1, 2018 01:29

sorry, no. it's bad, not good. selinux is the worst possible thing, even worse than systemd, which is also bad and not good

# ? May 1, 2018 02:33

i will fight you

# ? May 1, 2018 02:33

Poopernickel posted: sorry, no. it's bad, not good

never touch Linux again.

# ? May 1, 2018 02:36

(actually systemd is pretty ok for desktops when a distro packager is janitoring it for you)

# ? May 1, 2018 02:37

ratbert90 posted: never touch Linux again.

i always touch a linux

# ? May 1, 2018 02:38

Poopernickel posted: i always touch a linux

Not liking SELinux or systemd is bad and not cool.

# ? May 1, 2018 02:40

oh poo poo im stuck in the middle of this war. i hate selinux and like systemd, although tbh my main beef with selinux is not the concept, it’s the execution and (lack of) adoption. nobody but red hate uses it and therefore lots of Linux software is not tested against it upstream. it’s on a single downstream distro to make sure tens of thousands of packages work under its draconian security paranoia, and lol if u think that is going to go smoothly all the time. (lol once more at the idea, pushed by some itt, that the linux distro ecosystem is a good thing)

my other beef: the occasional breakage wouldn’t be so bad if it weren’t for the extreme obtuseness of the resulting errors, which, every time i forget about the last time i had to do it, results in me wasting a few hours just figuring out it’s selinux again, and then more time figuring out the right arcane incantation to tell selinux to gently caress off re: that thing, assuming i don’t just shut it off to give it the finger

# ? May 1, 2018 03:01

always be (not) enforcing

# ? May 1, 2018 03:07

Notorious b.s.d. posted: you know nothing in here is true right. if you compromise nginx badly enough inside a container, you compromised the entire system. an lxc container is just an enhanced chroot: as soon as uid=0, you are no longer restricted to the chroot.

nah, I'm right. "containers" have a fantastic security story, depending on what you mean by "containers". because of course, the linux kernel has no concept of a container, you build a container abstraction out of all the little parts. the same little parts are used to e.g. sandbox chrome processes. they're very much meant for security here.

but what you say is absolutely untrue for, e.g., docker containers. if you believe otherwise, here's a root shell in a docker container: https://contained.af/ capture that flag

# ? May 1, 2018 03:37

selinux wasn't that hard to learn and i'm a huge dunce

# ? May 1, 2018 04:30

crazypenguin posted: nah, I'm right. "containers" have a fantastic security story, depending on what you mean by "containers". because of course, the linux kernel has no concept of a container, you build a container abstraction out of all the little parts. the same little parts are used to e.g. sandbox chrome processes. they're very much meant for security here.

this is a root shell, sort of -- it's a user namespace. so your effective uid is 0 but you will fail all the uid=0 checks in the kernel

betcha they keep a real close eye on zero days...

you are a complete idiot if you do not enclose docker containers in an selinux context.

# ? May 1, 2018 04:44

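The disagreement in the last two posts about whether "uid 0" inside a container is really root, as an added example that is not from any poster: a Python helper that reads the /proc/<pid>/uid_map format (one line per range: first uid inside the namespace, first uid outside it, count) and translates an in-namespace uid to the host uid the kernel actually applies its uid=0 checks against. The two map contents are constructed; the initial user namespace's map is "0 0 4294967295", which is what a process sees when it was not placed in a user namespace at all. Function names are my own.

```python
# Constructed /proc/<pid>/uid_map contents (not read from a real host).
# Line format: <first uid inside the namespace> <first uid outside> <count>
HOST_UID_MAP = "         0          0 4294967295\n"   # initial namespace: no userns in use
USERNS_UID_MAP = "         0     100000      65536\n"  # a userns-remapped container


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) triples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, count = (int(x) for x in line.split())
        entries.append((inside, outside, count))
    return entries


def to_host_uid(uid_map_text, inner_uid):
    """Map a uid as seen inside the namespace to the host uid behind it.
    None means the uid is not mapped at all (the kernel then reports the
    overflow uid, 65534, when that process is viewed from outside)."""
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= inner_uid < inside + count:
            return outside + (inner_uid - inside)
    return None


def is_real_root(uid_map_text, inner_uid=0):
    """True only when 'uid 0 in here' is uid 0 on the host. That is the case
    when no user namespace is involved; in a userns-remapped container the
    in-namespace root is an ordinary unprivileged host uid."""
    return to_host_uid(uid_map_text, inner_uid) == 0


if __name__ == "__main__":
    for name, text in (("no userns", HOST_UID_MAP), ("userns", USERNS_UID_MAP)):
        print(name, "-> host uid", to_host_uid(text, 0), "real root:", is_real_root(text))
    # Live check of the current process, Linux only (the path is the real procfs file).
    try:
        with open("/proc/self/uid_map") as f:
            print("this process: uid 0 in here is host uid", to_host_uid(f.read(), 0))
    except OSError:
        pass
```

The same logic applies to gid_map. Whether a given container runtime puts the workload in a user namespace is exactly the question that decides which of the two posters' descriptions applies, and the map file is the authoritative place to check rather than the output of id inside the container.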
Notorious b.s.d. posted: you are a complete idiot if you do not enclose docker containers in an selinux context.

What if I run them with hyper-v isolation instead?

# ? May 1, 2018 04:50

Fiedler posted: What if I run them with hyper-v isolation instead?

that is probably ok, at least in theory. you need a priv escalation bug in hyperv instead of a priv escalation bug in the linux kernel. it is a smaller attack surface. of course, attackers are highly motivated. finding a good bug in hardware virt leads to mass compromises on aws and azure...

# ? May 1, 2018 04:56

Wasn't the last docker breakout in October?

# ? May 1, 2018 05:16

TimWinter posted: Wasn't the last docker breakout in October?

there was a recent thing involving CAP_NET_RAW, that might have been it. wasn't really a root escalation though. most of the time, when actually trying to use containers for security, that capability is removed too. it's left on by default because they like being able to ping from containers to help people debug, heh

like, the linux kernel is a big attack surface sure, but that's true for both containers and selinux, and containers routinely cut down the attack surface a lot with things like seccomp restricting syscalls, too...

# ? May 1, 2018 05:35

Notorious b.s.d. posted: betcha they keep a real close eye on zero days...

lol "zero day" is so diluted now

# ? May 1, 2018 13:07

they call them zero days because that is how long it will take you to decide to uninstall your Linux and use a real os

Best Bi Geek Squid fucked around with this message at 15:19 on May 1, 2018

# ? May 1, 2018 15:17