Notorious b.s.d.
Jan 25, 2003

by Reene


BobHoward posted:

lollin at this

but it's a bitter sort of lol because oh if only what you say were true

gently caress selinux, it is insane over-the-top literal nsa/cia paranoia that someone, somewhere might be using the computer to do something. permission denied! it never truly works "fine" and when it breaks poo poo it is often nigh impossible to tell that the reason why it broke was selinux. eventually you learn through repetition that most of the time the weird bizarre poo poo that breaks on a red hate system is often selinux's fault so you just start disabling the fucker

like that time ssh key files stopped working on one machine and i spent literal months trying to figure out why and ultimately it turned out that some selinux "profile" attribute mysteriously got set wrong on a home dir (by who? gently caress if i know, nobody working there -- myself included -- would have even known to gently caress with it) and selinux stopped allowing ssh to access a file and nothing on any level spit out any kind of diagnostic information that selinux was disallowing something so it was impossible to debug

this takes literally 10 seconds to troubleshoot
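What a denial like the one in the quoted post looks like in the audit log, as an added example that is not part of the thread: the script below summarizes sshd AVC denials from audit records. The log lines are constructed samples, the function names are hypothetical, and `ssh_home_t` as the expected label under `~/.ssh` assumes the Red Hat targeted policy.

```shell
#!/usr/bin/env bash
# Added example. The audit records below are constructed samples.
SAMPLE_LOG='type=AVC msg=audit(1428000000.123:456): avc:  denied  { read } for  pid=1234 comm="sshd" name="authorized_keys" dev="dm-0" ino=131234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1428000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1428000100.500:460): avc:  denied  { name_bind } for  pid=2200 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# field KEY RECORD: print the value of KEY=... (surrounding quotes stripped).
field() {
  printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# expected_type NAME: default type for names under ~/.ssh (assumes the
# targeted policy); anything else is left for restorecon to answer.
expected_type() {
  case $1 in
    .ssh|authorized_keys) echo ssh_home_t ;;
    *) echo unknown ;;
  esac
}

# triage_sshd: read audit records on stdin and print one summary line per
# AVC denial whose source process is sshd.
triage_sshd() {
  while IFS= read -r line; do
    case $line in type=AVC*' denied '*) ;; *) continue ;; esac
    [ "$(field comm "$line")" = sshd ] || continue
    perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    name=$(field name "$line")
    ttype=$(field tcontext "$line" | cut -d: -f3)
    printf '%s %s name=%s type=%s expected=%s\n' "$perm" \
      "$(field tclass "$line")" "$name" "$ttype" "$(expected_type "$name")"
  done
}

printf '%s\n' "$SAMPLE_LOG" | triage_sshd
```

On a live host the same records come from `ausearch -m avc -c sshd`, and `restorecon -Rnv` on the home directory lists labels that differ from policy without changing them.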


Notorious b.s.d.
Jan 25, 2003

by Reene


ahmeni posted:

selinux is actually pretty easy once you spend the time it takes to sort out how it works

Jerry Bindle
May 15, 2003


turning off security stuff because it's preventing you from doing something is like throwing away your smoke detector bc the battery is low and it keeps beeping. even me an idiot was able to learn enough about selinux to do stuff.

pram
Jun 10, 2001


no one uses selinux

Notorious b.s.d.
Jan 25, 2003

by Reene


lots of people use it, and more people should

e.g. listing all correct and permissible behaviors for your average web app is very easy. listen on a named high number port. read files and directories tagged with a certain context. write files and directories with a different context. read/write /tmp. make outbound connections to a database.

constraining login shells, for example, is a pain in the balls. but selinux policy is easy as poo poo for 99% of desktop and server applications

theultimo
Aug 2, 2004

An RSS feed bot who makes questionable purchasing decisions.


Pillbug

pram posted:

no one uses selinux

pram
Jun 10, 2001


Notorious b.s.d. posted:

lots of people use it, and more people should

nope

pram
Jun 10, 2001


it isnt set to enforcing, or even installed, on basically every cloud image in existence. if you are janitoring selinux on your desktop linux then lol

akadajet
Sep 14, 2003



pram posted:

if you are janitoring selinux on your desktop linux then lol

Notorious b.s.d.
Jan 25, 2003

by Reene


pram posted:

it isnt set to enforcing, or even installed, on basically every cloud image in existence. if you are janitoring selinux on your desktop linux then lol

this is more commentary on how dumb EC2 users are than evidence of SElinux use

Notorious b.s.d.
Jan 25, 2003

by Reene


why yes amazon i would love a frankenstein linux image unsupported by any vendor with selinux turned off

that sounds great

Soricidus
Oct 20, 2010
freedom-hating statist shill

pram posted:

if you are janitoring linux on your desktop then lol

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro


Fun Shoe

ahmeni posted:

selinux is actually pretty easy once you spend the time it takes to sort out how it works

i'm sure there are people who actually believe that this http://pkgs.fedoraproject.org/cgit/rpms/selinux-policy.git/tree/policy-rawhide-base.patch

is "pretty easy"

Notorious b.s.d.
Jan 25, 2003

by Reene


Suspicious Dish posted:

i'm sure there are people who actually believe that this http://pkgs.fedoraproject.org/cgit/rpms/selinux-policy.git/tree/policy-rawhide-base.patch

is "pretty easy"

writing policy for your app is a lot easier than writing all the policy needed to operate a linux distribution


(when you complain C is hard, do you paste the entirety of glibc's source code into the argument?)

pram
Jun 10, 2001


selinux is just one of those shibboleths that nerds adopt to signal their cred. like functional programming and ham radios. utterly meaningless and pointless

Notorious b.s.d.
Jan 25, 2003

by Reene


no one has ever thought selinux was cool

security is never cool

it is, however, necessary

Suspicious Dish
Sep 24, 2011

2020 is the year of linux on the desktop, bro


Fun Shoe

Notorious b.s.d. posted:

writing policy for your app is a lot easier than writing all the policy needed to operate a linux distribution


(when you complain C is hard, do you paste the entirety of glibc's source code into the argument?)

except your app's policy heavily depends on the distro policy. being able to debug your policy requires you to understand a lot about the rest of the system's policy.

Notorious b.s.d.
Jan 25, 2003

by Reene


Suspicious Dish posted:

except your app's policy heavily depends on the distro policy. being able to debug your policy requires you to understand a lot about the rest of the system's policy.

of course. which is much easier than re-creating it from scratch.

i can consume libc a lot easier than i could re-write libc

Notorious b.s.d.
Jan 25, 2003

by Reene


also really nobody has working selinux except the redhat family. so really "knowing selinux" is "understanding how to use the stuff defined in that giant blob you pasted"

i'd rather chew my own arm off than try and get selinux working on ubuntu

Celexi
Nov 25, 2006

Slava Ukraini!


lol at the people unironically trash talking selinux and the one choosing ubuntu over fedora

do you guys also login with root to your servers with password y/n

pram
Jun 10, 2001


Notorious b.s.d. posted:

also really nobody has working selinux except the redhat family. so really "knowing selinux" is "understanding how to use the stuff defined in that giant blob you pasted"

i'd rather chew my own arm off than try and get selinux working on ubuntu

"knowing selinux" is "understanding enough to pass the rhce"

Notorious b.s.d.
Jan 25, 2003

by Reene


pram posted:

"knowing selinux" is "understanding enough to pass the rhce"

the rhce is well-designed. it is not a coincidence that knowing enough to pass the rhce is also enough to implement selinux successfully in 99% of scenarios

nobody expects that you're gonna go out and implement selinux from scratch on ubuntu.

it's entirely reasonable to expect folks to write a few lines of selinux policy to get their web app du jour to work properly on centos in enforcing mode.

FlapYoJacks
Feb 12, 2009


SELinux is cool and good and if you don't understand it you are functionally retarded.

pram
Jun 10, 2001


dont sign your posts

akadajet
Sep 14, 2003



Celexi posted:

lol at the people unironically trash talking selinux and the one choosing ubuntu over fedora

do you guys also login with root to your servers with password y/n

fedora didn't work at all. i guess that's secure.

Breakfast All Day
Oct 21, 2004




trying to fix the insecurities of linux users sounds like some sort of halting problem imo

BobHoward
Feb 13, 2012

The only thing white people deserve is a bullet to their empty skull


Breakfast All Day posted:

trying to fix the insecurities of linux users sounds like some sort of halting problem imo

eschaton
Mar 7, 2007

Don't you just hate when you wind up in a store with people who are in a socioeconomic class that is pretty obviously about two levels lower than your own?


Notorious b.s.d. posted:

because centos has mandatory access control, and openbsd never will

see also: freebsd, solaris, aix, every other linux distribution. pretty much every unix in existence except netbsd, osx, and openbsd.

xnu implements mandatory access control based on FreeBSD, and has contributed changes back to FreeBSD

Maximum Leader
Dec 4, 2014


selinux just seems unnecessary if the os is designed with security in mind from the ground up

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!



Pillbug

Maximum Leader posted:

selinux just seems unnecessary if the os is designed with security in mind from the ground up

yup, that's why the most secure OS in common use, iOS, doesn't need it

Soricidus
Oct 20, 2010
freedom-hating statist shill

Maximum Leader posted:

selinux just seems unnecessary if the os is designed with security in mind from the ground up

seatbelts just seem unnecessary if your driving style is designed with safety in mind from the ground up

akadajet
Sep 14, 2003



Soricidus posted:

seatbelts just seem unnecessary if your driving style is designed with safety in mind from the ground up

:iiaca:

Soricidus
Oct 20, 2010
freedom-hating statist shill

Cocoa Crispies posted:

yup, that's why the most secure OS in common use, iOS, doesn't need it

true words. apple design for security from the ground up, and there's no way they'd ever make a dumb mistake like that "goto fail" bug that hit linux users a year or so back

nosl
Jan 17, 2015

CHIM, bitch!



lol

Soricidus posted:

apple design for security from the ground up

hard to design for security from the ground up when you are the one creating the vector that will be exploited.

Sapozhnik
Jan 2, 2005



Nap Ghost

didn't OSX recently get owned by LD_PRELOAD poo poo of the sort that people knew how to deal with back in the 80s

Malcolm XML
Aug 8, 2009

I always knew it would end like this.


Cocoa Crispies posted:

yup, that's why the most secure OS in common use, iOS, doesn't need it

???? OSX and iOS have MAC its just that iOS enables it and it's administered by apple mostly

its what keeps apps sandboxed iirc

e: in fact the issue w/ selinux is the linux part w/ lots of one-eyed people leading around the blind

akadajet
Sep 14, 2003



Malcolm XML posted:

???? OSX and iOS have MAC its just that iOS enables it and it's administered by apple mostly

its what keeps apps sandboxed iirc

e: in fact the issue w/ selinux is the linux part w/ lots of one-eyed people leading around the blind

What is MAC? It's hard to google ios and mac for obv reasons.

Malcolm XML
Aug 8, 2009

I always knew it would end like this.


Malcolm XML
Aug 8, 2009

I always knew it would end like this.


akadajet posted:

What is MAC? It's hard to google ios and mac for obv reasons.

mandatory access control


akadajet
Sep 14, 2003




weird. chrome keeps trying to fetch this with https and failing.
