On Wednesday, December 08, 2010 10:28:38 am L A Hurst wrote:
From: Lamar Owen lo...@pari.edu
Alright, pray tell how I, a desktop Linux user, can, without VM's and
without having to switch users, protect my files from a PDF attack
through Adobe Reader?
Backups.
I looked in vain for a
On 12/08/2010 10:39 AM, Les Mikesell wrote:
Don't run software you don't trust. Keep the software you run up to
date. Don't open files you don't trust.
Agree here. We have very few issues at my company, because we stress the
issue of thinking before you click, especially when it comes to
On 12/8/2010 4:04 AM, David Sommerseth wrote:
Disabling SELinux is the same type of decision as disabling the firewall ---
it's there to protect you, yet you don't know how to properly configure it
and use it, furthermore you don't want to bother to learn, so you simply
disable the thing
On 08/12/10 16:03, William Warren wrote:
On 12/8/2010 9:13 AM, Christopher Chan wrote:
On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
On 12/8/10 4:22 AM, David Sommerseth wrote:
On 30/11/10 03:52, cpol...@surewest.net wrote:
Christopher Chan wrote:
Les Mikesell wrote:
On Wednesday, December 08, 2010 10:39:50 am Les Mikesell wrote:
On 12/8/2010 9:21 AM, Lamar Owen wrote:
Alright, pray tell how I, a desktop Linux user, can, without VM's and
without having to switch users, protect my files from a PDF attack through
Adobe Reader?
Don't run software you
On 12/8/2010 11:02 AM, Lamar Owen wrote:
On Wednesday, December 08, 2010 10:39:50 am Les Mikesell wrote:
On 12/8/2010 9:21 AM, Lamar Owen wrote:
Alright, pray tell how I, a desktop Linux user, can, without VM's and
without having to switch users, protect my files from a PDF attack through
On Wednesday, December 08, 2010 12:17:40 pm Les Mikesell wrote:
But your question was what to do if you choose to ignore the simple and
available tools - things available and well understood on many platforms.
VM = complex. Not to mention proprietary (for all but KVM) and
resource-wasteful.
On 12/8/2010 11:38 AM, Lamar Owen wrote:
But your question was what to do if you choose to ignore the simple and
available tools - things available and well understood on many platforms.
VM = complex. Not to mention proprietary (for all but KVM) and
resource-wasteful.
Switch User =
; in the case of CentOS, SELinux is a de facto
standard as it's in the default install set. Linux != posix.
The inertia of the installed set means what you learn now will still be usable
in the future. Much like with Linux itself.
___
CentOS mailing list
On 12/8/2010 12:19 PM, Lamar Owen wrote:
Standards committees have their ways of breaking all previous existing
implementations with their final decrees. Let me know when they are
finished.
Standards committees are never finished.
Linux is not standardized, either; in the case of CentOS
On 12/08/2010 10:21 AM, Lamar Owen wrote:
On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
I think you've missed the point that 'all that stuff' (being traditional
unix
security mechanisms) are not all that insecure. It is only
On 08/12/10 17:10, Les Mikesell wrote:
On 12/8/2010 4:04 AM, David Sommerseth wrote:
[...snip...]
Agreed, and something that equally needs standardization.
iptables is a de-facto standard on all Linux distributions nowadays. It
is not ratified by ISO, IETF or similar ... but how does that
On Wednesday, December 08, 2010 01:47:07 pm Daniel J Walsh wrote:
Sandbox -X might help solve some of these problems. Available in RHEL6
http://danwalsh.livejournal.com/31146.html?thread=212906
Looks interesting, Dan. Thanks much. And thanks much for the sometimes
thankless work of trying
On 12/8/2010 12:55 PM, David Sommerseth wrote:
The real life situation is that iptables only works on linux and the way
it works is distribution-dependent. So what you learn may lock you into
a platform that may not always be your best choice.
Please educate me here. I've been using Novell
On 12/8/2010 7:13 AM, Christopher Chan wrote:
Such [periodic failures] are fairly common
I'd say the main reason someone chooses CentOS (or another Linux flavor
with similar policies, like Ubuntu LTS) is that the distro provider has
made a long-term support commitment with minimal churn
[I'm guessing from the dozens of quoted lines per reply that many of
y'all aren't as lucky as I am. I have a threading email reader with
backing store, so I can go back and read past messages in a thread if I
need more context than a brief quote can provide. I have been so lucky
since the
On 12/8/2010 3:04 AM, David Sommerseth wrote:
it is still not recommendable to trade security for simplicity.
Security is never an absolute; it is *always* a tradeoff against simplicity.
We could store our servers 16 feet underground and encased in concrete
to prevent tampering and accidental
On 12/8/2010 8:21 AM, Lamar Owen wrote:
On Tuesday, December 07, 2010 06:29:44 pm Les Mikesell wrote:
And if you can't get the simple version right, how can you hope to
do it right with something wildly more complicated?
Alright, pray tell how I, a desktop Linux user,...
Let's not drag the
On 12/8/2010 3:41 PM, Warren Young wrote:
/That/ is my point. I could -- and sometimes do -- work around file
permissions errors manually, quickly. SELinux has a higher order of
complexity compared to Unix file permissions, so the associated fixes
don't fit into a small,
On 12/8/2010 3:26 PM, Les Mikesell wrote:
Is there any central reporting concept in SELinux so a multi-machine
admin doesn't have to go check each for all of the one-off cases and
knowledge can be shared about the fixes needed for 3rd party RPMs?
No. But then, there's not one for file
On 12/8/2010 4:48 PM, Warren Young wrote:
On 12/8/2010 3:26 PM, Les Mikesell wrote:
Is there any central reporting concept in SELinux so a multi-machine
admin doesn't have to go check each for all of the one-off cases and
knowledge can be shared about the fixes needed for 3rd party RPMs?
No.
On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
Let's not drag the desktop user into this discussion, too.
Why not? Are there no CentOS desktop users out there? Are the needs of the
desktop just to be ignored? I support desktop Linux users who are not power
users; works
On Wednesday, December 08, 2010 11:03 PM, William Warren wrote:
On 12/8/2010 9:13 AM, Christopher Chan wrote:
On Wednesday, December 08, 2010 09:31 PM, Les Mikesell wrote:
On 12/8/10 4:22 AM, David Sommerseth wrote:
On 30/11/10 03:52, cpol...@surewest.net wrote:
Christopher Chan wrote:
Les
On Thursday, December 09, 2010 05:00 AM, Warren Young wrote:
On 12/8/2010 7:13 AM, Christopher Chan wrote:
Such [periodic failures] are fairly common
I'd say the main reason someone chooses CentOS (or another Linux flavor
with similar policies, like Ubuntu LTS) is that the distro provider
On Thursday, December 09, 2010 02:55 AM, David Sommerseth wrote:
Second, iptables is a de-facto standard for Linux, just as pf is pretty
much the standard firewalling on BSD. Windows and Solaris got their own
firewalling methods as well. My point is, neither of them are any Posix
standards
On Thursday, December 09, 2010 03:40 AM, Les Mikesell wrote:
How many of those use the same commands to
start/stop/save-current-config? Where do they keep the configs? How If
you deployed applications on all of them, how much time would it take to
train the operators that do the install and
On Thursday, December 09, 2010 06:55 AM, Lamar Owen wrote:
On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
Let's not drag the desktop user into this discussion, too.
Why not? Are there no CentOS desktop users out there? Are the needs of the
desktop just to be ignored? I
On 12/8/2010 6:14 PM, Christopher Chan wrote:
On Thursday, December 09, 2010 03:40 AM, Les Mikesell wrote:
Or rather stop telling people not to use SELinux and iptables on this
list just because you don't want to use any of these tools because it is
too troublesome for you and your gang.
On Thursday, December 09, 2010 08:41 AM, Les Mikesell wrote:
On 12/8/2010 6:14 PM, Christopher Chan wrote:
On Thursday, December 09, 2010 03:40 AM, Les Mikesell wrote:
Or rather stop telling people not to use SELinux and iptables on this
list just because you don't want to use any of these
On 12/8/2010 5:00 PM, Christopher Chan wrote:
On Thursday, December 09, 2010 05:00 AM, Warren Young wrote:
I assume you mean to advocate running updates infrequently,
No, I advocate setting up SELinux properly which will take care of the
automatic updates.
That's great if you are wise enough
On 12/8/2010 3:55 PM, Lamar Owen wrote:
On Wednesday, December 08, 2010 05:11:23 pm Warren Young wrote:
Let's not drag the desktop user into this discussion, too.
Why not?
I thought my reason was clear, but apparently not. You talk the talk of
security, but I guess we hang in different
On 12/07/2010 05:11 PM, Rob Kampen wrote:
Daniel J Walsh wrote:
I wrote this paper to try to explain what SELinux tends to complain
about.
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
I am having difficulty with the pdf file - both adobe and kpdf
On Thursday, December 09, 2010 11:06 AM, Warren Young wrote:
On 12/8/2010 5:00 PM, Christopher Chan wrote:
On Thursday, December 09, 2010 05:00 AM, Warren Young wrote:
I assume you mean to advocate running updates infrequently,
No, I advocate setting up SELinux properly which will take care
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
I agree, and would like to look at the AVC's to understand what could
have broken the labeling
Well - since it happened again this morning, here you go. On further
investigation in backups, I previously had the user account that I use
for the FTP
On 12/07/2010 10:36 AM, Benjamin Franz wrote:
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
I agree, and would like to look at the AVC's to understand what could
have broken the labeling
Well - since it happened again this morning, here you go.
On 12/07/2010 07:36 AM, Benjamin Franz wrote:
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
I agree, and would like to look at the AVC's to understand what could
have broken the labeling
Well - since it happened again this morning, here you go. On further
investigation in backups, I
On 12/07/2010 10:59 AM, Benjamin Franz wrote:
On 12/07/2010 07:36 AM, Benjamin Franz wrote:
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
I agree, and would like to look at the AVC's to understand what could
have broken the labeling
Well -
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
Yes SELinux and all MAC systems require that if the administrator puts
files in non default directories, then they have to be told. In
the case of SELinux, this involves correcting the labeling. DAC has
similar problems, in that you need
The issue is similar to that of using passwords of more than
10 characters composed of random mixed-case alphanumeric
characters (ideally with special characters mixed in). Yes -
they are provably more secure in a technical sense than
virtually any easily remembered system.
However
On 12/07/2010 11:59 AM, Benjamin Franz wrote:
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
Yes SELinux and all MAC systems require that if the administrator puts
files in non default directories, then they have to be told. In
the case
Brunner, Brian T. wrote:
snip
My solution is to use complex passwords, and write them down wrong,
making my write-down a password hint, but not a password.
My task is to remember what is my transform from hint to fact: (examples
follow, choose your own)
snip
Yeah, I use hints, too... but do
Daniel J Walsh wrote:
On 12/07/2010 11:59 AM, Benjamin Franz wrote:
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
Yes SELinux and all MAC systems require that if the administrator puts
files in non default directories, then they have to be told.
In the case of SELinux, this involves
On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
Daniel J Walsh wrote:
On 12/07/2010 11:59 AM, Benjamin Franz wrote:
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
Yes SELinux and all MAC systems require that if the administrator puts
files in non
On 12/7/10 11:53 AM, Daniel J Walsh wrote:
We have attempted to work with them, setup default labeling for them
when we know about the problems, embarrass them when they say you need
to disable SELInux. Red Hat is working on new developer tools to help
third party developers work on RHEL
On Tue, 7 Dec 2010, m.r...@5-cent.us wrote:
I am not arguing that SELinux is easy, I am arguing that it is not
rocket science. I have worked for a several years to try to make
If rocket science means very difficult and obscure, yes, it is.
I've got to cry foul here. Difficult and obscure
On 12/07/2010 01:13 PM, m.r...@5-cent.us wrote:
Daniel J Walsh wrote:
On 12/07/2010 12:46 PM, m.r...@5-cent.us wrote:
Daniel J Walsh wrote:
On 12/07/2010 11:59 AM, Benjamin Franz wrote:
On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
mvnch
What
Daniel J Walsh wrote:
I wrote this paper to try to explain what SELinux tends to complain about.
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
I am having difficulty with the pdf file - both adobe and kpdf have
problems with the pages with screen shots
On 12/7/10 1:45 PM, Marko Vojinovic wrote:
And it isn't really rocket science. It's just an extension to the existing
classical permissions system --- it works in analogous way, just with greater
flexibility and power. If you know how to understand and use file permissions,
you will easily
On 12/7/10 8:28 PM, Marko Vojinovic wrote:
I think you've missed the point that 'all that stuff' (being traditional
unix security mechanisms) are not all that insecure. It is only when you
get them wrong that you need to fall back on selinux as a safety net.
And if you can't get the simple
Rob Kampen wrote:
Daniel J Walsh wrote:
I wrote this paper to try to explain what SELinux tends to complain
about.
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
I am having difficulty with the pdf file - both adobe and kpdf have
problems with
On 12/02/2010 06:34 PM, Jerry Franz wrote:
On 11/28/2010 09:31 AM, Benjamin Franz wrote:
[...]
And then, one day, it won't work. Worse - it doesn't always *log* what
it is doing in a way that you can figure out. Occasionally not at all.
So you
On 12/06/2010 06:06 AM, Daniel J Walsh wrote:
Did you take a look at the AVC messages? Are you running setroubleshoot?
Yes to both.
Usually running something like restorecon -R -v /var/ftp would have
cleaned this up, if it is a simple mislabel in /var directory.
The point is *I shouldn't
On 12/06/2010 09:45 AM, Jerry Franz wrote:
On 12/06/2010 06:06 AM, Daniel J Walsh wrote:
Did you take a look at the AVC messages? Are you running setroubleshoot?
Yes to both.
Usually running something like restorecon -R -v /var/ftp would have
On 11/28/2010 09:31 AM, Benjamin Franz wrote:
[...]
And then, one day, it won't work. Worse - it doesn't always *log* what
it is doing in a way that you can figure out. Occasionally not at all.
So you spend a few hours poking at the system until you try the magic of
turning off SELinux. And
On Wed, Dec 1, 2010 at 12:52 AM, Geoff Galitz ge...@galitz.org wrote:
I would guess no one knows. But all of my CentOS installs are OOB as
concerning SELinux, except the two scalix installs, which have some
custom
'stuff' thanks to the scalix instance naming.
All I know is at the last two
2010/12/1 Nico Kadel-Garcia nka...@gmail.com:
Anyone willing to contribute funds (or time) to such a study? It would be
educational experience and good PR, at the least.
Oh, I know the holes and which would be straightforward to get to.
There's generally enough lower hanging fruit with NFS
On this thread, I'm speaking with my manager, and the other admin comes
in, ranting about selinux, and that he's going to file a bug against it
with RH. Seems he installed RHEL6, and had the misfortune of having an
older Sun keyboard, and may have hit the caps lock key when entering the
root
On 12/01/2010 10:19 AM, m.r...@5-cent.us wrote:
On this thread, I'm speaking with my manager, and the other admin comes
in, ranting about selinux, and that he's going to file a bug against it
with RH. Seems he installed RHEL6, and had the
On Tue, Nov 30, 2010 at 10:28 PM, Marko Vojinovic vvma...@gmail.com wrote:
On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
And about apache... most of those attacks are preventable through
defensive configuration and coding for httpd itself. Looking to selinux to
protect you is
On Wednesday, December 01, 2010 11:37 AM, Nico Kadel-Garcia wrote:
On Tue, Nov 30, 2010 at 10:28 PM, Marko Vojinovic vvma...@gmail.com wrote:
On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
And about apache... most of those attacks are preventable through
defensive configuration
On 11/30/10 9:28 PM, Marko Vojinovic wrote:
On Tuesday 30 November 2010 20:54:37 m.r...@5-cent.us wrote:
And about apache... most of those attacks are preventable through
defensive configuration and coding for httpd itself. Looking to selinux to
protect you is very sloppy.
So a guy in a
I would guess no one knows. But all of my CentOS installs are OOB as
concerning SELinux, except the two scalix installs, which have some
custom
'stuff' thanks to the scalix instance naming.
All I know is at the last two companies I worked at - AT&T, a small team
building software for the
From: Les Mikesell lesmikes...@gmail.com
why are you putting blind faith in the SELinux code?
Because it comes from the NSA!
The backdoor experts... ;P
JD
PS: joking of course, the NSA would never do anything bad...
Hello Les,
On Mon, 2010-11-29 at 12:35 -0600, Les Mikesell wrote:
If you don't trust your software, run it under a uid that doesn't have
write access to anything important - or in a VM or a different machine
for that matter. X has no problem displaying programs running with
different uids
Hello John,
On Tue, 2010-11-30 at 02:12 -0800, John Doe wrote:
From: Les Mikesell lesmikes...@gmail.com
why are you putting blind faith in the SELinux code?
The SELinux restrictions are a much bigger hurdle to take for a buffer
overflow exploit than setting a safe uid.
Because it comes
On Tuesday, November 30, 2010 07:45 PM, Leonard den Ottolander wrote:
Hello Les,
On Mon, 2010-11-29 at 12:35 -0600, Les Mikesell wrote:
If you don't trust your software, run it under a uid that doesn't have
write access to anything important - or in a VM or a different machine
for that
On 30/11/10 10:54 PM, Leonard den Ottolander wrote:
On Tue, 2010-11-30 at 02:12 -0800, John Doe wrote:
Because it comes from the NSA!
The backdoor experts... ;P
PS: joking of course, the NSA would never do anything bad...
This of course was a serious concern by any of the early
Ben McGinnes wrote:
On 30/11/10 10:54 PM, Leonard den Ottolander wrote:
On Tue, 2010-11-30 at 02:12 -0800, John Doe wrote:
snip
As you say, it was eventually determined that the NSA did not insert
anything dodgy in the code to give them access. They only did two
I dunno, selinux is pretty
On 1/12/10 2:32 AM, m.r...@5-cent.us wrote:
Ben McGinnes wrote:
The reason for the second one is pretty obvious, though, they know
that SELinux would be (and is) used by non-Americans and they don't
want to protect foreign secrets, they want to discover them.
Um, not quite: there *are*
On Monday, November 29, 2010 02:24:14 pm m.r...@5-cent.us wrote:
Lamar Owen wrote:
My opinion is that I'm not going to run third party apps that break in that
way, and I'm going to let the developers know why.
snip
That's fine for you. When you're running in a larger environment, as many
On Monday, November 29, 2010 11:02:59 pm cpol...@surewest.net wrote:
Your enthusiasm for SELinux seems tied conceptually to a workstation
running the set of applications that come with the distribution.
Nothing wrong with that.
I have used a Linux as my primary desktop for 13 years; so, yeah,
On 11/30/2010 9:51 AM, Lamar Owen wrote:
If a particular app is so recalcitrant that SELinux needs to be turned off,
that's when I'd be doing some drastic things, much like windows lab
environments need done. Things like automatic revert to known-good snapshot
on the production boxes for
On Monday, November 29, 2010 09:35:44 pm Les Mikesell wrote:
Not so much a problem - I'm just saying that you should do the simple things
that have always worked first, then add SELinux if you want.
First, I hope everyone else is enjoying the thread as much as I; I always like
to see
I'll add to the large (often interesting, but large nonetheless) pile
of messages in this thread by remarking that even in permissive mode,
SELinux can be very useful as an audit tool.
Those AVC messages folks love to hate show deviations from expected
behavior. Sometimes those deviations are
Lamar Owen wrote:
On Monday, November 29, 2010 09:35:44 pm Les Mikesell wrote:
Not so much a problem - I'm just saying that you should do the simple
things that have always worked first, then add SELinux if you want.
snip
Now, I want to ask, given the two alternatives:
1.) Set up another uid
On Tuesday, November 30, 2010 05:12:17 am John Doe wrote:
From: Les Mikesell lesmikes...@gmail.com
why are you putting blind faith in the SELinux code?
Because it comes from the NSA!
The backdoor experts... ;P
Also the SCIF experts.
SCIFs are used by people other than intelligence
On Tuesday, November 30, 2010 11:21:46 am Les Mikesell wrote:
I'm not talking about a particular app. The thing I want quantified is
what it will cost to train some number of people to be able to
troubleshoot any problem that SELinux might cause with any app, given
potential changes in
On 11/30/2010 11:04 AM, Lamar Owen wrote:
On Tuesday, November 30, 2010 11:21:46 am Les Mikesell wrote:
I'm not talking about a particular app. The thing I want quantified is
what it will cost to train some number of people to be able to
troubleshoot any problem that SELinux might cause with
On Tuesday, November 30, 2010 11:38:24 am m.r...@5-cent.us wrote:
Lamar Owen wrote:
2.) Be able to tell my os 'PDF reader can only do X to these files, and no
others. Browser cannot read ~/Documents, and can only write in
~/.mozilla. Flash plugin cannot write anywhere without specific
Lamar Owen wrote:
On Tuesday, November 30, 2010 11:38:24 am m.r...@5-cent.us wrote:
Lamar Owen wrote:
2.) Be able to tell my os 'PDF reader can only do X to these files,
and no others. Browser cannot read ~/Documents, and can only write in
~/.mozilla. Flash plugin cannot write anywhere
On Tuesday, November 30, 2010 12:18:26 pm Les Mikesell wrote:
But [what it will cost to train some number of people to be able to
troubleshoot any problem that SELinux might cause with any app, given
potential changes in updates to both the distribution provided stuff and
the 3rd party coding
Lamar Owen wrote:
On Tuesday, November 30, 2010 12:18:26 pm Les Mikesell wrote:
But [what it will cost to train some number of people to be able to
troubleshoot any problem that SELinux might cause with any app, given
potential changes in updates to both the distribution provided stuff and
On 11/30/2010 10:42 AM, Lamar Owen wrote:
It boils down to balancing 'it breaks my app that I can't or won't fix'
against 'you've been pwned!'
Actually, it boils down to 'what causes more total costs to the
business'. Right now, in my experience, that is SELinux. Break ins to my
servers are
Benjamin Franz wrote:
On 11/30/2010 10:42 AM, Lamar Owen wrote:
It boils down to balancing 'it breaks my app that I can't or won't fix'
against 'you've been pwned!'
Actually, it boils down to 'what causes more total costs to the
business'. Right now, in my experience, that is SELinux. Break
On Tue, 30 Nov 2010, Les Mikesell wrote:
... troubleshoot any problem that SELinux might cause with
any app, ...
would you like a fixed price on that quote as well?
- R
On Tuesday, November 30, 2010 02:04:12 pm Benjamin Franz wrote:
On 11/30/2010 10:42 AM, Lamar Owen wrote:
It boils down to balancing 'it breaks my app that I can't or won't fix'
against 'you've been pwned!'
Actually, it boils down to 'what causes more total costs to the
business'.
On Tuesday, November 30, 2010 01:55:11 pm m.r...@5-cent.us wrote:
Reality check time: selinux is a *tiny* portion of the entire Linux
market, though growing.
Reality check: IDC analysts have estimated Red Hat's share of the paid
commercial Linux market as 62%[1], [2], with Red Hat estimating
Lamar Owen wrote:
On Tuesday, November 30, 2010 01:55:11 pm m.r...@5-cent.us wrote:
snip
However, there are a ton of apps out there, and
almost no developers who have been earning their living as programmers,
who have any knowledge of selinux. Case in point: something here,
developed in-house
On Tue, Nov 30, 2010 at 03:11:24PM -0500, Lamar Owen wrote:
Reality check: IDC analysts have estimated Red Hat's share of the paid
commercial Linux market as 62%[1], [2], with Red Hat estimating higher
[3]. That's RHEL: which ships SELinux enabled, enforcing, targeted,
by default. And, this
Stephen Harris wrote:
On Tue, Nov 30, 2010 at 03:11:24PM -0500, Lamar Owen wrote:
Reality check: IDC analysts have estimated Red Hat's share of the paid
commercial Linux market as 62%[1], [2], with Red Hat estimating higher
[3]. That's RHEL: which ships SELinux enabled, enforcing, targeted,
On Tuesday, November 30, 2010 03:49:57 pm Stephen Harris wrote:
Reality check: how many of those installs are RedHat OOB installs with
default options?
No idea. How many aren't default OOB?
For that matter, how many CentOS installs are out there are set:
1.) OOB, SELinux enforcing/targeted;
Lamar Owen wrote:
On Tuesday, November 30, 2010 03:49:57 pm Stephen Harris wrote:
Reality check: how many of those installs are RedHat OOB installs with
default options?
No idea. How many aren't default OOB?
For that matter, how many CentOS installs are out there are set:
1.) OOB, SELinux
On Tuesday, November 30, 2010 03:31:44 pm m.r...@5-cent.us wrote:
Lamar Owen wrote:
CA should know better, and if they are targeting RHEL commercially they
should be supporting the default RHEL configuration.
Right. So, hey, do you have the rights to call CA and lean on them?
Nope, sorry.
Lamar Owen wrote:
On Tuesday, November 30, 2010 03:31:44 pm m.r...@5-cent.us wrote:
Lamar Owen wrote:
CA should know better, and if they are targeting RHEL commercially
they should be supporting the default RHEL configuration.
Right. So, hey, do you have the rights to call CA and lean on
On 11/30/2010 3:13 PM, Marko Vojinovic wrote:
P.S. I am just waiting for the day when SELinux is going to become locked in
enforcing mode by the kernel developers, much as the traditional permissions
system is a mandatory thing right now. :-D
I thought there was a security API in the kernel
Leonard den Ottolander wrote:
With the ever increasing complexity of software is there any software
you trust? I know I don't. Are you running your Flash plugin in Mozilla
as a different user than the one you logged into under X? Care to
elaborate how to accomplish such a feat? Or can you
On Tuesday, November 30, 2010 01:22:53 pm m.r...@5-cent.us wrote:
Right - change *local* policy for every iteration.
On the servers I would of course put policy into revision control and build it
into our customization package (I've built RPM's for a long time). Then
consistent contexts can
Lamar Owen wrote:
On Tuesday, November 30, 2010 01:22:53 pm m.r...@5-cent.us wrote:
snip
I'm talking about the real, outside world, *not* my own personal system.
..
As I said, I work in the real world with all this, and you seem to be
arguing, based on your own personal experience that
On Tuesday, November 30, 2010 04:52:42 pm Les Mikesell wrote:
I thought there was a security API in the kernel that was designed
specifically _not_ to lock it to an implementation.
Yes; Linux Security Modules (LSM). According to the wikipedia.org page on said
subject, the current
On Wednesday, December 01, 2010 04:54 AM, m.r...@5-cent.us wrote:
And about apache... most of those attacks are preventable through
defensive configuration and coding for httpd itself. Looking to selinux to
protect you is very sloppy.
The key word is most. If one bothered to go through all