After reading through the various SELinux threads, I really became quite perturbed. I mean, really quite perturbed.

As an IT Director (and the entire IT department, currently), if I were hiring a sysadmin I know for a fact that someone whose first response to a question on why something doesn't work is 'turn it off' would not get a job here. Neither would a sysadmin with as much cynicism as has been displayed, or an automatic 'it broke things' when something new (and in fact improved) comes along get a job here. Do realize that this list is archived, and that many people who are hiring might use Google to find your name (or mine, for that matter).

No, I would hire someone who would read enough of the friendly manual to know where to look and who to ask to find the fix for the real problem. The real fix is there; thanks to the KMail developers for including a 'mark as important' feature so I can find that message amongst the drivel in that thread easily (well, actually I'll probably just delete everything but the real solution). It is the lazy sysadmin who just turns things off without an understanding as to why they are turned off; don't give me the 'overworked' line; you had enough time to post here on the brokenness of SELinux, so you had enough time to find the problem's real source. I am not interested in hiring lazy sysadmins, once I get to hiring. Bryan Smith, for all the verbosity he is known for, doesn't seem to be lazy and could likely hold the job; Craig White likewise, among many others here. I won't name all the names to protect the guilty. :-)

The main reason I think sysadmins in general seem to hate SELinux is the 'Mandatory' part of 'Mandatory Access Control': that is, superuser power is too addictive to get rid of, and SELinux can do away with 'superuser' powers entirely. AND THAT IS A GOOD THING. Yes, it really is.

The buffer overflow exploit for those root-running daemons doesn't stand a chance even if it gains root, as long as the selinux policies are set properly. And, yes, it is possible to set the policies properly; any daemon whose developers feel that it needs to be exempt from such might have a problem running on my servers. In a nutshell, SELinux is on and enabled everywhere here; I can't seem to find any measurable speed difference between SELinux targeted, permissive or off; it is unobtrusive in my experience, and it does indeed help protect internet-facing systems from unknown buffer overflows. This is a good thing, and I am convinced that the minor inconvenience of learning a new security tool's configuration is a great tradeoff; especially when the alternative is a compromised system. As there is no such thing as a 100% secure system, anything that improves security but, when properly configured, doesn't impact usability is a BIG WIN in my book, and probably in many other IT Directors' books too.

I have been running Red Hat Linux on internet-facing servers for quite a while, now, and in my opinion and experience, SELinux is the best thing to happen to Linux since 0.13 was released. It's about time the antiquated default Unix permissions system was overhauled. Yes, it requires study, thought, and care. I would expect nothing less of any sysadmins who would work under me.

Also, as one poster wrote, SELinux is NOT a *service* but is indeed the Bully Boss of the system. This is also a good thing for internet-facing servers to have; how is the machine supposed to know that the Real Root has logged in, and that that process with euid 0 really was started by the Real Root?

The Real Root should take the time to configure into the policies those things the Real Root would normally do (you know, things like backups and the like, along with other normal activities), but then block those actions that the Real Root would not do (like install a rootkit; yes, a properly configured SELinux can prevent installation of a rootkit on your machine even if it gets 'rooted'). The power of the properly configured Mandatory Access Control system (The Bully Boss) is completely in the control of the Real Root, but untouchable by those Fake Roots who wish to do your system harm. This is again a good thing, and one I would think Diligent Sysadmins would be falling over themselves trying to learn and deploy.

-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
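Lamar's "as long as the policies are set properly" holds only for daemons the policy actually confines, so the first check on a host is which uid-0 processes run in an unconfined domain. This is an added example (mine, not Lamar's or the list's) that reads `ps -eo label,uid,pid,comm` output and flags them; the set of unconfined domain types and the ps column layout are assumptions stated in the code, and the sample output is constructed.

```python
"""Which uid-0 processes does the SELinux policy actually confine?

Added example; not code from the thread. Under the targeted policy a
process is governed by the policy only if it runs in a confined domain.
A uid-0 process whose context type is unconfined_t (or initrc_t, the
domain a service lands in when no policy module exists for it) is
protected by nothing but ordinary Unix permissions, so the confinement
Lamar relies on does not apply to it. This parses the output of
`ps -eo label,uid,pid,comm` and lists such processes. The unconfined
type set and the column layout are assumptions; the sample is constructed.
"""
from typing import List, NamedTuple

# Domain types taken to mean "no policy applies" (assumption; adjust to
# the policy actually loaded on the host).
UNCONFINED_TYPES = frozenset({"unconfined_t", "initrc_t"})


class Proc(NamedTuple):
    context: str
    uid: int
    pid: int
    comm: str

    @property
    def domain(self) -> str:
        """Type (third colon-separated field) of the process context.

        Handles both user:role:type and the later user:role:type:level form.
        """
        parts = self.context.split(":")
        return parts[2] if len(parts) >= 3 else self.context


def parse_ps_label(text: str) -> List[Proc]:
    """Parse `ps -eo label,uid,pid,comm` output (first line is the header).

    Only the first three columns are split off, so a command name with
    spaces stays intact.
    """
    procs: List[Proc] = []
    for line in text.splitlines()[1:]:
        fields = line.split(None, 3)
        if len(fields) < 4:
            continue  # blank or malformed line: skip rather than guess a uid
        label, uid, pid, comm = fields
        procs.append(Proc(label, int(uid), int(pid), comm))
    return procs


def unconfined_root_processes(procs: List[Proc]) -> List[Proc]:
    """uid-0 processes whose domain the policy leaves unconfined."""
    return [p for p in procs if p.uid == 0 and p.domain in UNCONFINED_TYPES]


# Constructed sample in the shape ps prints on a targeted-policy host.
SAMPLE_PS = """\
LABEL                              UID   PID COMMAND
system_u:system_r:init_t             0     1 init
system_u:system_r:sshd_t             0  1001 sshd
system_u:system_r:httpd_t            0  1123 httpd
system_u:system_r:httpd_t           48  1124 httpd
system_u:system_r:initrc_t           0  1340 vendor-agentd
user_u:system_r:unconfined_t         0  2211 bash
"""

if __name__ == "__main__":
    for p in unconfined_root_processes(parse_ps_label(SAMPLE_PS)):
        print(f"pid {p.pid} ({p.comm}): uid 0 in {p.domain}, not confined")
```

On a live host, feed the function the real output (`subprocess.run(["ps", "-eo", "label,uid,pid,comm"], capture_output=True, text=True).stdout`) instead of the sample.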
Bryan J. Smith
2005-Nov-16 20:36 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
Lamar Owen <lowen at pari.edu> wrote:
> As an IT Director (and the entire IT department, currently),
> if I were hiring a sysadmin I know for a fact that someone
> whose first response to a question on why something doesn't
> work is 'turn it off' would not get a job here.

Don't read too much on what other people say on a list -- including the person I'm sure you're referencing here (It's actually not me for once! Whew! ;-). Sometimes people just don't like things, and their opinions would come off much better in person than e-mail. I _always_ think that, even when I completely disagree with someone.

As far as "one-upmanship," in just the last 2 months, I have catalogued no less than 21 separate incidents of "one-upmanship" (yes, I was part of a number of them -- but I was also not part of a _majority_ of them -- especially when I wasn't posting for a while), and the total is by _more_ than 1 dozen different people. Anytime you get enough intelligent people in a group, you're going to have differences and varying opinions. Trying to label someone based on them in e-mail is rather poor, so no one should try.

Even in my own, local LUG, people vary in e-mail from in-person, but at least we see each other in-person. God knows at a place of work, I go to someone's office (if they are local) or pick up the phone and/or use remote meeting capabilities (if they are not) to explain something. E-mail _sucks_ as a medium for explaining ideas clearly. ;-> It's only good for log files and cut'n'pasting things. ;-> That's why question/summary-only mailing lists like Sun Managers and Linux Managers are best when you reach a certain level of subscribers who never see each other. You can't read sarcasm, sincerest humility and the fact that someone might not be giving you their relevant credentials just to be arrogant (especially not after you gave your own first! ;-).

> Neither would a sysadmin with as much cynicism as has been
> displayed, or an automatic 'it broke things' when something
> new (and in fact improved) comes along get a job here. Do
> realize that this list is archived, and that many people who
> are hiring might use Google to find your name (or mine, for
> that matter).

Then according to that logic, I should _never_ have a job. ;->

REALITY: Just because the majority disagrees with you doesn't mean that you're necessarily wrong. Ironically, I've gotten no less than 2 salaried jobs and more than a dozen clients because I was someone on a list _very_few_people_ openly agreed with in a discussion. This has happened time and time again to me -- I'll get a call with an offer for a job because I did not bow down to "popular view" on something!

So excuse me if I don't really care for this continued stream of meta-discussions about what goes on here (I'm not saying you're responsible for that -- many others have already preceded yourself). People are right, people are wrong, people are whatever from their viewpoints. I don't like the "absolutism" I see on SELinux, Red Hat, etc... and I'll sound off, but I leave it there. I don't "hate" anyone -- in fact, the only things I really mind are the people that regularly bring up the fact that they are blocking me, but feel the need to comment on me (So you're blocking me so you see anything so you won't talk about me? Or you just like making a "big deal" about me? ;-).

In the end, I _never_ say people aren't entitled to their opinions -- no matter how misguided or narrow-minded I might feel they might be. Why? Because I'm sure many others think the same about me too -- so I can't fault people for doing what I also do in the eyes of others. Now if you're a hypocrite, then you'll get my scorn. ;-> Don't try to lecture me about my commentary when you've done the exact same things. That's a sure-fire way to lose my respect. But as long as you aren't a hypocrite, I could _care_less_ what you do in e-mail, because most of us have _all_ done it too!

> Bryan Smith, for all the verbosity he is known for, doesn't
> seem to be lazy and could likely hold the job;

Others might disagree. There have been several incidents in my professional life where people got so disgusted with me in e-mail that they called my employer or, in the case of one person, even made criminal accusations against me to the authorities. Did I ever work with these people? No. Ironically enough, it's been the ones I show the most charity to in real life (consulting for free, writing scripts/programs for free, etc...) that I find get "fixated" after I've "bailed them out." Including the one who made a criminal accusation, I helped him more than anyone in my life. [ Of course, in doing that, he cut his own throat, and very few in our LUG will help him ever again, and the few that have tried now agree with me. ;-]

> The main reason I think sysadmins in general seem to hate
> SELinux is the 'Mandatory' part of 'Mandatory Access Control'

Once again, you say it shorter and sweeter than I could ever. ;-> I really thought my analogy to a firewall with a deny-all outgoing default policy was a good one. Apparently not?

> Also, as one poster wrote, SELinux is NOT a *service* but
> is indeed the Bully Boss of the system.

Agreed, and that's how I responded as well.

-- 
Bryan J. Smith                | Sent from Yahoo Mail
mailto:b.j.smith at ieee.org  | (please excuse any
http://thebs413.blogspot.com/ | missing headers)
Les Mikesell
2005-Nov-16 20:45 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
On Wed, 2005-11-16 at 14:12, Lamar Owen wrote:
> The main reason I think sysadmins in general seem to hate SELinux is the
> 'Mandatory' part of 'Mandatory Access Control': that is, superuser power is
> too addictive to get rid of, and SELinux can do away with 'superuser' powers
> entirely.

Not exactly. In my case I just realize that there are 30 years of history behind expecting all unix access control to be in the filesystem in the owner, group and modes of the files. It will take a while to rewrite everything based on different assumptions, and meanwhile things will mysteriously not work.

> AND THAT IS A GOOD THING. Yes, it really is. The buffer overflow
> exploit for those root-running daemons doesn't stand a chance even if it
> gains root, as long as the selinux policies are set properly.

We are talking about bugs here. Why are you so convinced that the new code you just introduced to enforce this new policy does not in fact introduce new bugs? Remember that old code that you are trying to protect has many, many years of finding and fixing exploits. They may in fact all be fixed now and you are just setting up new ones that we don't know about yet with this change regardless of how well-intentioned it is.

> I have been running Red Hat Linux on internet-facing servers for quite a
> while, now, and in my opinion and experience, SELinux is the best thing to
> happen to Linux since 0.13 was released.

Have you watched the changelogs to see if in fact any problems have been found and fixed so far?

> The Real Root should take the time to configure into the policies those
> things the Real Root would normally do (you know, things like backups and the
> like, along with other normal activities),

Speaking of backups, have you tested the method you use to make sure it restores the attributes SELinux needs to work?

-- 
Les Mikesell
lesmikesell at gmail.com
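Les's backup question is the concrete one in this thread: a file's SELinux label lives in its security.selinux extended attribute, and a restore that drops xattrs leaves files that a confined daemon can no longer touch. The following is an added example (mine, not from the thread) that compares the labels of an original tree against a restored copy; os.getxattr is the Linux call it uses, the type-only mode and the unconfined handling of ENOTSUP are my choices, and the sample label maps are constructed.

```python
"""Did the backup round trip preserve SELinux file labels?

Added example; not code from the thread. Labels live in the
security.selinux xattr. A backup made without xattr support restores
files with no label (or, if the restore ran under another SELinux user,
a different one), and a confined daemon is then denied access until the
tree is relabelled. Labels are read with os.getxattr (Linux only); the
sample maps at the bottom are constructed so the comparison runs anywhere.
"""
import errno
import os
from typing import Dict, List, Optional, Tuple

XATTR = "security.selinux"
Labels = Dict[str, Optional[str]]  # relative path -> context; None = unlabeled
Mismatch = Tuple[str, Optional[str], Optional[str]]


def read_label(path: str) -> Optional[str]:
    """Return the SELinux context of path, or None if it carries none.

    ENODATA: xattrs supported but no label (what a lossy restore leaves).
    ENOTSUP: the filesystem cannot hold labels at all. Both are "unlabeled".
    """
    try:
        raw = os.getxattr(path, XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return raw.rstrip(b"\0").decode()


def collect_labels(root: str) -> Labels:
    """Map every path under root (relative to root) to its label."""
    labels: Labels = {".": read_label(root)}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            labels[os.path.relpath(full, root)] = read_label(full)
    return labels


def _key(ctx: Optional[str], type_only: bool) -> Optional[str]:
    """Whole context, or just its type field when type_only is set."""
    if ctx is None or not type_only:
        return ctx
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def compare_labels(expected: Labels, restored: Labels,
                   type_only: bool = False) -> List[Mismatch]:
    """Return (path, expected, restored) for every path whose label changed.

    A path absent from the restored tree is reported with restored=None.
    type_only ignores user/role/level: type enforcement keys on the type,
    so a restore that kept the type but not the SELinux user still works.
    """
    out: List[Mismatch] = []
    for path in sorted(expected):
        want, got = expected[path], restored.get(path)
        if _key(want, type_only) != _key(got, type_only):
            out.append((path, want, got))
    return out


# Constructed sample: a labelled web tree, and what came back from an
# archive written without extended attributes.
SAMPLE_BEFORE: Labels = {
    ".": "system_u:object_r:httpd_sys_content_t",
    "index.html": "system_u:object_r:httpd_sys_content_t",
    "cgi-bin": "system_u:object_r:httpd_sys_script_exec_t",
    "cgi-bin/form.cgi": "system_u:object_r:httpd_sys_script_exec_t",
}
SAMPLE_AFTER: Labels = {
    ".": "system_u:object_r:httpd_sys_content_t",  # relabelled by hand
    "index.html": None,  # xattr not restored
    "cgi-bin": "user_u:object_r:httpd_sys_script_exec_t",  # type kept
    "cgi-bin/form.cgi": "user_u:object_r:httpd_sys_content_t",  # wrong type
}

if __name__ == "__main__":
    for path, want, got in compare_labels(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"{path}: expected {want}, restored {got}")
```

On a live host, run `compare_labels(collect_labels(orig_dir), collect_labels(restored_dir))` after a test restore; anything it reports is what a relabel of the restored tree would have to fix.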
Nathan Oyler
2005-Nov-16 22:05 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
> The main reason I think sysadmins in general seem to hate SELinux is the
> 'Mandatory' part of 'Mandatory Access Control': that is, superuser power
> is too addictive to get rid of, and SELinux can do away with 'superuser'
> powers entirely.

I disagree with this. The main reason I dislike SELinux is the way I was introduced to it. I wasted quite a bit of time on an issue before I even knew what SELinux was because it was turned on by default on an FC2 machine. I was asked by another admin to use FC2 on a particular job, and I never saw SELinux. I turn it on now for all machines, but if you were to have asked me at any point in the week my feelings on SELinux they would have not been pleasant.

At the time, I looked and there wasn't any real documentation for what I was trying to do, and why it failed. Now after time has passed, I realize what was going on, but when you're in the middle of a job on a time crunch, the last thing you want to do is learn a new security system. I turned the thing off. Got what I needed done, and came back to the issue at a later date.

The turning it on by default irked me. Superuser power as a trip is just silly. What's the difference? All I want is enough power to do my job.
Nathan Oyler
2005-Nov-16 23:03 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
> Ummm, why were you installing Fedora Core 2 in a _production_
> environment?
>
> I mean, I'm all for Fedora Core in a production environment,
> but _not_ the latest version that changes everything (which
> Fedora Core 2 did). Yikes!

It was a request I had nothing to do with. I didn't say it was an entirely reasonable argument, but those were my feelings. I wouldn't have installed FC2 if that wasn't what was forced on me. I have my domains, and this wasn't one of them. But yes, you're right.
Brian T. Brunner
2005-Nov-17 13:08 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
> All I want is enough power to do my job

...and to not be distracted from *my* job to tackle what some stranger in Illinois thinks my job should be! SELinux is my alligator, not my swamp. CentOS4 allowed me to switch the thing off at install. Done. When SELinux is my job, I'll figure it out. Until then, I don't care who I irk, disappoint, or perturb by switching it off.

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> noyler at khimetrics.com 11/16/05 05:05PM >>>
> The main reason I think sysadmins in general seem to hate SELinux is the
> 'Mandatory' part of 'Mandatory Access Control': that is, superuser power
> is too addictive to get rid of, and SELinux can do away with 'superuser'
> powers entirely.

I disagree with this. The main reason I dislike SELinux is the way I was introduced to it. I wasted quite a bit of time on an issue before I even knew what SELinux was because it was turned on by default on an FC2 machine. I was asked by another admin to use FC2 on a particular job, and I never saw SELinux. The turning it on by default irked me. Superuser power as a trip is just silly. What's the difference? All I want is enough power to do my job.

_______________________________________________
CentOS mailing list
CentOS at centos.org
http://lists.centos.org/mailman/listinfo/centos

*******************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote also confirms that this email message has been swept for the presence of computer viruses. www.hubbell.com - Hubbell Incorporated
Brian T. Brunner
2005-Nov-17 18:21 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
Brian: DON'T focus blame on "consultancy". The management style you lambaste is prevalent to the point of being pandemic. The problem is NOT lack of accountability, it is rather one of "to whom are we accountable?" My products are NOT reviewed by geeks, theorists, and techno-pedants. My products are accountable to testers who are accountable to marketing who are accountable to stock holders and well-drillers and factory owners. They want a profit product, not a perfect product. "Good, fast, cheap; pick two" says it well.

--the *other* pedantic Brian--

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> thebs413 at earthlink.net 11/17/05 01:08PM >>>
Peter Farrow <peter at farrows.org> wrote:
> running a consultancy business where time is money, turning
> it off and configuring as we always did before represents

Consulting is why the IT infrastructure and security of this country has gone to crap. There is no accountability. There is only the pressure to complete things in unrealistic timeframes. Sound security policy has been put out-the-window by consulting, support non-sense, etc... You have to "tear it down" so you can "dumb it down" for people. And it happens in the most crucial of our nation's networks. Why? Consultants aren't accountable in most cases. And that's typically because the clients want it done now.
Brian T. Brunner
2005-Nov-17 19:06 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
What I implied, that Brian deleted, is that my product is in alien hands (some of whom can spell "Linux") and must pass the muster of the testers who answer to the marketeers who answer to the stock holders and customers. My product must fit the hands that work it. NONE of them know what SELinux is (compared to Linux) and (properly) resent every extent of my making them learn Linux. Their day job has NOTHING to do with learning Linux, let alone SELinux. Therefore, if SELinux breaks *anything* it gets switched off and is not part of the product. If it is a seamless fit, with no regression, then it can be allowed. Any self-important pedant who insists that this bully-boss attribute shall be catered to will be pedanted off the drilling platform. Walk home, twit! Land is only 2 miles away (straight down). "Ahhh but this is better and it is the future!" When (if) it doesn't break my stride, it will become the present. Until then it's already history.

This rant/diatribe is for the benefit of people making "improvements" in a running, deployed, supported product. I think, at this point, I'll depart from the debate.

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> lesmikesell at gmail.com 11/17/05 01:40PM >>>
On Thu, 2005-11-17 at 12:29, Bryan J. Smith wrote:
> "Brian T. Brunner" wrote:
> > it is rather one of "to whom are we accountable?"
>
> I'm accountable to myself.
>
> I know I shock people, but if I'm to blame for anything, I'm
> the first to admit it. I don't hide behind things, and I
> have refused to do things before. And I've been let go by a
> client for it too.

Accepting the blame remotely isn't quite the same as working at the same place for a decade or more and having to live with what you built. Your rants on the side of security vs. convenience would be more believable if you added that you did all of your own work under such conditions and planned to continue for the foreseeable future.

-- 
Les Mikesell
lesmikesell at gmail.com
Chris Mauritz
2005-Nov-17 23:12 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
Lamar Owen wrote:
> After reading through the various SELinux threads, I really became quite
> perturbed. I mean, really quite perturbed.

If you get perturbed over something so trivial, perhaps it's time to re-examine your priorities in life. 8-)

> As an IT Director (and the entire IT department, currently), if I were hiring
> a sysadmin I know for a fact that someone whose first response to a question
> on why something doesn't work is 'turn it off' would not get a job here.

Thank goodness I'm not an SA then. I also run, and have run in the past, rather large IT departments. I also started out my unix life as a SA. Now that we've gotten that out of the way...

SELinux shouldn't be turned on by default and in many cases simply creates extra overhead/bloat on a system that doesn't really need it. Building a firewall? Building a hardened box that's going to be exposed to the net at a datacenter? Great, then it might be worth your while to wrestle with it and take the time to figure out why it's breaking your applications. All the really good SAs I've ever had tended to be somewhat frugal with their time and tended not to waste it on things they didn't absolutely need or that didn't somehow make their lives easier.

> Neither would a sysadmin with as much cynicism as has been displayed, or an
> automatic 'it broke things' when something new (and in fact improved) comes
> along get a job here. Do realize that this list is archived, and that many
> people who are hiring might use Google to find your name (or mine, for that
> matter).

Fantastic! I'll also state for the record here that I won't dig ditches. So any potential employer intending to hire me for ditch digging or sysadmining and is googling net archives can stop reading now. *shrug*

Cheers,
Brian T. Brunner
2005-Nov-21 12:38 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
Thanks, Mike. What I read is that SELinux is still 'beta', and while the need for good security is decades old, we (CentOS/RHEL folks) should not be presumed to be willing beta testers. "Enabled by default" presumes I'm willing.

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> lesmikesell at gmail.com 11/19/05 11:41AM >>>
On Fri, 2005-11-18 at 22:42, Lamar Owen wrote:
> Maybe I'm wrong, but I think any admin needs to experience having their box
> cracked. It will produce the humbleness necessary to the trade, because
> overconfidence is dangerous.

Yes, but when the box gets cracked _because_ they are using the latest new thing their distribution added under the guise of increased security, as happened with ssh a while back, it also produces the attitude that new stuff should soak a long, long while in a distribution like fedora before going onto production boxes. You want to at least wait until the surprises stop - and I take the flurry of reports of broken apps at every update as an indication that they haven't stopped yet. Your analogy to a weapon was a good one. When the experts tuning the distribution still can't keep it from blowing up in people's faces some of the time, normal people should keep their distance. When the fedora and Centos lists go several months without a mysterious app failure caused by SELinux it will be time to reconsider.

-- 
Les Mikesell
lesmikesell at gmail.com
Brian T. Brunner
2005-Nov-21 13:30 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
People ask how my life is going, I answer, "Like a basketball... repeatedly smashed to the floor, occasionally thrown for a loop."

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> wmcdonald at gmail.com 11/21/05 05:49AM >>>
On 19/11/05, Lamar Owen <lowen at pari.edu> wrote:
> On Friday 18 November 2005 21:02, Preston Crawford wrote:
> > Your name is Lamar Odom?
> > :-)
>
> No, see
> http://siusalukis.collegesports.com/sports/m-baskbl/mtt/owen_lamar01.html

See also: http://www.nba.com/draft2003/profiles/McDonaldWill.html :)

I used to play too.

Will.
Brian T. Brunner
2005-Nov-21 13:32 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
I see we agree.

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> mailing-lists at hughesjr.com 11/21/05 08:00AM >>>
On Mon, 2005-11-21 at 04:38 -0800, Brian T. Brunner wrote:
> Thanks, Mike.
>
> What I read is that SELinux is still 'beta', and while the need for good
> security is decades old, we (CentOS/RHEL folks) should not be presumed
> to be willing beta testers. "Enabled by default" presumes I'm willing.
>
> Brian Brunner
> brian.t.brunner at gai-tronics.com
> (610)796-5838

It is not enabled by default ... unless you click through screens
Brian T. Brunner
2005-Nov-21 15:00 UTC
[CentOS] SELinux threads, cynicism, one-upmanship, etc.
Well, hughesjr, I'm using the *default* meaning of "default": You'll get SELinux "on" on install if you don't take action to select it off. Automagic partitioning is also default; you have to take action to get into DiskDruid.

Brian Brunner
brian.t.brunner at gai-tronics.com
(610)796-5838

>>> mailing-lists at hughesjr.com 11/21/05 09:39AM >>>
On Mon, 2005-11-21 at 14:15 +0000, Peter Farrow wrote:
> The point was, as it's very much beta quality, it should be up to the
> user to ask for it, not have it dropped on them by default.
>
> That's the point Brian was making, the essence of the reply to that was
> "its not enabled by default because you can turn it off"
>
> Which, as we all know, is a rather absurd statement....which had to
> be remedied by, yes if you like, a pedantic reply, but a nonetheless
> valid one...

I disagree ... to me enabled by default would be like the core and base default packages .... they are turned on, and one can not turn them off. They are enabled by default, whether you need them or not. SELinux would be enabled by default if it were turned on that way.