Re: SElinux

On Sun, 2006-04-02 at 20:08 -0300, Jacques B. wrote:
> > I see your point - that there are levels of system
> > administrators...those that invest the time and energy into obtaining
> > the knowledge necessary to maintain their systems and those that rely on
> > point and click tools and where lacking the point and click tools and
> > the knowledge, opt out for expedience.
> >
> > I agree that many opt out for expedience...too bad. Something inside
> > tells me that many of these people chide Windows systems for a lack of
> > security but I digress.
> 
> I'm not a sysadmin (but hope to develop my skills and become one in my
> next life).  But I can see why a sysadmin would want a user friendly
> interface and abundant (and clear) documentation to manage all aspects
> of SELinux.  I can imagine that many sysadmins are quite busy as it
> is.  Trying to wrap their heads around SELinux may be a challenge. 
> Certainly not rolling out security features for a customer could come
> back and bite us.  But also not being able to maintain the customer's
> system running smoothly (or can't get certain parts working at all)
> without investing more time than is available in a day is no doubt not
> an option for some sysadmins.  And if the downed system is costing the
> customer considerable loss of revenue then getting it up and running
> ASAP may be the first priority, not getting it up and running with
> maximum security features implemented.  Security is an afterthought in
> some cases, and of lesser concern unless it impacts the bottom line. 
> I suspect not many sales managers would tell you to take an extra 1/2
> day or longer to troubleshoot an application issue before resuming
> online sales if it can be resolved in a matter of seconds by simply
> disabling that application.  Risks vs benefits as it relates to the
> bottom line.
> 
> I may be totally off the mark here.  But that's my best guess at what
> some sysadmins are likely dealing with and why mastering SELinux is
> not a priority for them (or more accurately for their company).
----
It's not a question of 'rolling out' - it comes pre-installed. It's a
question of turning a security layer off.

If left in default mode, your interaction with selinux is simply
'reactive' making changes that allow activities denied by default
installation. This really is no different than in using iptables to
block everything and then adjusting the rule sets to permit things that
you want to allow.

Thus, the only real difference between iptables and selinux is that
people forced themselves to learn how to live with iptables but haven't
forced themselves to learn selinux. All of the discussion about GUI
tools is self-serving attempts to provide a smoke screen to the basic
issue...that the sysadmin doesn't want to commit the time and energy to
learning how to deal with it. The logical extension that I add to that
is this unwilling system admin is not professional and will take the
easy road, much like failure to implement password policies discussed a
few days ago, etc. as this behavior is endemic and not likely reserved
to just selinux.

Nice try though.

Craig

