On 9/21/07, Gene Heskett <gene.heskett@xxxxxxxxxxx> wrote:
> On Friday 21 September 2007, Ed Greshko wrote:
> >Gene Heskett wrote:
> >> I have a firewall that has so far been bulletproof. It's called dd-wrt,
> >> run on an old scrap x86 box, booting busybox from a cf card, no drives in
> >> it & only 2 fans.
> >
> >I'm not sure why you are comparing the functions of SELinux with the
> >functions of a firewall. It would be nice to hear your interpretation of
> >the issues that SELinux targets vs. what a firewall targets. If you think
> >they serve the same functions it would be nice if you would cite your
> >source.
>
> Several people have referred to 'that hacker' getting into the system, which
> is how I at least made the connection to a firewall.

So your firewalls are capable of protecting against 'that hacker' who _is_ on
your box, i.e. has gotten past your firewall somehow? Getting past a firewall
is by no means an impossible task.

> And to me, the firewall
> function of standing guard between my stuff and the rest of the planet is at
> least 10,000 times more important than silently, no log was generated,
> blocking off any and all access to the hardware data ports (usb and serial)
> even when that file says SELINUX=disabled.

So umm, why do you think it was SELinux causing the problem?

> In truth, and from the clues this old troubleshooter has detected, the only
> thing disabled by the above line is the logging; selinux is still standing
> behind the user, with a baseball bat hitting you in the back of the knee
> joints but using a pillow to muffle the noise. But that will be denied
> vociferously by those whose purpose it is to see to it that we run with it
> enabled. If you don't believe that, just watch this space...

I have several machines with SELinux disabled, and I see no messages from it.

> Questions that need answered _here_, where the whole list will read them are:

You make it sound like there is some attempted coverup going on.

> Why do the supposed selinux functions, if 10,000% less important than a
> firewall (my personal estimation anyway) seem to take 10,000 times more
> maintenance than the far more important firewall?

Well, besides the obvious possibility that your personal estimation is wrong,
there is the fact that they provide very different functionality. Here's a bad
metric, but one I think is still somewhat useful: the SELinux howto/tutorial is
at least 50% the size of that iptables howto, while providing all the necessary
information.

> And why is it that any "refutation of my claims messages" all have little or
> nothing to say except point the reader to other net locations where the
> propaganda to be read was written by someone WITH an agenda.

I haven't noticed any specific claims. Please provide a list that we can go
through, and/or join the fedora-selinux list. Please, it doesn't seem rational
to be throwing around the word propaganda just yet.

> And why is it that an error if logged, can't it be grepped for in the
> man-pages and the correct command line option to fix it be found?

There is a tool that gives you the exact command you need to fix an SELinux
error, much simpler than grepping, I believe.

> I suppose the theory there is not to make it too simple for the hacker to fix,
> but if the hacker has gotten to that point, I'll submit that you already have
> a hell of a lot bigger problem than selinux is ever going to fix.

That is not the theory as far as I know. With SELinux present, said hacker
would likely not get far enough to disable SELinux. They didn't in my case.

> Rant/Observation:
>
> It's a 'solution' looking for a 'problem' and if it can't find a problem, it
> will make 10 problems just for spite.

It solves problems for me; if you do not share this, that is understandable.
But it does in fact solve problems.

--
Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
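The two factual questions underneath this exchange are what the SELinux config file actually says and what, if anything, SELinux logged as denied. The script below is an added example for checking both and is not part of the thread or of any SELinux tool; the config snippet and the audit records are constructed for the example (PIDs, inode numbers and contexts are made up), and the parser assumes the standard `SELINUX=` key in the config file and the `type=AVC ... avc:  denied  { perms } for ...` layout of kernel AVC records in the audit log.

```python
"""Triage helpers: read the configured SELinux mode and summarise AVC denials.

Added example, not code from the mailing-list thread. Sample inputs below are
constructed; the formats are the standard ones, the values are invented.
"""
import re
from collections import Counter

# Constructed sample of /etc/selinux/config (real layout, example values).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
SELINUXTYPE=targeted
"""

# Constructed audit.log records in the real AVC layout (pids, inodes, contexts invented).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190370000.123:101): avc:  denied  { read write } for  pid=2211 comm="minicom" name="ttyUSB0" dev=tmpfs ino=1001 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:usbtty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1190370000.123:101): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1190370042.456:102): avc:  denied  { read } for  pid=2230 comm="cu" name="ttyS0" dev=tmpfs ino=1002 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1190370099.789:103): avc:  granted  { setenforce } for  pid=2300 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""


def configured_mode(config_text):
    """Return the SELINUX= value (enforcing/permissive/disabled) from config text.

    Comments and blank lines are ignored; the last assignment wins; None if absent.
    """
    mode = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing or whole-line comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "SELINUX":
            mode = value.strip().strip('"').lower()
    return mode


# Header of an AVC record: timestamp:serial, verdict, and the braced permission set.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be quoted (comm="minicom") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other audit line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
    }


def denials(log_text):
    """All denied AVC records in the log, in file order (granted records are skipped)."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return [rec for rec in parsed if rec and rec["verdict"] == "denied"]


def summarize(log_text):
    """Count denials by (program, target type, object class).

    This is the view you want before deciding whether the policy, the file label,
    or the program is at fault: it says what was blocked and for whom.
    """
    counts = Counter()
    for rec in denials(log_text):
        # Target type is the third field of the object context (user:role:type:level).
        ttype = rec["tcontext"].split(":")[2] if rec["tcontext"] else "?"
        counts[(rec["comm"], ttype, rec["tclass"])] += 1
    return counts


if __name__ == "__main__":
    print("configured mode:", configured_mode(SAMPLE_CONFIG))
    for (comm, ttype, tclass), n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n} denial(s): {comm} -> {ttype} ({tclass})")
```

On a real box you would feed it the contents of `/etc/selinux/config` and `/var/log/audit/audit.log`; a config that says `disabled` together with fresh AVC denials would mean the running kernel state and the file disagree, while a config that says `disabled` and an audit log with no AVC records at all points away from SELinux as the cause of a blocked device.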