Re: SELinux last straw

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Arthur Pemberton wrote:
On 10/18/07, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:

The place it can hurt is if it causes enough problems that some number
of users don't don't upgrade to the versions that use it or don't do
timely updates because they have a history of introducing new problems.
  This drops your first and best line of defense.

Les, please... this is a public list. Do not spread FUD... there is no
history of SELinux updates causing problems.

I'm speaking of fedora updates in general - and over a reasonable period of time to call 'history'. If you look back to FC2 and FC3, you'll certainly see a lot of complaints about SELinux updates breaking things. I have personally had multiple instances of devices that were not supported in new versions, devices that changed names, breaking the configurations, updates that installed kernels that would not boot previously working systems, and the list is full of similar problems in addition to the ones mentioning SELinux.

In a corporate environment it's obviously very different.  Using
different means of access control, using other layers of security such
as SELinux, implementing physical security measures, are all things
that need to be done, and properly.
If you are introducing Linux as something new you can do that.
Otherwise you have to be very careful not to break existing programs and
infrastructure with changes and updates.

I don't see why there should be a requirement of being new.

When you install a new system you get time to test it and nothing to lose if it breaks. But assume your payroll system is running on something that fails to boot or can't access it's data after you do an update that is required for some security issue. Now what? Or worse, this could be some on-line, customer visible system that is the core of your business.

If you want a distribution to be more secure in actual use, you have to
make it painless to update and never break anything that previously
worked - otherwise some number of people just won't do it.

You do realise that there are different distros, and each has their
niche. Fedora's niche is being fast pace, some would argue not fast
enough.

Perhaps, but if you want to deliver a product that does not have a usable way to fix subsequently discovered security flaws after a sort time then it should have an actual expiration date and self-destruct instead of being left as easy prey for exploits that turn them into zombie spam relays or worse. I, and probably most of the list members here, understand the experimental nature of fedora and that it simply is not suitable for anything that needs to be reliable over long periods of time. However, I don't think everyone who has installed fedora understands that or the dangers of continuing to run any software beyond the time it is supported with security updates. And I am inclined to believe the claims like this: http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723 saying that there are large numbers of rootkitted linux boxes around being used for evil purposes thet their owners don't even notice. It makes sense just because of the difficulty of keeping the installation up to date over the life of a machine. Fedora isn't the only disto in this shape but it is probably one of the most popular with one of the most difficult upgrade paths. I wouldn't be surprised if there are still large numbers of FC1 through FC5 installations in use because the currently supported versions don't ensure (or even suggest) backwards compatibility, in place upgrades, or even a convenient way to back out to your previous version if you try an upgrade and find that it doesnt' work with your hardware or applications.

--
  Les Mikesell
   lesmikesell@xxxxxxxxx


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux