|
emacs is good
|
# ? Oct 29, 2020 01:31 |
|
|
using emacs on fedora 33
|
# ? Oct 29, 2020 01:31 |
|
Sapozhnik posted: Describe a situation where selinux would prevent a security compromise.
https://access.redhat.com/blogs/766093/posts/3557091 "For example, if the Apache HTTP Server is compromised, an attacker cannot use that process to read files in user home directories by default, unless a specific SELinux policy rule was added or configured to allow such access."
|
# ? Oct 29, 2020 01:38 |
|
hifi posted: emacs is good
i've never used it so maybe it is. but it's rms software so it probably isnt
|
# ? Oct 29, 2020 01:41 |
|
For the curious, you can see the various selinux settings for services such as samba and httpd that are normally (on non selinux distributions or those that have not configured selinux to enforce) granted an incredible amount of access, but selinux adds the granularity to confine them to reasonable levels.
|
# ? Oct 29, 2020 01:41 |
|
ah yes all those home directories on the web server
|
# ? Oct 29, 2020 01:41 |
|
Selinux just needs to rebrand and use the word "container" or something.
|
# ? Oct 29, 2020 01:44 |
|
mystes posted: Selinux just needs to rebrand and use the word "container" or something.
"SexyLinux" oooh baby!
akadajet fucked around with this message at 01:49 on Oct 29, 2020 |
# ? Oct 29, 2020 01:45 |
|
Sapozhnik posted: Describe a situation where selinux would prevent a security compromise.
ohhhhh. I see. You have no idea what the gently caress you’re talking about, nor do you know what SELinux actually does, so you’re just talking out of your rear end. Gotcha.
|
# ? Oct 29, 2020 02:56 |
|
i want to make everyone who posts the ed meme upload a screen recording of them writing a 1000 word essay about ed in ed
|
# ? Oct 29, 2020 03:34 |
|
hifi posted: emacs is good
hifi posted: using emacs on fedora 33
|
# ? Oct 29, 2020 03:36 |
|
selinux is powerful and also incredibly difficult to set up correctly. if you’re just standing up web servers and the distro policy works then sure knock yourself out. over here in the world of every job I’ve ever had post 2012, static assets go in s3 and app servers are full of weird and lovely behavior that would need like, a full time selinux SME to keep on top of all the terrible poo poo the product teams push out. meanwhile the downside of not using selinux is “breaches are worse for my employer”, which, fair, but also if my employer dgaf why should i. so I’ve never used selinux at work
|
# ? Oct 29, 2020 04:01 |
|
Nomnom Cookie posted:selinux is powerful and also incredibly difficult to set up correctly. if you’re just standing up web servers and the distro policy works then sure knock yourself out. over here in the world of every job I’ve ever had post 2012, static assets go in s3 and app servers are full of weird and lovely behavior that would need like, a full time selinux SME to keep on top of all the terrible poo poo the product teams push out. meanwhile the downside of not using selinux is “breaches are worse for my employer”, which, fair, but also if my employer dgaf why should i. so I’ve never used selinux at work
|
# ? Oct 29, 2020 04:37 |
|
|
Nomnom Cookie posted: one huge advantage of vi that no one mentioned yet is no matter what horrible thing your dipshit coworker did to the machine, it has vi. that alone is enough to make at least minimal vi knowledge worthwhile
only if it’s new enough to have bits of BSD mixed in and to expect an addressable terminal instead of a teletype (printing or glass)
|
# ? Oct 29, 2020 05:26 |
|
Phobeste posted: one time i used a lovely embedded system that had the vi built into busybox somehow configured so there was no undo.
so it’s actual vi rather than vim
|
# ? Oct 29, 2020 05:28 |
|
starbucks hermit posted: https://access.redhat.com/blogs/766093/posts/3557091
That's a terrible example, $HOME is chmod 0600, I don't keep my home on a webserver, and the web application's home is really not interesting. Also, was it SeLinux or Apparmor developers that created the following scenario?
Bob: You should enable our security thing and you are bad if you don't!
Alice: Okay, I'm enabling your security thing, but the tooling is terrible and now my application fails with cryptic error messages.
Bob: You can put our amazing security thing into complain mode and see in the logs what is failing!
Alice: I did but it still keeps failing and there's nothing in the logs.
Bob, the loving imbecile: Oh yeah, some actions are so sensitive we just block them and don't log even in complain mode!
Alice: … … …
And that's how Alice disabled the thing entirely and Bob was found strung up by his own intestines.
|
# ? Oct 29, 2020 08:12 |
|
they discussed that issue recently on lwn, selinux failures not showing up in logs. i should find it again
|
# ? Oct 29, 2020 09:30 |
|
found it, check the "Silent denials" discussion here: Removing run-time disabling for SELinux in Fedora
|
# ? Oct 29, 2020 09:32 |
|
Antigravitas posted: That's a terrible example, $HOME is chmod 0600, I don't keep my home on a webserver, and the web application's home is really not interesting.
are you being serious with this post? Do you know anything about SELinux? Because RedHat spent a lot of effort on developing tools and documentation to help people understand it. Did you know that the apache web server runs as root? Because it does! The initial process is root, which spawns workers. Did you know that root can do a lot of superuser things??? Like read user directories? Before you poo poo on these things, you should probably have a modicum of knowledge about them first.
|
# ? Oct 29, 2020 09:32 |
|
There's a lot of good posts here about SELinux's learning curve, how a lot of packages don't support it, how it's a pain in the rear end, how some of the protection may be considered irrelevant, etc. Valid points, don't get me wrong. But the system is a lot more complex than the simple paragraph I posted, which was just a reply to another person's comment.
Tankakern posted: found it, check the "Silent denials" discussion here: Removing run-time disabling for SELinux in Fedora
That's quite interesting. To be fair, these items weren't logged because they were annoying, not because they were sensitive. But there should be an all-caps notice for developers to disable dontaudit rules when making policies.
|
# ? Oct 29, 2020 09:42 |
|
defund the policies
|
# ? Oct 29, 2020 09:52 |
|
selinux's main problem, apart from the learning curve, is that the errors don't show up in journalctl or syslog by default. they're in some other log file and they don't really help you understand what needs changing to allow you to do your Thing. if you google how to use selinux everyone recommends watching a 2 hour youtube video which is really unhelpful too
|
# ? Oct 29, 2020 10:01 |
|
starbucks hermit posted: Did you know that the apache web server runs as root? Because it does! The initial process is root, which spawns workers. Did you know that root can do a lot of superuser things??? Like read user directories?
Mine doesn't. Also, maybe one shouldn't be doing unsafe things instead of trying to paper over bad design with another complex system. If you have to bind to 80/443, perhaps use capabilities like a normal person?
starbucks hermit posted: Before you poo poo on these things, you should probably have a modicum of knowledge about them first.
I know enough about Selinux that I encountered the non-logged denials…and to discover that the tooling is garbage. I've written policies myself, and the entire process is terrible, ill thought out, and the documentation assumes everything does trivial things and that developers know the access they need (lmao on that one). If you don't know in advance what the thing does, you'll be chasing hard-to-debug failures in prod. Apparmor is extremely similar in its terribleness, but at least distro defaults are usually reasonable.
|
# ? Oct 29, 2020 10:53 |
|
ehh heh heheh heh KVM: Dirty ring interface sounds like a fun feature
|
# ? Oct 29, 2020 11:00 |
|
That thing threatens to collect my dirty bits. I don't feel qualified to review the code, but posting code for upstreaming without being able to demonstrate a clear advantage over the old approach is chancy. The numbers shown for a typical VM indicate a slowdown, so you'd have to provide a way to switch between approaches depending on which would be faster, and that's something that has led to rejections in the past.
|
# ? Oct 29, 2020 12:11 |
|
Tankakern posted: found it, check the "Silent denials" discussion here: Removing run-time disabling for SELinux in Fedora
LWN posted: Because Red Hat customers put the SELinux policy developers into no-win situations: they complain about AVC denials that don't actually significantly break anything in *their* app and often just disable SELinux in those scenarios. Red Hat wants customers to use it and not freak out all the time, so these kinds of things get added because it is very hard to come up with the right rules for all cases and there's not enough time to work on that.
lmbo
|
# ? Oct 29, 2020 12:17 |
|
feedmegin posted: No cellphone reception in the data centre how will I fix my HP-Ux box now
Almost every dc I have been in has had WiFi because no one is dumb enough to think you can computer without internet in tyool 2020. Sure, cell signal is blocked, but my laptop can still google even if I don't join my phone to the company network
|
# ? Oct 29, 2020 16:22 |
|
Nomnom Cookie posted: one huge advantage of vi that no one mentioned yet is no matter what horrible thing your dipshit coworker did to the machine, it has vi. that alone is enough to make at least minimal vi knowledge worthwhile
or just use your local install of emacs
|
# ? Oct 29, 2020 17:05 |
|
https://ajaxnwnk.blogspot.com/2020/10/on-abandoning-x-server.html Xorg maintainer no longer wants to maintain Xorg as anything other than a Wayland compatibility or remoting layer.
|
# ? Oct 29, 2020 17:10 |
|
ooh does this mean it’s time for my irregular ritual of attempting to switch to wayland, finding a bunch of stuff still doesn’t work properly, and switching straight back to xorg? probably my opinion would be different if I cared about fractional scaling or accelerated video playback, or if I spent enough of my time dragging windows around to notice tearing, but I don’t
|
# ? Oct 29, 2020 17:21 |
|
Antigravitas posted: That's a terrible example, $HOME is chmod 0600, I don't keep my home on a webserver, and the web application's home is really not interesting.
lmao. Your SELinux experience must be from RHEL4/5. SELinux is easy these days. Even on Buildroot it’s set up now to where you select the libraries in the package menu and the kernel and system are automatically set up for you. On modern RHEL or Fedora systems any rpm in the mainline repos is guaranteed to work ootb with SELinux. If you are setting up a server it’s as simple as setting SELinux to permissive, setting everything up, and then running “grep denied audit.log |audit2allow -aM mypolicy && semodule -i mypolicy.pp” and then setting SELinux back to enforcing.
FlapYoJacks fucked around with this message at 17:29 on Oct 29, 2020 |
# ? Oct 29, 2020 17:26 |
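The permissive-then-audit2allow workflow in the post above turns every denial logged while the app ran into an allow rule, and the silent (dontaudit) denials discussed earlier in the thread are the other half of that picture. As an added example that is not from the thread or from any SELinux tool, this Python parses constructed audit.log AVC records and renders the Type Enforcement rules a blanket module would grant, so each can be reviewed before `semodule -i`.

```python
"""Review SELinux AVC denials before turning them into allow rules.

Added example, not from the thread or from any SELinux tool. The audit
records below are constructed, in the format auditd writes to audit.log."""
import re
from collections import defaultdict

# Constructed records: httpd reaching into a home directory and opening a
# database connection while the box sat in permissive mode (permissive=1).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1603965600.101:301): avc:  denied  { read } for  pid=1201 comm="httpd" name="notes.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1603965600.102:302): avc:  denied  { open } for  pid=1201 comm="httpd" path="/home/alice/notes.txt" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1603965600.103:303): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1603965600.103:303): arch=c000003e syscall=42 success=yes exit=0
"""

# One AVC record: the denied permission set, source and target contexts, class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} .*?scontext=(?P<scon>\S+) "
    r"tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """The type is the third field of user:role:type[:level]."""
    return ctx.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) to the sorted permissions denied."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no access decision
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return {k: sorted(v) for k, v in denials.items()}

def to_allow_rules(summary):
    """Render the summary as the Type Enforcement rules a blanket
    'audit2allow -M' module would grant, so each one can be judged first."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    # The user_home_t rule is exactly the access the Red Hat example quoted
    # above says SELinux exists to deny; it belongs in a fix, not in a policy.
    for rule in to_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Denials covered by dontaudit rules never reach audit.log at all; `semodule -DB` rebuilds the policy with those rules disabled so the collection is complete, and `semodule -B` restores them afterwards.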
|
DoomTrainPhD posted: lmao. Your SELinux experience must be from RHEL4/5. SELinux is easy these days. Even on Buildroot it’s set up now to where you select the libraries in the package menu and the kernel and system are automatically set up for you.
Did you miss the part about denials that aren't being logged?
|
# ? Oct 29, 2020 17:38 |
|
man, an editing on remote machines discussion that spent pages before getting to tramp-mode, and then announcing the death of x11, if this does not make notorious bsd rereg i guess they're gone for good. btw i wear wooden clogs to work, i feel it reflects a certain kind of professionalism that is hard to get at otherwise.
|
# ? Oct 29, 2020 17:59 |
|
at my last job all the servers ran on Ubuntu and it was fine tbh
|
# ? Oct 29, 2020 18:09 |
|
RFC2324 posted: Did you miss the part about denials that aren't being logged?
you can disable that, which is also in the part that you're referring to and more likely than not, the people running into that issue are people writing policies for their own apps or special use cases, not the system administrators running out-of-the-box services
Nomnom Cookie posted: at my last job all the servers ran on Ubuntu and it was fine tbh
I run a mix of CentOS and Ubuntu servers, and I'm trying to move to 100% CentOS. But if I'm preparing a system that someone else is going to be janitoring, believe you me I'm going to use Ubuntu. Besides nbsd's rant about security and support, it's not terrible.
|
# ? Oct 29, 2020 18:29 |
|
starbucks hermit posted: you can disable that
the worst thing about linux, in 4 words. yes the config is poo poo, yes you'll be bitten in a hundred ways by idiotic cruft, but none of it is a real problem--there's a workaround!
|
# ? Oct 29, 2020 19:10 |
|
Nomnom Cookie posted: the worst thing about linux, in 4 words. yes the config is poo poo, yes you'll be bitten in a hundred ways by idiotic cruft, but none of it is a real problem--there's a workaround!
yeah, I know. it takes patience and the right mindset and reams of documentation, all on the bedrock of years of experience. If I ever inflict Linux upon my loved ones, it will be via a Chromebook. I don't even recommend Android to anyone (although I love my Pixel 3a)
|
# ? Oct 29, 2020 19:22 |
|
RFC2324 posted: Did you miss the part about denials that aren't being logged?
If you are making your own custom bespoke policy sure.
|
# ? Oct 29, 2020 19:46 |
|
|
ah yes the policy engine that sucks to write policies for
|
# ? Oct 29, 2020 20:00 |