[Novalug] October Talk -- SELinux for your (grand)parents

Peter Larsen plarsen at famlarsen.homelinux.com
Thu Sep 30 21:34:54 EDT 2010


On Wed, 2010-09-29 at 22:00 -0400, James Ewing Cottrell 3rd wrote:
> On 9/29/2010 6:35 PM, Peter Larsen wrote:
> > On Wed, 2010-09-29 at 09:20 -0400, David A. Cafaro wrote:
> >> No problem, many object to complexity and there are strong arguments in
> >> favor of avoiding it.  Luckily you can not use SELinux as a choice, if
> >> that's what you prefer.
> > I wouldn't use the word "luckily" in that regard. If complexity is a
> > problem then you shouldn't be an IT tech in the first place. I think
> > it's more an issue of "sticking to your guns" so to speak and not
> > wanting to learn something new (and better).
> Oh Bull! UNIX was created as a Reaction to the Complexity of Multics.

Two different goals and issues. The simplification of Unix was on
completely different levels such as "everything is a file". Unix came
about to run on smaller and less comprehensive hardware than the larger
mainframes such as Multics. It was created primarily for academia and it
wasn't until later that the commercial side took off.

> And if you read some of Bruce Tate's books (From Java to Ruby), a common 
> theme is how Java lost its way thru a series of ever-more increasingly 
> complex sets of frameworks, and by contrast you can Get Things Done SOOO 
> much faster in Ruby.

Sure - and as a carpenter I would argue that creating a table with a
blow-torch will take too long and not work very well. I used to tell
people who wanted to learn how to program, that learning the programming
language was easy - learning the libraries and methodologies/frameworks
is the hard part.  And the discussion would soon get to why use those
hard-to-use methodologies/frameworks instead of just coding the "little
pieces" you needed. And the answer would always be "depends". Larger
projects required a robust framework. A singleton smaller project could
afford to take short-cuts. This is where I see languages/frameworks like
Ruby. They'll eventually grow to the same complexity as the ones in Java
- it's a matter of age/maturity. Just like Perl has gotten itself a good
set of complex/robust frameworks now to allow it to meet larger and more
complex requirements. At the cost of losing the pioneers into
programming.

> A wise man once said "Any fool can make something complicated. It takes 
> a genius to make it simple." Guess who that was?

But even E=mc2 has a lot of complexity built into it. And while those in
the know can tell its huge impact, most people cannot see the complex
relationships between the beautiful simplistic formulas of physics.

In other words, it's in the eye of the beholder. What E=mc2 leads to in
sets of very complex science/mathematics is the same idea as a simple
language leads to, when you create and add the many different
frameworks.

If your goal is to know every framework of languages like Java you're on
a "mission impossible". We used to be able to know a full language
including the libraries; not even with Perl can you do that anymore. It
hasn't been that way for a long time - and as a consequence we can now
create applications much much faster than we could 20 years ago. It's
due to the "complexity" that we have simplified it so much that even
novice programmers can make pretty complex applications.  Just like
E=mc2 leads to very complex formulas and theories.

> >> Unfortunately I just find that though I don't like complexity, as I age,
> >> as the world evolves, it continually becomes more complex, and that's
> >> what I have to adapt to.
> > Change is always hard for all of us. It is those of us who best adapt to
> > change who seem to succeed the best.
> One way to "adapt" is to ignore. We can't do it all. We must pick and 
> choose what we deal with.

I would definitely agree that we have a choice. In this case, however, I
have a hard time NOT defending the choice of SELinux. Which was what
this thread was all about after all?

> > In my next life I want to be a security officer and get paid to be
> > paranoid and not have to argue why something is less secure :)
> > That said, you're quite right. Just like with backups, we don't realize
> > how important security is until it's too late. Or rather, we prefer not
> > to use any resources on implementing it.
> It also makes no sense to expend more effort preventing something than it 
> would cost to fix it if it happened.

You know as well as I do, that a box compromised means it's completely
compromised. It's not a matter of "he only got into system X". The whole
box is considered compromised. So like not taking backups, once failed
the expense is much much higher than not doing something. SELinux is a
toolset - you don't have to use all its features at all - but just like
with your local firewall, having some basic measures (the default
ones) gets you a long way down the road.

Choosing not to have it is like leaving the windows rolled down slightly
on your car but locking the doors.

> > The argument from simplification is what Microsoft took. By not making
> > the user be concerned about security we ended up with a lot of bad worms
> > and viruses.
> I am not suggesting we go THAT far...clearly they allow Executable 
> Content WAY too much freedom.

Glad that we agree there. So SELinux is part of a response to what we
are missing with the traditional security features of Linux/Unix. It's
matured so much now, that we should consider it a standard feature like
our XATTRs, access modifiers, users, groups etc.

> > The problem is the default settings are not sufficient in
> > such a world - not even close. The basic premise that you're protecting
> > your OS isn't enough anymore. You have multiple apps running under the
> > same OS authentication that should NEVER be able to cross over. Hacking
> > your IM should never allow the hacker to download your browser password
> > file for instance.
> Now we are talking about Clients once again. But since we are talking 
> about IM Clients....
> ...why exactly do I have to fear my IM client? Why is it opening files 
> unless maybe I ask it to send or receive a file?

You missed my point. Without SELinux you have no way to jail a program
in its own space. If I have a compromise on my IM, by jailing it the
bad code I got would not be able to further compromise anything else on
my system. So it could be any software that you use in user-space. It
doesn't matter.

> >> Anyways, as always you use what you are comfortable with and can
> >> implement correctly.  If SELinux is going to cause implementation
> >> problems, skip it, and make sure you follow the other standard security
> >> guidelines.
> > Absolutely not. Well, except that the standard "security" settings are
> > not enough. I would compare it to proclaiming that /etc/shadow is too
> > hard to make work, so I want to store my md5 password in /etc/passwd.
> > Same type of argument. If I don't set it up right, I cannot login - so
> > why bother making it more secure?
> Of course they are. We got along for YEARS without them. DECADES even!

Man also lived fine without computers for centuries and even millennia.
We have evolved, and so have the threats to our software and systems.

> Many systems STILL do fine without it

That's the scary part.

> You have just insulted almost every guru that walked the earth from (oh 
> let's say) 1985 thru 2005.

Rubbish. Not realizing that the world doesn't stand still and that
solutions that were sufficient 10 years ago aren't today is common sense.
I don't know a lot of architects and system people who don't realize
they have to stay current and evolve with the technologies.

> >>    But, if you ever have the time, please don't dismiss
> >> SELinux for a second chance later.  It does have some real benefit to
> >> it, and it will only get easier.
> > Disabling temporarily to get past a "here and now" problem I don't think
> > is a problem. Disabling SELinux for good is and shouldn't be considered
> > at all. If setup right, you won't notice how beneficial SELinux is. You
> > WILL however notice things if you don't have it at all and things go
> > bad.
> You see, that is the kind of Unsupported Hype that I am railing against.

I think multiple people here have tried to explain that it's not
unsupported claims.

-- 
Best Regards
  Peter Larsen

Wise words of the day:
We come to bury DOS, not to praise it.
	-- Paul Vojta, vojta at math.berkeley.edu
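The message above argues that SELinux jails each program in its own domain and that the default policy already gets you most of the way. An added example (not part of the thread, and not a tool from the list) that audits which processes a policy actually confines, using constructed `ps -eZ` and `getenforce` output so it runs without SELinux present; under the default targeted policy, system daemons get their own domains while a desktop user's applications typically run as `unconfined_t`, which is exactly what this check surfaces.

```python
"""Audit SELinux confinement from `ps -eZ`-style output (added example)."""
import re

# Constructed sample of `ps -eZ` output: LABEL PID TTY TIME CMD.
SAMPLE_PS_EZ = """\
LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:sshd_t:s0-s0:c0.c1023 812 ?     00:00:00 sshd
system_u:system_r:httpd_t:s0        1034 ?        00:00:01 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2201 pts/0 00:00:00 bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2310 pts/0 00:00:05 pidgin
system_u:system_r:kernel_t:s0           2 ?        00:00:00 kthreadd
"""

# Domains the targeted policy treats as effectively unconfined, i.e. not jailed.
UNCONFINED_DOMAINS = {"unconfined_t", "unconfined_service_t"}

# label, pid, tty, time, command (header line has no numeric PID, so it is skipped)
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+(\S+)$")


def parse_ps_ez(text):
    """Return (pid, command, type) tuples; the type is the third field of the label."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header or malformed line
        label, pid, cmd = m.groups()
        parts = label.split(":")  # user:role:type[:level]
        if len(parts) < 3:
            continue
        rows.append((int(pid), cmd, parts[2]))
    return rows


def unconfined_processes(text):
    """Commands running in an unconfined domain: a compromise there is not jailed."""
    return sorted(cmd for _pid, cmd, typ in parse_ps_ez(text)
                  if typ in UNCONFINED_DOMAINS)


def is_enforcing(getenforce_output):
    """True only when `getenforce` reports Enforcing; Permissive logs but does not jail."""
    return getenforce_output.strip() == "Enforcing"


if __name__ == "__main__":
    print("unconfined:", unconfined_processes(SAMPLE_PS_EZ))
    print("enforcing:", is_enforcing("Enforcing\n"))
```

On a real host, feed it the actual output (`ps -eZ` and `getenforce`) instead of the constructed sample; a long unconfined list is the gap the thread is arguing about, not a reason to disable the policy.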