What I HATE about F11

Thomas Woerner twoerner at redhat.com
Tue Jun 16 09:13:45 UTC 2009


Lennart Poettering wrote:
> On Mon, 15.06.09 12:41, Thomas Woerner (twoerner at redhat.com) wrote:
> 
>>>> So, what should happen here? Should we leave the firewall enabled in  
>>>> these cases* by default and require admins to open them? If so, is 
>>>> there any way that we can make this easier in some 
>>>> Packagekit-oriented manner? If not, how should we define that 
>>>> packages indicate that they need ports opened? Should this be handled 
>>>> at install time or run time?
>>> Gah. Allowing packages to pierce the firewall just makes the firewall
>>> redundant.
>>>
>>> I still think that the current firewall situation on Fedora is pretty
>>> much broken. It's a bit like SELinux: it's one of the first features
>>> most people disable.
>>>
>> SELinux and the firewall configuration are trying to make the system  
>> secure before something happens. If your system is compromised, then it  
>> is far too late to react. If you do not care about security, then  
>> disable it and have fun with the results.
> 
> You know, there is one big difference between SELinux and the default
> Firewall. The former doesn't inhibit the use of an application (at
> least if the policy is written correctly) because it whitelists every
> operation an application should be able to use but nothing else. OTOH
> the default firewall actively breaks a lot of applications we ship by
> default. Most of the time it even does that silently, without
> reporting EPERM or suchlike back to the application.
> 
> Really, if SELinux is set up properly nobody should notice it. However
> the default firewall breaks a lot of services, and is hence very much
> noticeable.
> 
>> I wonder why other systems are getting more restrictive and secure over  
>> time and for Linux people request the opposite direction.
> 
> Oh my. I wonder why other systems work by default and Fedora doesn't.
> 
>>> Fedora is the only big distro that enables a firewall by default and
>>> thus creates a lot of trouble for many users. I think I mentioned that
>>> before, and I can only repeat it here: we should not ship a firewall
>>> enabled by default, like we currently do. If an application cannot be
>>> trusted then it should not be allowed to listen on a port by default
>>> in the first place. A firewall is an extra layer of security that
>>> simply hides the actual problem.
>>>
>> How do you want to get to "it should not be allowed to listen on a port  
>> by default"? Maybe with SELinux?
> 
> Yes, SELinux is fine for that. Or simply by not shipping the app at
> all if it's shit.
> 

According to your own statement SELinux is disabled for most users. 
Therefore this is not possible.

Another thing: How do you limit access to a network segment with 
SELinux? For this you need to have a firewall. Please remember that you 
might not want to share your database for use in your home office 
intranet with the world if you are connected to an internet wifi access 
point while waiting for a flight. Here it should be possible to specify 
the type of the connection and mark the wifi connection as non-trusted. 
Changing the configuration of the service itself might lead to a 
configuration chaos, because you have to be able to configure every 
service properly according to your black and white lists.

Also do not forget to think about security holes in applications and 
services. They do exist. Saying that you do not need to have the system 
as secure as possible, because there is no risk is like ignoring 
reality. If you want to drop all packages which have or had at minimum 
one security problem, then you will end up without any applications and 
packages.

> Lennart
> 
Thomas
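The home-intranet case from the message above, written out as a firewall ruleset. This is an added example, not from the thread or from Fedora's own configuration; it uses nftables syntax (which postdates this 2009 discussion) and assumes a trusted LAN of 192.168.10.0/24, a PostgreSQL server on TCP 5432, and an otherwise default-drop input policy.

```nft
# Constructed example: the database stays bound to all interfaces and its own
# configuration is untouched; the trust decision lives entirely in the firewall.
table inet filter {
    set trusted_lan {
        type ipv4_addr
        flags interval
        elements = { 192.168.10.0/24 }   # assumed home office segment
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback and already-established flows are always fine.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Keep ICMP so ping and path MTU discovery still work.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Database (assumed TCP 5432): only from the trusted segment.
        tcp dport 5432 ip saddr @trusted_lan accept

        # Anything else aimed at the database gets an explicit TCP reset
        # rather than a silent drop, so the client sees "connection refused"
        # instead of a hanging connect().
        tcp dport 5432 reject with tcp reset

        # Remaining traffic: rate-limited log, then the default drop applies.
        limit rate 5/minute log prefix "nft-drop: " counter
    }
}
```

A source-subnet match cannot tell a home network from an airport hotspot that happens to hand out the same private range; tying the rule to the connection's trust level, as the message suggests, needs a zone mechanism that swaps rulesets when the network changes rather than a static address list.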
