ssh -X shop problem...

Craig White craigwhite at azapple.com
Tue Nov 28 12:45:13 UTC 2006


On Tue, 2006-11-28 at 01:21 -0500, Gene Heskett wrote:
> On Tuesday 28 November 2006 00:32, Tim wrote:
> >On Mon, 2006-11-27 at 23:13 -0500, Gene Heskett wrote:
> >> Now get this!  I just totally disabled selinux (It was set permissive)
> >> and cron runs my script. WTF?
> >
> >There's been a few examples where running SELinux in permissive mode has
> >been found to still restrict things, looks like you found another.
> >
> I guess so Tim.  How can I go about ripping it out totally?  To me, this 
> is many times more trouble than ANY perceived security is worth.  I'm 
> already bulletproofed from the outside, and nothing selinux can do will 
> make it bulletproof against me.  All it's doing is frustrating me to the 
> point of screwing things royally up just trying to figure out how to do 
> what I've been doing for years when it decides to kill amanda, apparently  
> for no good reason that I can grok.
> 
> Time for some sleep I guess, thanks.
----
Security is never about a single point and a firewall only protects
against attempts from the untrusted Internet to enter your LAN. For the
record, the only bulletproof method of protection from the Internet is
not a firewall...it's not to connect at all. Supposedly good firewall
schemes are frequently defeated by people with vast knowledge.

Most importantly, there are a vast array of threats to your systems that
won't/can't be blocked by a firewall such as: scripts that run on web
sites, e-mail, graphics, office-type programs, compiling programs from
source, installation of binary programs, etc.

Unless you fully audit each and every script and understand what it is
doing, you can never be certain which is virtually impossible to do -
this is why you don't compile programs, rpms as root, this is why you
don't run GUI as root because everything you do as root has root
privileges. This is why all programs from trusted sources have checksums
and GPG keys associated with them so as to ensure that they haven't been
tampered with.

Security is about layers of which not running as root when not
absolutely necessary and SELinux are but 2 of those layers. There aren't
many left in your world.

Craig



