SELinux last straw

Les Mikesell lesmikesell at gmail.com
Thu Oct 18 16:53:15 UTC 2007


Arthur Pemberton wrote:
> On 10/18/07, Les Mikesell <lesmikesell at gmail.com> wrote:
> 
>> The place it can hurt is if it causes enough problems that some number
>> of users don't upgrade to the versions that use it or don't do
>> timely updates because they have a history of introducing new problems.
>> This drops your first and best line of defense.
> 
> Les, please... this is a public list. Do not spread FUD... there is no
> history of SELinux updates causing problems.

I'm speaking of fedora updates in general - and over a reasonable period 
of time to call 'history'. If you look back to FC2 and FC3, you'll 
certainly see a lot of complaints about SELinux updates breaking things. 
I have personally had multiple instances of devices that were not 
supported in new versions, devices that changed names, breaking the 
configurations, updates that installed kernels that would not boot 
previously working systems, and the list is full of similar problems in 
addition to the ones mentioning SELinux.

>>> In a corporate environment it's obviously very different.  Using
>>> different means of access control, using other layers of security such
>>> as SELinux, implementing physical security measures, are all things
>>> that need to be done, and properly.
>> If you are introducing Linux as something new you can do that.
>> Otherwise you have to be very careful not to break existing programs and
>> infrastructure with changes and updates.
> 
> I don't see why there should be a requirement of being new.

When you install a new system you get time to test it and nothing to 
lose if it breaks.  But assume your payroll system is running on 
something that fails to boot or can't access its data after you do an 
update that is required for some security issue.  Now what?  Or worse, 
this could be some on-line, customer visible system that is the core of 
your business.

>> If you want a distribution to be more secure in actual use, you have to
>> make it painless to update and never break anything that previously
>> worked - otherwise some number of people just won't do it.
> 
> You do realise that there are different distros, and each has their
> niche. Fedora's niche is being fast-paced, some would argue not fast
> enough.

Perhaps, but if you want to deliver a product that does not have a 
usable way to fix subsequently discovered security flaws after a short 
time then it should have an actual expiration date and self-destruct 
instead of being left as easy prey for exploits that turn them into 
zombie spam relays or worse.  I, and probably most of the list members 
here, understand the experimental nature of fedora and that it simply is 
not suitable for anything that needs to be reliable over long periods of 
time.  However, I don't think everyone who has installed fedora 
understands that or the dangers of continuing to run any software beyond 
the time it is supported with security updates.  And I am inclined to 
believe the claims like this: 
http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723
saying that there are large numbers of rootkitted linux boxes around 
being used for evil purposes that their owners don't even notice.  It 
makes sense just because of the difficulty of keeping the installation 
up to date over the life of a machine.  Fedora isn't the only distro in 
this shape but it is probably one of the most popular with one of the 
most difficult upgrade paths.  I wouldn't be surprised if there are 
still large numbers of FC1 through FC5 installations in use because the 
currently supported versions don't ensure (or even suggest) backwards 
compatibility, in-place upgrades, or even a convenient way to back out 
to your previous version if you try an upgrade and find that it doesn't 
work with your hardware or applications.

-- 
   Les Mikesell
    lesmikesell at gmail.com



