Mailinglist Archive: opensuse-factory (1029 mails)

< Previous Next >
Re: [opensuse-factory] Re: [opensuse] Re: What happened to dovecot?
On 11/29/2013 9:00 AM, Claudio Freire wrote:
On Fri, Nov 29, 2013 at 3:20 AM, L.A. Walsh <suse@xxxxxxxxx> wrote:
On 11/28/2013 1:13 PM, Claudio Freire wrote:
Standard or not, it's the kind of security mechanism that takes so
much effort and knowledge to properly set up, that it HAS to be set up
by the distribution, and by default, to be of any value.
Then why are firewalls 3rd party applications? They can be just
as hard to configure.

They're not. Linux firewalls live in the kernel, and default linux
installs (especially openSUSE) have included properly configured
firewalls for years.
Maybe you're thinking windows.
Sorry, firewall != packet routing. The kernel has packet routing.
It's not until it is configured to selectively reject or drop packets that
it becomes a firewall. Maybe you are forgetting, for example, shorewall?
There've been others before that.

Well, firing up yast and turning it off isn't rocket science, but
sure, an option somewhere on the advanced install procedure couldn't
How would they know it is on or where to go to turn it off if
they were new to OpenSuse?

So are you saying, or do you believe that if you don't force the
policy on users, it won't be of any value?

Pretty much.
Um again, difference between installing it on, or installing pre-
configured & off.

Ie: regular users, and that includes many developers, anyone not
specialized in linux security in fact, don't really know how to
configure something like AppArmor or SELinux, and if they know, they
don't want to have to spend the time to do it on every installation.
Well, firing up yast and turning it ON isn't rocket science...

For the ones that do not know, having it on by default is a necessity,
since they won't even think of turning it on. And those are probably
over 90% of the target audience.
For the ones that do not know opensuse has a non-default
security, they won't even know what to turn off, let alone where.

And in this field (security), statistics matter. Securing 1% of the
target audience is worth nothing, well, unless that 1% happens to work
on a nuclear reactor or something critical like that. But having a
good chunk of the install base vulnerable just encourages botnet
proliferation, and that's a problem for us all.
Documentation? Botnets have not been a problem on Linux --
especially those configured with firewalls. Maybe you are thinking
Windows? ;-)

SELinux is built-in by default. If they want SELinux, has it been
with AppArmor?

SELinux and AppArmor were developed in parallel IIRC, ie: they're two
technologies with the same aim.

I don't think they're exclusive technically speaking (ie: with a lot
of love they could be made to work together), but I do believe they're
not intended to coexist.

There's also the Biba+Bell La-Padula security models
embodied in
Smack. It has had the benefit of being a tried and true method for DOD
since the 80's.

I wouldn't use them as role models. Nor the others you mention.

Does apparmor support chksum based rules, or path only?

As for it possibly only protecting niche users -- maybe
only niche users need that level of protection -- vs. the accompanying problems of programs not working.

Most common error of those that don't know about security.
The most common error of those who think they know about security is
that they know about how to help everyone else.

Security isn't an individual thing.
First thing many product vendors could get right is to not assume
they know what is best for all users. Only notable problem I had with
a mixed linux/Windows environment, was the linux sendmail being misconfigured
upon upgrade to stop enforcing my access list.

It was caught before much damage happened, but apparmor wouldn't have
helped because it was right after an upgrade and no baseline for the new apps
had been set, so any new rules that were needed would likely have been missed
in setup-related approvals.

Generally, you don't let other people log onto your computer. If
they have gotten that far, that's bad. AppArmor, is more for internal
threats initiated from the computer
on parts of itself.

Nope, AppArmor is for damage contention. WHEN some of your apps'
security gets breached, AppArmor stops it from spreading harm.
If one app, inside your perimeter loses protection, isn't it stopping
the spreading by putting up a wall between apps on the same computer? -- i.e.
what is now an internal threat initiated internally (from the compromised app)
upon other parts of your computer or network?

That type of security policy might be more useful in
computers FROM the USERS... Turning it on by default, certainly indicates
an unwillingness
to even give users a choice of what security mechanisms they want on their

So making things clear and apparent to users is FUD, while doing
things without their consent is fine? You got FUD backwards.
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups