SElinux; rant about NAT

William Muriithi william.muriithi-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Sat Aug 16 18:51:10 UTC 2014


> That is not sufficient to make one "safe".  For example, a major vector
> for malware is client software: browsers and plugins (Flash, Java,
> Acrobat).  And unpredictable other things like OpenSSL.
>
> In theory, good defence includes defence in depth.  SELinux is another
> layer of protection.

Pretty well said. It's pretty common to hear people complaining about SELinux
being unnecessary, unfortunately.  Personally, I also don't turn it off but
try to fix mislabelled files and ports when it comes in the way.

We should be grateful these folks have done a lot of work to make very
complicated security technology very friendly.  For example, I think it may
some day solve the problem of apps on Android messing around without the user's
knowledge.
>
> When I first heard of SELinux, I never thought it would fly.  Just too
> many entries to populate in the policy matrix.  But, with a lot of
> effort, they have made it work.
>
Really impressed with their effort. I am on their mailing list and they
are willing to include support for pretty much every application out there.
You just need to raise it with them and when it works, the solution goes into
the Fedora distribution policy file, however small the userbase for that
application is.
> SELinux works quite well for me.  That's because I don't stray far out
> of the things provided by Fedora or Red Hat.  They've done all the
> work.  But if you put up third-party services, I suspect you will have
> to start understanding the arcane details of SELinux.
>
Yeah, if that happens, there are tools to generate a policy for your problem
without necessarily understanding too much of SELinux. It works sort of
well, though sometimes it pokes too big a hole. Better though than disabling
it altogether.

Alternatively, you can disable SELinux for only that service. For example,
if you have Oracle running, you can turn off SELinux for anything Oracle
related system wide while it remains enforcing on the rest of the system.

> The IETF mostly thought that NAT would be behind us with IPv6 but the
> Bad Guys are thinking of worse stuff: "Carrier-Grade NAT".  Most of
> us have one real (routable) IP address at home, something we can
> leverage; with carrier-grade NAT, we will have no routable IP address.
> --
I am hoping it wouldn't work out, as the last time I checked, it broke a lot
of services and not all carriers are moving that way.  So over time, those
who adopt IPv6 would have a competitive advantage over carrier-grade NATs.

I think in countries like China where they need to track their users,
carrier-grade NAT wouldn't be acceptable as it's harder to track a user
behind carrier NAT. Or is this assumption pretty wrong? Do we have a carrier
that has successfully adopted carrier-grade NAT at this moment?  Would be
nice to know so that we can track how their users are responding to it.

William
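An added example, not from the thread, of the per-service approach described above: triage AVC denials by source domain and emit a `semanage permissive -a <domain>` command for each, rather than switching SELinux off globally. The audit lines are constructed; the type names `oracle_t` and `oracle_port_t` are placeholders and are not claimed to exist in the Fedora policy.

```shell
#!/bin/sh
# Group AVC denials by source domain so that one domain can be made
# permissive while the rest of the host stays enforcing.
# On a real system the input would come from: ausearch -m avc -ts recent

# Constructed sample audit lines; oracle_t / oracle_port_t are placeholders.
SAMPLE_AVC='type=AVC msg=audit(1408215070.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=1521 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:oracle_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1408215071.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="tnsnames.ora" dev="dm-0" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1408215072.789:458): avc:  denied  { write } for  pid=2222 comm="oracle" name="alert.log" dev="dm-0" ino=99 scontext=system_u:system_r:oracle_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0'

# Print the source domain type (third field of scontext) of one AVC line.
avc_source_domain() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Read AVC lines on stdin; print "count domain" per denied source domain,
# most frequent first.
avc_denials_by_domain() {
    grep 'avc:  denied' | while IFS= read -r line; do
        avc_source_domain "$line"
    done | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# For each domain seen in denials, emit the narrowly scoped command that
# leaves the rest of the system enforcing. Printed, not executed: review
# the denials first, as audit2allow -M on the same input may grant far more.
suggest_permissive_domains() {
    avc_denials_by_domain | while read -r count domain; do
        printf 'semanage permissive -a %s   # %s denial(s)\n' "$domain" "$count"
    done
}

printf '%s\n' "$SAMPLE_AVC" | suggest_permissive_domains
```

Once the application's real needs are understood, `semanage permissive -d <domain>` restores enforcement for that domain.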