Welcome to Friendica.Eskimo.Com
Home of Censorship Free Hosting
E-mail, Web Hosting, Linux Shell Accounts terminal or full remote desktops.
Sign Up For A Free Trial Here
Please tell your friends about federated social media site that speaks several fediverse protocols thus serving as a hub uniting them, hubzilla.eskimo.com, also check out friendica.eskimo.com, federated macroblogging social media site, mastodon.eskimo.com a federated microblogging site, and yacy.eskimo.com an uncensored federated search engine. All Free!
kureta
in reply to bleustenns • • •papercut
in reply to kureta • • •Soot [any]
in reply to papercut • • •Nanook
in reply to bleustenns • •fozid
in reply to bleustenns • • •hendrik
in reply to bleustenns • • •Thordros [he/him, comrade/them]
in reply to bleustenns • • •CallMeAl (like Alan)
in reply to bleustenns • • •boredsquirrel (he)
in reply to CallMeAl (like Alan) • • •dwt
in reply to bleustenns • • •AcornTickler
in reply to bleustenns • • •like this
Sickday likes this.
ChristchurchAsshole
in reply to bleustenns • • •Soot [any]
in reply to bleustenns • • •Linux permissions are obvious, straightforward, and very easy to change - They rule.
SELinux permissions are impossible to see, seemingly pointlessly more complex, and I don't know how to check them or change them i.e. They drool.
As a power user who is constantly changing system stuff, installing weird stuff, running weird servers, disabling SELinux is like, step 2 of installing Linux for me (and honestly, even if you're not a power user, I can assure you at least ONE issue you've faced was actually caused by SELinux under the hood). I have wasted whole days working out just that SELinux is causing my fucking issue, and then days more on how to fix the permissions, and then days more doing those again when those permissions RESET as it is wont to do and days more trying to make my needed changes permanent. And let's not even get started on how to transplant an SELinux permissions structure from one disk to another. So instead of a week's worth of frustrating work every year, I can spend one minute disabling SELinux.
Its implementation feels contradictory to the most basic principles of understandable and workable systems. It's like the NSA wanted to make software that was the diametric opposite of the Zen of Python. It's ugly, it's implicit, it's complicated, nested, dense, unreadable, full of special cases, and silent errors, it constantly guesses in the face of ambiguity (which is why I have to constantly correct it).
Basically, I have wasted too much of my life faffing with an opaque and ludicrously complex permissions layer that seems to be there solely as a 'just in case' my already existing permissions aren't good enough.
PEP 20 – The Zen of Python | peps.python.org
Python Enhancement Proposals (PEPs)like this
Badabinski likes this.
Formless Oedon
in reply to Soot [any] • • •Soot [any]
in reply to Formless Oedon • • •If you're just doing normal sheet, you should ideally basically not even notice SELinux. And in that sense it's good.
If you're doing any dev or running any server software or some kind of freaky setup, my advice is disable it. At least all you have to do is turn a true into a false.
atzanteol
in reply to bleustenns • • •It's awesome, but very complicated to use and overkill for most homegamer setups.
The first interaction most people have with it is when it stops something they want to do from working and it's not obvious why. Then the first selinux command they learn is how to disable it.
pinball_wizard
in reply to atzanteol • • •Spooky accurate.
DanceMomsSavedMe
in reply to bleustenns • • •It was made by the NSA so that's already minus 5 points right there.
I'm not kidding. Look it up on DDG.
zwekihoyy
in reply to DanceMomsSavedMe • • •chgxvjh [he/him, comrade/them]
in reply to zwekihoyy • • •Lemmert
in reply to chgxvjh [he/him, comrade/them] • • •chgxvjh [he/him, comrade/them]
in reply to Lemmert • • •Synestine
in reply to DanceMomsSavedMe • • •My dude, check this out (or don't, whatever), but the NSA has a Blue Team (defense) as well as a Red Team (the one you're irrationally angry at). The NSA Blue team is responsible for securing US computer systems. Look that up on DDG.
SELinix is a MAC layer built to supplement the DAC later (traditional UNIX permissions) intended to secure things the DAC doesn't.
With it, Apache can't read /etc/password or random locations like /opt/something/somewhere. Without it, we get the Equifax data breach of 2017.
Everyone saying "I can't stand up a simple web server with SELinux running" glosses over (or ignores) the fact that if they just put their files in the default location, which has the default contexts, it works. They just get pissed that they can't serve up /some/random/location/ without fixing the context so Apache is allowed to read the files.
Pommes_für_dein_Balg
in reply to bleustenns • • •The machine is behind a firewall anyway so it's safe.
boredsquirrel (he)
in reply to Pommes_für_dein_Balg • • •Pommes_für_dein_Balg
in reply to boredsquirrel (he) • • •chgxvjh [he/him, comrade/them]
in reply to bleustenns • • •uuj8za
in reply to bleustenns • • •swelter_spark
in reply to bleustenns • • •deadbeef79000
in reply to bleustenns • • •It surprises me. Rather it's not SELinux it's userland stuff that reports the wrong error.
Say I try to mount a directory into a podman container and try to read a file. I get some variety of file not found (it's right there, I can see it) or permission denied error (its permissions are 777) but in reality its label is wrong.
comfy
in reply to bleustenns • • •Excessive for my threat model, one more thing which could break something (even if by no fault of its own).
I like it as a concept, but many of my devices don't use it.