Tuesday, March 24, 2015

The parable of SELinux - A Sunday reading from the Book of Tar

From the Book of Tar, 1:14:

And it came to pass that, in a town in Galilee, a SysAdmin could not stomach SELinux.

And he went to talk to a security.guru, and he said unto him:

"Because of SELinux, there is much crashing amongst my daemons, and my log files are void and empty, and my data center is silent"

And the security.guru replied:

"You have only your ignorance to blame, as SELinux will not yield its enlightenment to those who do not pursue its intimate knowledge".

And the SysAdmin, chastened, hung his head in shame, and returned to his datacenter cave, and began studying the SELinux wisdom in earnest. But instead of enlightenment, he felt the study was growing the doubt in his heart. And it came to pass that one of the sacred books read:

"You will learn the details of the SELinux policy for your distribution". 

And so the SysAdmin browsed its server policy and lo, the rules were thousands and their lot meaningless, and the kernel in its binary form was crystal clear by comparison.

And the SysAdmin, with much doubt in his heart, returned to the security.guru dwelling and said unto him:

"Surely you knew that intimate knowledge of thousands of rules is not possible and you were trying to test my resolve. Pray tell me what should I do now."

And the security.guru smiled, and told him, sternly:

"You fool! Why do you concern yourself with questions that are beyond thee? Don't you know that SELinux policies are brought to you by higher powers which you never may hope to stare upon? Return therefore to your keyboard, and relax."

But the sysadmin was sad in his heart, thinking:

"The guru advises me to study, but when study brings chaos and nonsense, he tells me to relax. But still my servers are down, and my logs are void and my datacenter suffers."

And turning in anger to the security.guru he saith unto him:

"Surely you have been smoking bad stuff, or ate the weed that brings madness"

But the guru replied:

"Your heart is evil and your soul is now lost, because you did not abide by the Principle of least privilege."

But the SysAdmin arose and explained to the guru, with several interesting details, what he should do with the Principle of least privilege and SELinux and its accursed lot, and advised him that returning to writing Windows ACLs would have brought several blessings unto him.

And the guru left with great anger and disdain, but as he left he fell into the Group Policies Gehenna, where there was much wailing and gnashing of teeth.

But the SysAdmin returned to his console and typed:

# for h in $(serverlist) ; do ssh $h setenforce 0; done

And lo, he felt a great peace in his heart, and a soft light shone on his black and green monitor, and a sweet scent filled the cave and the buzz of the servers was loud, and the daemons were running and the logs were full and the diagnostics again meaningful, and joy returned to the datacenter.