Threads for discovery

    1. 2

I wasn’t aware of those two utilities. Both system-config-selinux and selinux-polgengui are managed by the SELinux project but barely mentioned in any documentation.

system-config-selinux can show you labels and path mappings. It can display and manipulate SELinux policy booleans. That’s useful! You can even add your own labels and path maps. However, it can’t display or manipulate the policy modules themselves. It can list them, but it won’t tell you what they do.

      selinux-polgengui is a step-by-step wizard (with no explanation of what any of the fields mean) for creating new policy modules.

    1. 8

      I remember my first contact with SELinux about 2007 when I wanted to use XEN virtualization on Fedora.

      I put ISO images and systems ‘disks’ at my /home/vermaden dir - then specified path to these file at XEN configs and wanted to start the machine.

      I could not. I only got Permission Denied errors. Nothing more. I checked all the chmod(8)/chown(8) permissions but still no luck.

After losing half a day and searching for the solution on the net I found out that the default SELinux policy requires that all of these files need to be under /var/lib/xen/images path … and SELinux error Permission Denied tells NOTHING about this. It's just shit. Omit like all other shitty ‘technologies’.

      1. 14

The system call that opens the files is unaware of why access was denied. It doesn’t say it’s because of permissions or MAC. journald has made this a bit easier by displaying the program error log next to the audit messages. However, even if you realize that it’s SELinux there’s still no easy path or documentation on how to properly resolve the problem.

        1. 14

          There’s a related problem, which is the inverse of your specific case and which has been the root cause of some Chrome vulnerabilities on Linux.

          • If you get the policy wrong by making it too restrictive (your case), debugging the root cause is hard.
          • If you get the policy wrong by making it too permissive, you don’t get error messages of any kind, you just get security vulnerabilities.

          The root cause of both of these is that the policy is completely decoupled from the application. SELinux is designed as a tool for system administrators to write policies that apply globally to software that they’re managing but it’s used as a tool for software to enforce defence-in-depth sandboxing policies. Capsicum is a much better fit for this (the Capsicum code for the Chrome sandbox was about a 10th of the SELinux code, failed closed, and was easier to debug) but the Linux version was never upstreamed.

          1. 11

            But as the article expresses, system administrators typically don’t feel in control of SELinux policies. I think this is an agency problem. The developers are most familiar with the needs and potential vulnerabilities of a program. The administrators are most aware of the requirements the users of the software have. But the policies are written by the distributor (Fedora/Red Hat), who is aware of neither.

            The usability of SELinux isn’t great either (and as a developer I much prefer a capabilities-based system), but I think that’s almost secondary to the way it is used in practice.

            1. 7

And app documentation is generally completely missing about the environment the app is expected to run in, i.e. they say “linux” but never go into more depth. Stuff like the default is to read from these directories and write to these, I require these ENV variables, etc.

None of that is ever documented in any program I’ve ever found (that I remember). Shoot, just getting a list of ports a network app runs on for FW rules can be like pulling teeth sometimes.

              It’s super hard to write a reasonable SELinux policy without this information, so you run stuff like audit2allow and just hope for the best, and then randomly flip on extra permissions here and there until it seems to run, call it good and move along. To do it right you need to have developer experience and sysadmin experience and be willing to do deep dives for every installed instance.

              I’m a fan of Capsicum, and the pledge stuff that OpenBSD is doing, as at least the developers have a much better chance of getting it right @ runtime.
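The only information SELinux does give you when the story above plays out is the AVC denial in the audit log, and that is what audit2allow works from. The following is an added example, not code from the page or from the SELinux project: a small parser for AVC lines that prints the "who was denied what on which label" summary the Permission Denied error hides, and then reproduces the kind of `allow` rule audit2allow would generate for the same input. The log lines are constructed for the example, modelled on the real AVC format and on the Xen-in-/home story from the thread; the process name, paths, inode numbers and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from a real system): three AVC denials
# for a Xen device model touching a disk image under /home, plus one SYSCALL
# record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1181234567.123:42): avc:  denied  { read } for  pid=2210 comm="qemu-dm" path="/home/vermaden/xen/disk0.img" dev="sda3" ino=131077 scontext=system_u:system_r:xend_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1181234567.123:43): avc:  denied  { write } for  pid=2210 comm="qemu-dm" path="/home/vermaden/xen/disk0.img" dev="sda3" ino=131077 scontext=system_u:system_r:xend_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1181234567.200:44): avc:  denied  { search } for  pid=2210 comm="qemu-dm" name="vermaden" dev="sda3" ino=131073 scontext=system_u:system_r:xend_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1181234567.123:42): arch=c000003e syscall=2 success=no exit=-13 a0=7f0 comm="qemu-dm" exe="/usr/lib/xen/bin/qemu-dm"
"""

# "avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r"^type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "pid": fields.get("pid"),
        # files carry path=, directory lookups carry only name=
        "path": fields.get("path") or fields.get("name"),
        "stype": _type_of(fields.get("scontext", "")),
        "ttype": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
    }


def denials(log_text):
    """All denied AVC records in the log, in order."""
    recs = (parse_avc(line) for line in log_text.splitlines())
    return [r for r in recs if r and r["verdict"] == "denied"]


def explain(rec):
    """The sentence the EACCES error never tells you."""
    return (f'{rec["comm"]} running as {rec["stype"]} was denied '
            f'{",".join(rec["perms"])} on {rec["tclass"]} {rec["path"]!r} '
            f'labelled {rec["ttype"]}')


def suggest_allow_rules(log_text):
    """Group denied permissions per (source type, target type, class) and
    emit allow rules in the shape audit2allow prints them."""
    wanted = defaultdict(set)
    for rec in denials(log_text):
        wanted[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rec in denials(SAMPLE_AUDIT_LOG):
        print(explain(rec))
    print("\n# rules of the kind audit2allow would generate:")
    for rule in suggest_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

The generated rules are the "flip on permissions until it runs" fix the comment describes: they let the Xen domain read and write every file labelled `user_home_t`, which is far wider than one disk image. For a case like the one in the thread the narrower fix is to give the image the type the policy already assigns to /var/lib/xen/images (`semanage fcontext` plus `restorecon`, or `chcon` for a one-off), so the existing policy matches without a new module. The parser only helps with the first step, finding out that SELinux is the reason at all.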

              1. 5

                Another thing developer-managed capabilities facilitate is dynamically dropping them at runtime. The administrator has disabled the admin interface? Drop network privileges. Did you finish reading your config file? The developer knows the process never needs to read another file again.

                On the other hand, these policies are not easy to audit. They sit embedded in the code, opaque to administrators and auditors. Knowing what they are requires you either trust the developer, or have access to the source code.

                SELinux is a good policy system for an ecosystem where there’s an adversarial relation between the people implementing the software, and the people who run it. I don’t think it’s a natural fit for most FLOSS operating systems.

              2. 3

                So to summarize, no-one likes selinux because it’s hard for everyone

            2. 5

              I only got Permission Denied errors. Nothing more.

This is the typical “first contact” with SELinux. You might be super well versed in Linux/Unix security with years of experience in several distros, but if you’ve never used a system with SELinux (i.e. RedHat), this is what you’ll see and it’s absolutely maddening. None of your regular Linux skills and knowledge transfer to an SELinux-enabled Linux, and the errors make no sense. And to ask someone to spend weeks or months studying this crap that’s typically only used in the context of one distro? I don’t think so.

              1. 1

Try to put some libvirt virtual machine images outside of /var/lib/libvirt/images if you have apparmor enabled (for example on debian). Great fun ahead. I can understand that pain, not only related to SELinux :/

              1. 3

                I’m slightly disappointed that there’s no demonstration of the technique in the post.

                1. 3

                  The sidenotes (desktop only) use it. The hero image (above the headline) demonstrates the effect.

                1. 10

                  I use .lan only because it was the default in openwrt, but I like that this exists.

                  1. 2

                    You should avoid that and other made-up TLDs unless you’ve configured your DNS server/root with a .lan top-level domain zone file.

                    1. 4

                      Confused by this comment. Wouldn’t they have to do that to even use any made up TLD like .lan?

                      1. 2

                        I believe openwrt just uses that as the default name, but doesn’t do any DNS setup to handle it.

                        1. 4

                          That’s not true. dnsmasq in openwrt is configured to route foo.lan to whichever device advertised their name as foo with DHCP (or the ipv6 equivalent).

                          1. 1

                            Got it. I meant that if you did start using it, it wouldn’t work anyway so you’d have to set it up correctly. So you can’t use (or avoid) made up TLDs without DNS configuration.

                            I guess I’m just being particular about the language but the OP to me communicated there’s a way to use a made up TLD without configuring DNS and that you should avoid doing so which doesn’t make sense.

                            1. 1

                              Is this a bug in openwrt that could be fixed with a submitted patch?

                      1. 4

                        This reminds me of this other recent story: https://lobste.rs/s/0ihysv/tlds_putting_fun_top_dns

“After a short period of initial experimentation, all current ARPA-Internet hosts will select some domain other than ARPA for their future use. The use of ARPA as a top level domain will eventually cease.” – RFC920

                        1. 4

                          That quote is from October 1984. Things change.

                        1. 3

                          You can look at the whole history over the last 10 years, and 1Password has never been down for more than 3 hours. Most outages are <1 hour, scheduled ahead of time for maintenance in the middle of the night. :shrug:

                          I feel really good about giving them money!

                          1. 5

                            1password is a proprietary service, one day they will no longer exist.

                            1. 4

                              There are many solid businesses that have been around since before the notion of free software even existed. And the average open source project doesn’t exactly have a long maintenance lifetime. I think I’ll take my chances.

                              1. 3

                                Pass is simple enough that it could be reimplemented in an afternoon if its ‘maintenance lifetime’ ended and it was (magically, for some reason, but I’ll play along) no longer available to decrypt my passwords.

                              2. 3

                                Is it more probable that I’ll stop existing first, though?

                                1. 4

                                  Recent history is full of technology companies that have gone under, or were acquired and their services shuttered.

                                2. 1

                                  However the 1Password apps store a local copy of the data so even if the servers go offline (or down forever) you can still access the data and the desktop app lets you export the data.

                                  1. 3

                                    That’s how it works today, but there’s no guarantee it’ll work like that tomorrow. And since it’s proprietary, you’re just along for the ride.

                                    1. 0

                                      That’s a little too cynical for my liking.

                                    2. 1

LastPass and Bitwarden do this too. However, you can’t access it in situations when you’re online and they have a problem with their logon servers. Their apps reach out to the server to verify the login and get a fault condition. Their apps don’t then allow you to access the password vaults even though you have all you need to decrypt it locally. The local copy only works if you go offline first and then try to login.

                                1. 5

                                  I’m just waiting for Google to break uBlock Origin. It’ll be a lot easier to coax people into installing Firefox once it has some real, unavoidable, tangible benefits.

                                  I’ve already got people running Firefox for Android because of it.

                                  1. 1

                                    They have no privacy anyway, though. They’re already running Firefox within Android. Do you realize how tightly Chrome is integrated into Android?

                                    1. 1

                                      Firefox has First-Party Isolation. That’s its killer feature.

                                      1. 1

                                        First-Party Isolation is cool, but it’s basically invisible. It doesn’t have the kind of quality-of-life improvement that uBlock can provide on some sites.

                                        1. 1

                                          It doesn’t have to be invisible. Up to you.

                                    1. 6

                                      The author cites Zstandard compression as a reason for using Caddy. However, no web browser supports it. (Test tool.) He doesn’t mention Brotli which is supported just about everywhere. I feel like I’m missing something here.

                                      1. 3

                                        I also got the impression that not much research has gone into this, especially from that part. I’m pretty intrigued by Caddy, but I was surprised when the article abruptly ended as I expected it to go deeper into the reasoning and experience/result of the switch.

                                      1. 9

                                        It’s good to see another article like this. I remember reading his other post. I’ve been hosting my own e-mail for years; currently running on an opensmtpd/openbsd stack, and I’ve run into a lot of the same issues.

                                        coming from the same country (currently led by a lunatic who abuses power and probably suffers from NPD)

I really dislike these little quips at political commentary. I’m no fan of the Orange Man either, but stuff like this ignores what he’s trying to say in the article – the big players: big tech, big defence, big pharma and big oil are the ones who call a lot of the shots. The Big E-mail the author talks about is the core issue, not the orange puppet, and talking about his mental state without examining him personally is problematic.

I like how the author dives into sanctions though. Not only Github, but Adobe and other major platforms have cut off people from essential tools due to a mix of sanctions and shitty subscription models. This stuff alone should encourage people to set up their own infrastructure using open source projects (e.g. run Gogs, Gitlab, etc.). In the case of Adobe … well since you can’t actually buy their software anymore, either buy a used CS6 license or .. I think we’re just going to see more piracy really.

                                        I don’t think that either one of the Big Mailer Corps are evil or bad, I use some of their services on a daily basis

                                        I get what he’s trying to say: if you’re in tech, do the work to help build out a diverse Internet ecosystem .. but most people are going to use the big stuff cause it’s easy and cheap or free. I dunno how I feel about this. I don’t like the big players and I’m not sure I agree with the author that most of them are operating for the greater good. .. They might have good people working there, but companies end up having emergent goal-setting that is more than the sum of its parts; and that is focused on infinite growth and domination in a way the individuals may not be.

                                        1. 10

                                          Sanctions apply to everyone, not just big corporations. It’s just as illegal for J. Random Hacker to make their tarballs available to users from Iran from a server hosted in their basement as it is for Github. Distributed infrastructure may make it more difficult to enforce, but then a sufficiently lunatic government can build a Great Firewall of $country to make distributed infrastructure impossible.

                                          There are many reasons to build a diverse, distributed Internet infrastructure, but it’s not a way to keep governments from enacting more control over the people.

                                          1. 1

                                            Sanctions apply to everyone, not just big corporations. It’s just as illegal for J. Random Hacker to make their tarballs available to users from Iran from a server hosted in their basement as it is for Github.

                                            This is true, and is a valid point.

                                            Distributed infrastructure may make it more difficult to enforce, but then a sufficiently lunatic government can build a Great Firewall of $country to make distributed infrastructure impossible. There are many reasons to build a diverse, distributed Internet infrastructure, but it’s not a way to keep governments from enacting more control over the people.

                                            This, I disagree with partially. Making a bad law more difficult to enforce changes the incentives of the government trying to enforce it in favorable ways. It forces governments to either spend more political capital and money on enforcement, or decide that it’s not worth it to enforce and give up. This was the case with alcohol prohibition in the United States and also marijuana prohibition in many jurisdictions. A diverse distributed Internet infrastructure might not prevent governments from enacting laws that are designed to give them more control over the people, but it will make it easier for people to break those laws, and that matters.

                                          2. 4

                                            I really dislike these little quips at political commentary. […] [Companies] are the ones who call a lot of the shots.

It’s a very timely comment. Russia blocked StartMail and ProtonMail this week. Mailbox.org is next. Tutanota provide the same type of services as the three others so they may be a likely target after that.

                                          1. 4

                                            Thanks for sharing. I had no idea these directives existed.

                                            1. 4

                                              They are really underrated. I often configure them for services packaged for Debian. Most upstream developers are unaware of those or even unaware of sandboxing in general.

                                              1. 3

                                                There are a lot more than the ones mentioned in the article. It’s meant as an introduction to make more people aware that these exist. Check the systemd.exec man page for more directives.
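What the comments above describe, an application that never documents which directories it reads and writes or which ports it needs, is exactly the information these directives encode next to the service. The unit below is an added example, not the article's or any project's unit file: it assumes a hypothetical service `example-web.service` whose binary `/usr/local/bin/example-web` listens on an unprivileged TCP port and keeps its only writable state under /var/lib/example-web. The first unit is the usual minimal one; the second adds the `systemd.exec` directives that state those assumptions and have systemd enforce them.

```ini
# /etc/systemd/system/example-web.service  (before: runs as a user, nothing else)
[Unit]
Description=Example web service (hypothetical)

[Service]
User=example-web
ExecStart=/usr/local/bin/example-web

[Install]
WantedBy=multi-user.target
```

```ini
# /etc/systemd/system/example-web.service  (after: the same service, sandboxed)
[Unit]
Description=Example web service (hypothetical)

[Service]
User=example-web
ExecStart=/usr/local/bin/example-web

# Filesystem: everything read-only except the one state directory systemd creates
# and chowns for us; /home and /tmp are not this service's business.
ProtectSystem=strict
StateDirectory=example-web
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes

# Kernel surfaces the service has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes

# Privileges: no capabilities at all, and none can be gained via setuid binaries.
CapabilityBoundingSet=
NoNewPrivileges=yes

# Network: IPv4/IPv6 sockets only (no AF_UNIX, AF_NETLINK, AF_PACKET ...).
RestrictAddressFamilies=AF_INET AF_INET6

# Syscalls: the generic service allow-list, native ABI only.
SystemCallFilter=@system-service
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security example-web.service` scores the exposure of the unit and lists every directive still left at its permissive default, which is a quick way to check what the sandbox actually covers. The flip side is the one the SELinux thread above complains about: with `ProtectHome=yes` a config that points the service at a file under /home fails with a plain permission error, so the reason has to be looked up in the unit. The difference is that here the policy lives in the unit file next to the service and is written in the same vocabulary as the documentation that should have listed those paths in the first place.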

                                                1. 1

                                                  Many thanks!

                                              1. 1

                                                Another concern I have with these TLDs is that many of them are run by private companies. What if they decide that they no longer want to host .ninja because it’s not a good ROI? Or what if the company goes belly-up?

                                                1. 2

                                                  Almost every single TLD is run by a private company. This problem isn’t unique to the newer TLDs.

                                                  1. 1

                                                    They will probably sell off their existing customer base (i.e. the domain name holders) to another company with better operating margins.

                                                    1. 2

                                                      probably

                                                      Personally, I’d rather not stake my business’ stability on that.

                                                      1. 1

                                                        That’s a valid concern, I was for some reason thinking about personal domains only.

                                                  1. 9

                                                    I’ve independently reproduced the results for .com and .blog, and identify CentralNic, a TLD infrastructure service provider, as the common backend for some of the slowest TLDs.

                                                      1. 4

                                                        I am using Brave for what seems like close to 3 years now. Started back when they were not based on Chromium. And have had nothing but a pleasurable experience with them.

What I don’t get is when some users complain that they are doing something “unethical” by removing ads and showing their own ads. The thing is that all of this is custom. As a user using Brave you can: 1) opt-out of adblock and see all the ads; 2) block all the ads; 3) choose to see the ads displayed by Brave.

                                                        The choice is yours according to your own ethical standards.

                                                        1. 1

The “defaults” are agree, agree, replace all ads with “braver ads”, however. You may customize your browser, but the tyranny of the default suggests most people just stick with the default.

                                                          1. 2

                                                            But that is not so! There are a couple things wrong with this impression. 1st - in order to receive Brave ads you have to opt-in to Brave rewards. Before that you will not see any ads from them. And 2nd - you say “replace all ads with brave ads” - this never happens. Brave does not replace html ads, Brave ads are shown via OS notifications, not even in the browser. So you can see both sets of ads if you want, there is no “replacing”. 3rd - one important point that is missing is that you get revenue for seeing Brave ads if you choose to do so, and whatever you get is redistributed to websites you visit, based on click-counts.

                                                            I am not sure how so many people can have the same distorted impression at the same time. I saw this repeated on hacker news over and over. At first I suspected that google or some other corp is behind this misinformation, with the purpose of saving their ad revenue. But seeing this on lobste.rs - it’s probably not the case.

                                                        1. 2

Is there any way to protect your site if it’s being served through a CDN? Not just the site’s resources but the pages and everything.

                                                          1. 5

                                                            A proxying CDN like Cloudflare? No, they’re a voluntary man-in-the-middle for your website.

                                                            1. 2

                                                              If you’re using something like CloudFlare for your pages, then as far as the browser is concerned CloudFlare is your site.