SELinux insanity

Leon Goldstein metapsych at earthlink.net
Mon Dec 14 19:01:35 PST 2020


> Truth is also under attack.
In a former reincarnation - US Army officer - I monitored Communist bloc 
propaganda.  So I have a bit more "sensitivity" to the art and science 
of manipulation of fact.

What bothers me more than anything else about the way mainstream media 
goes about its business is the utter artlessness of their manipulation 
of fact - propaganda.  If you are going to lie to me, at least 
demonstrate some creativity and artistry for me to appreciate.

The big manipulation we are subjected to is incomplete reporting.  This 
is the unfortunate consequence of the media's shift from reporting the 
news to making it.

Another example: another UK study examined the Wuhan/Covid 19 infection 
rates among Lupus patients.  Since everyone in the UK is under the 
government-run National Health scheme, everyone's medical records are 
accessible in their computerized records.

In the UK and elsewhere Lupus is often treated with hydroxychloroquine.  
So the study examined if Lupus patients receiving hydroxychloroquine 
were less susceptible to infection. The study found that these patients 
were just as subject to infection whether they took hydroxychloroquine 
or not.  So this study was immediately seized upon as proof that 
hydroxychloroquine is worthless as a prophylactic.

Well, for one thing, hydroxychloroquine has been used, in combination 
with zinc and other medications, to treat - therapy - Wuhan/Covid 19 
patients.  Its desired effect is to prevent or reduce pulmonary edema.

Getting back to the aforementioned Lupus patient study.  Lupus is 
typically treated with steroids.  Once again the study carefully 
excluded the collateral effect of steroids prescribed in addition to 
hydroxychloroquine.  It did not take into account all of the medications 
taken by the Lupus patients.  So this study was contaminated by 
deliberately ignoring a significant factor - steroids.  So much for 
open-minded scientific study.

On 12/14/20 9:18 PM, Matthew Carpenter wrote:
> Science is not the only thing that has come under attack.
> Truth is also under attack.
>
> So are we.  Whether you lean left or lean right, we have been assaulted by a
> brand of truth that pits us against each other, and none of us seem to have
> the grounding and ability to bridge the gap between us.
>
> The dehumanization and utter nonsense we've seen fueled by liberal and
> conservative political entities has left us with nothing but to fight or meet
> each other.
>
> I recommend we choose the latter.  We've spent too much time building the
> respect to burn it on marketing.
>
> My 2 cents.
>
> Matt
>
> On Monday, December 14, 2020 5:48:54 PM EST Lonni J Friedman via Linux-users
> wrote:
>> I know not what this "Danish Science" is.
>>
>> There's science, and then there's everything else which is abused to
>> support one's agenda.  If all you've got to support a fringe
>> conspiracy theory are scientific discoveries from hundreds of years
>> ago, then you're grasping, desperately at straws.
>>
>> On Mon, Dec 14, 2020 at 2:46 PM Leon Goldstein <metapsych at earthlink.net>
> wrote:
>>> Right, Lonni; Danish science is bunk.  Tycho Brahe knew nothing about
>>> astronomy and Niels Bohr knew nothing about making an atomic bomb.
>>>
>>> On 12/14/20 5:43 PM, Lonni J Friedman wrote:
>>>> Just because you proclaim something as "science" does not make it so.
>>>> It never ceases to amaze me how many people are self declared public
>>>> health experts based on racism, unsubstantiated rumors and widely
>>>> debunked conspiracies.
>>>>
>>>> It's quite sad how COVID19 has exposed the worst impulses of so many.
>>>>
>>>> On Mon, Dec 14, 2020 at 2:20 PM Leon Goldstein via Linux-users
>>>>
>>>> <linux-users at linux-sxs.org> wrote:
>>>>> I don't know if any of you guys run SuSE these days, but it too has its
>>>>> very annoying quirks.  I just run Mint Mate and am very satisfied with
>>>>> it.
>>>>>
>>>>> Re Wuhan virus aka Covid 19:  make sure you are getting the full daily
>>>>> recommended dose of vitamin D.  That is science.  Face masks, "social
>>>>> distancing," lock downs etc. are political science. The Danes already
>>>>> demonstrated that face masks are of very doubtful value.
>>>>>
>>>>> On 12/14/20 5:11 PM, Matthew Carpenter via Linux-users wrote:
>>>>>> Hey Lonnie, I hope you'll let this one pass, it's been a while since
>>>>>> I've flung a distro-war comment:  Perhaps you need to get off RH
>>>>>> stuff ;)
>>>>>>
>>>>>> jk!  I know that to each their own.  I get enough flack from running
>>>>>> Ubuntu. RH is a solid choice as well.  Each distro comes with its
>>>>>> own pain points.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Anyway, more seriously...
>>>>>>
>>>>>> 1) Why do you have *anything* writing random temp files to /etc?
>>>>>>
>>>>>> 2) You can enable permissions by command.  So if you *want* sed to
>>>>>> have write access to /etc, I guess...
>>>>>>
>>>>>> 3) I'm guessing you may want to rewrite whatever tool/script you're
>>>>>> using to use a real temporary file.
>>>>>>
>>>>>> 4) I might consider trying /etc/hosts.deny as a symlink to a different
>>>>>> location (eg. /var/tmp/shitcan/hosts.deny), where you can give
>>>>>> complete access to sed without any real concerns.
>>>>>>
>>>>>> SELinux and AppArmor do serve a good purpose.  They *do* stop a lot of
>>>>>> exploits... and when they don't, they've pushed the attacker to be
>>>>>> creative
>>>>>> and do a lot more work writing their exploit.  Believe me.
>>>>>>
>>>>>> I hope you are well, Lonnie.  I miss "hanging out" with you and the
>>>>>> rest of
>>>>>> the gang.  It seems we've all grown up, as has Linux.  Still great to
>>>>>> know you are still here.
>>>>>>
>>>>>> Matt
>>>>>>
>>>>>>
>>>>>> On Monday, December 14, 2020 3:58:29 PM EST Lonni J Friedman via
>>>>>> Linux-users wrote:
>>>>>>> The problem is that the file is a sed generated temp file when it's
>>>>>>> editing (note the randomly generated /etc/sedIYn1RO in the error
>>>>>>> msg),
>>>>>>> so I have no way of knowing the file name in advance.
>>>>>>>
>>>>>>> Thanks for the tip regarding audit2allow.  Unfortunately, its
>>>>>>> recommending making all of /etc/ writable with:
>>>>>>>
>>>>>>> allow fail2ban_t etc_t:dir write;
>>>>>>>
>>>>>>> I guess that's better than disabling SELinux altogether, but still
>>>>>>> kinda
>>>>>>> crappy.
>>>>>>>
>>>>>>> On Mon, Dec 14, 2020 at 12:54 PM James McDonald <james at toggen.com.au>
> wrote:
>>>>>>>> I'm reticent to make dumb suggestions as I know you are way more
>>>>>>>> experienced with this stuff than me but....
>>>>>>>>
>>>>>>>> Sounds like you need to change the policy or context of the file you
>>>>>>>> are
>>>>>>>> doing the in-place edit to, to allow fail2ban to do its thing.
>>>>>>>>
>>>>>>>> Have you tried audit2allow?
>>>>>>>>
>>>>>>>>
>>>>>>>> On 15 Dec. 2020 7:16 am, Lonni J Friedman via Linux-users
>>>>>>>> <linux-users at linux-sxs.org> wrote:
>>>>>>>>
>>>>>>>> Hi folks,
>>>>>>>> Hope you're staying safe during these crazy times.  Happy holidays
>>>>>>>> too
>>>>>>>> (if possible)!
>>>>>>>>
>>>>>>>> Remember SELinux?  That thing that Redhat forced upon the (linux)
>>>>>>>> world so many years ago?  It was supposed to make things more
>>>>>>>> secure.
>>>>>>>> It's been a thing for such a long time, surely all the rough edges
>>>>>>>> have
>>>>>>>> been smoothed out by now, right?
>>>>>>>>
>>>>>>>> Wrong.  I'm in the process of building out a new production
>>>>>>>> environment, and I keep tripping over random stuff that doesn't work
>>>>>>>> because SELinux isn't configured correctly out of the box.  I've
>>>>>>>> managed to tweak most of the issues, but there's one remaining bit
>>>>>>>> of
>>>>>>>> SELinux pain that I'm struggling to fix.
>>>>>>>>
>>>>>>>> I've got fail2ban configured to manage /etc/hosts.deny for the bots
>>>>>>>> trying to brute force their way in via ssh.  I don't even permit
>>>>>>>> password auth, so this is really just to reduce the noise of auth
>>>>>>>> failures in my logs.  The problem is that SELinux is preventing
>>>>>>>> fail2ban from calling sed to manage /etc/hosts.deny.  Every time it
>>>>>>>> tries, it fails with this fun mess:
>>>>>>>>
>>>>>>>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>>>>>>>> 7fe1d018cc00 -- exec: IP=$(echo "45.238.121.134" | sed
>>>>>>>> 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /etc/hosts.deny
>>>>>>>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>>>>>>>> 7fe1d018cc00 -- stderr: "sed: warning: failed to set default file
>>>>>>>> creation context to unconfined_u:object_r:net_conf_t:s0: Permission
>>>>>>>> deniedsed: couldn't open temporary file /etc/sedIYn1RO: Permission
>>>>>>>> denied"
>>>>>>>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>>>>>>>> 7fe1d018cc00 -- returned 4
>>>>>>>> 2020-12-13 03:20:32,938 fail2ban.actions        [2312]: ERROR
>>>>>>>> Failed
>>>>>>>> to execute unban jail 'ssh-tcpwrapper' action 'hostsdeny' info
>>>>>>>> 'ActionInfo({'ip': '45.238.121.134', 'family': 'inet4', 'fid':
>>>>>>>> <function Actions.ActionInfo.<lambda> at 0x7fe1d06a2b80>,
>>>>>>>> 'raw-ticket': <function Actions.ActionInfo.<lambda> at
>>>>>>>> 0x7fe1d06a7280>})': Error unbanning 45.238.121.134
>>>>>>>>
>>>>>>>> sed system_u:system_r:fail2ban_t:s0 0 dir write
>>>>>>>> system_u:object_r:etc_t:s0 denied
>>>>>>>>
>>>>>>>> Other than making all of /etc writable, anyone have any suggestions
>>>>>>>> how to fix this so that fail2ban & sed can do what they need to do?
>>>>>>>>
>>>>>>>>
>>>>>>>> thanks!
>>>>>>>> _______________________________________________
>>>>>>>> Linux-users mailing list
>>>>>>>> Linux-users at linux-sxs.org
>>>>>>>> http://mailman.celestial.com/mailman/listinfo/linux-users
>>>>> --
>>>>> Leon A. Goldstein
>>>>>
>>>>> HP G7
>>>>> Linux Mint 18.3
>>>>>
>>> --
>>> Leon A. Goldstein
>>>
>>> HP G7
>>> Linux Mint 18.3
>
-- 
Leon A Goldstein

System Fitlet
Linux Mint 20.0
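The denial quoted in this thread comes from `sed -i`, which writes its result to a new temporary file next to the target and then renames it over the original; that is why sed tries to set a file-creation context and needs `dir write` on `/etc`, and why `audit2allow` proposes the blanket `allow fail2ban_t etc_t:dir write;`. Matt's suggestion (3), a real temporary file, avoids the directory write entirely. The following POSIX sh function is an added example written for this page; it is not fail2ban's own action, not code from anyone in the thread, and it has not been tested against a specific SELinux policy. It assumes the scratch directory (`/var/tmp` by default, a constructed choice) is writable by the fail2ban domain, and that the domain is already allowed to write the existing `/etc/hosts.deny` file; only the directory-creation permission is sidestepped. Writing back through the existing inode with `cat` also keeps the file's original label, which `sed -i` would have had to recreate.

```shell
#!/bin/sh
# Added example (not from the thread): remove an "ALL: <ip>" line from a
# hosts.deny-style file without creating any new file in its directory.
# Assumptions: target defaults to /etc/hosts.deny; scratch defaults to
# /var/tmp (a constructed choice, any directory the caller may write to).
set -u

unban_hosts_deny() {
    ip=$1
    target=${2:-/etc/hosts.deny}
    scratch=${3:-/var/tmp}

    # Escape regex metacharacters in the address, as the fail2ban action in
    # the thread does, so "." cannot match an arbitrary character.
    esc=$(printf '%s' "$ip" | sed 's/[][\.]/\\&/g')

    # The temporary file lives in the scratch directory, not beside the target.
    tmp=$(mktemp "$scratch/hosts.deny.XXXXXX") || return 1

    # Plain sed (no -i) only reads the target; the edited copy goes to scratch.
    if ! sed "/^ALL: $esc\$/d" "$target" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Write back through the existing inode: this needs only file write on
    # the target, not dir write on /etc, and the file keeps its label.
    cat "$tmp" > "$target"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage when run directly, e.g. from a fail2ban actionunban line:
#   unban_hosts_deny "<ip>" /etc/hosts.deny /var/tmp
```

The fail2ban action would call `unban_hosts_deny "<ip>"` in place of the `sed -i` pipeline; if the scratch directory is also labelled so that the domain may not create files there, the same `dir write` denial will simply move, so pick a directory the policy already lets fail2ban write to.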


