Security Enhanced Linux Kernel? Eh? What's going on here? O.o!

55 respuestas [Último envío]
CentaurX00
Desconectado/a
se unió: 06/17/2015

https://en.wikipedia.org/wiki/Security-Enhanced_Linux

Wow. I'm just SHOCKED!

Why was it released under GPL and no one has stopped them from re-licensing it?

CentaurX00
Desconectado/a
se unió: 06/17/2015

And why is it on Trisquel? http://packages.trisquel.info/uk/taranis/libselinux1

GOSH!

davidnotcoulthard (no verificado)
davidnotcoulthard

Wikipedia it's a Linux kernel security module, not a kernel.

And what do you mean by "no one has stopped them from re-licensing it?"? What relicensing?

CentaurX00
Desconectado/a
se unió: 06/17/2015

Well, I mean. If it has been provided by the NSA, and it licensed under GPL... it should have been changed a while ago.

Is there anyway to disable or change it?
I know, it's free software, nonetheless, I'm not a programmer, so I cannot look into the source code myself and check if there is any backdoor. (I don't intend being paranoid)

I just want to avoid it, you know... :(

SELINUX.png
davidnotcoulthard (no verificado)
davidnotcoulthard

"If it has been provided by the NSA, and it licensed under GPL... it should have been changed a while ago."

What do you mean by that?

CentaurX00
Desconectado/a
se unió: 06/17/2015

Well, I meant that if it had a malicious feature, it shouldn't have been licensed under GPL. Nonetheless, by reading other comments I'm more relieved to the fact that no one has found anything about it... but we should be aware...

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

If SELinux had malware, it would be certainly known. Thanks to its GNU GPL license (SELinux's has never been relicensed). Anyone has the freedom to study SELinux's source code. You cannot directly do so because you are not a programmer. But other users do (starting with all Linux hackers who show interest in security). Moreover, the code coming from the NSA certainly is more studied than any other code.

moxalt
Desconectado/a
se unió: 06/19/2015

Trust me- you're not the first to have ever been concerned about
SELinux. People have had a look at it before, and there really is
nothing to worry about. If there was (since it's GPL) there would have
been an uproar, and it would have been modified or rejected by the
GNU/Linux community.

Sure, it comes from the NSA. But it's also under the GPL. There is
nothing to fear.

CentaurX00
Desconectado/a
se unió: 06/17/2015

Just to be sure, before it gets to my repos, was there someone reviewing it before adding it to the repositories?

davidnotcoulthard (no verificado)
davidnotcoulthard

Guys from Ubuntu and Debian, yes (and if, IF you don't trust any of those guys then why trust the rest of Trisquel's repos?).

CentaurX00
Desconectado/a
se unió: 06/17/2015

The difference is that the guys from Debian and Ubuntu (mainly) are not as concerned as the guys from Trisquel are regarding privacy.

marioxcc
Desconectado/a
se unió: 08/13/2014

But no distribution audits all of the software it bundles (and even if they did, it is likely that several vulnerabilities go undetected); in specific, Ubuntu and Debian don't. For discovering vulnerabilities distributions mostly rely on public discoveries. Debian mentions the name of the discoverer of vulnerabilities in announces in the read only mailing list “name at domain”.

In one occasion, Debian introduced a vulnerability, possibly accidentally, it was discovered and fixed. There have been vulnerabilities which have remained undiscovered for years like CVE-2014-6271 (use a search engine for more information).

moxalt
Desconectado/a
se unió: 06/19/2015

Indeed. But what's even more alarming, is the presence of (gasp) Emacs!
Let's put on our tinfoil hats guys- who reviewed that before it got put
in the repos? Or- gosh- KDE? or linux-firmware? or GNOME? or
libreoffice? or nano? Or (I tremble at the name) sl!

Perhaps behind its seemingly innocent ASCII art facade, there lies a
vile plot to destroy our entire planet, daresay our entire universe!
Didn't see that one coming, did'ya?

--

SELinux is old. It is under the GPL. It's not that big. It has been
examined. It is OK. Stop worrying.

And would you please stop ending every post with that annoying ominous
ellipsis of yours?

CentaurX00
Desconectado/a
se unió: 06/17/2015

I beg your pardon, what do you mean by "ominous ellipsis"?

Did I say something offensive or disgusting? (I never intended that, if so, my apologies...)

By the way, I'm not a native English speaker, so sometimes I may sound foreign, but could you dig deeper into that, I'm curious about what I said...

onpon4
Desconectado/a
se unió: 05/30/2012

An ellipsis is three dots: "..." (or, more correctly, ". . .", but pretty much no one does that).

JadedCtrl
Desconectado/a
se unió: 08/11/2014

You used a few ellipses (...), which are commonly pretty ominous.

"The difference is that the guys from Debian and Ubuntu (mainly) are not as concerned as the guys from Trisquel are regarding privacy."

The Debian project as a whole is pretty big on privacy, security, and software freedom-- as much as Trisquel is, I'd say.
Just because the module was written by the NSA doesn't mean it's malicious. The module's been pretty much eyed by many people, so you've nothing to worry about.

Oh, and is that Lelouch I see? Er... Zero?

SuperTramp83

I am a translator!

Desconectado/a
se unió: 10/31/2014

The Debian project as a whole is pretty big on privacy, security, and software freedom-- as much as Trisquel is, I'd say.
Just because the module was written by the NSA doesn't mean it's malicious. The module's been pretty much eyed by many people, so you've nothing to worry about.

well said girl!

danieru
Desconectado/a
se unió: 01/06/2013

I get why you're worry with just seeing "NSA", but I can't understand what's the concern with the GPL license. Nice desktop by the way.

CentaurX00
Desconectado/a
se unió: 06/17/2015

Oh, if the NSA had added any malicious feature that we are not aware of, it must have been licensed differently. Well, at least because it's licensed under GPL the programmers can look into the source code.

Oh, by the way, thank you! :)
I'm using Blag 200k Alpha with MATE environment.

Desktop.png
danieru
Desconectado/a
se unió: 01/06/2013

As far as I know, the GPL doesn't say anything about malicious features inside the software. Richard Stallman say that malicious features, killing people with software, etc.. Don't have be regulated by licenses as copyright isn't for that, the rest of the law is for that.

davidnotcoulthard (no verificado)
davidnotcoulthard

It's by the NSA but it's free software and I expect kernel developers and/or the FSF to have checked if it's dangerous. In all fairness we can'tbe 100% sure, but........

CentaurX00
Desconectado/a
se unió: 06/17/2015

Yeah, I've been doing a little research, and it seems that everybody is saying:

"It's licensed under GPL, we should be safe" and "You can look into the source code"

But so far, nobody was reviewing it... I think we're not being so cautious...

davidnotcoulthard (no verificado)
davidnotcoulthard

Yeah but one can say that about everything, from SysVinit to IceCat to GNU Emacs to Vim to Linux-libre to GNU Hurd to Drupal to OpenOffice.

onpon4
Desconectado/a
se unió: 05/30/2012

Please consider that when Unity started doing something malicious (automatically sending search queries to Canonical's servers), it was very quickly discovered. I don't think anyone's made a fixed fork of Unity, but that's more because of a lack of interest in Unity than anything (the only major party particularly interested in Unity is its developer, Canonical).

SELinux is old. I was in Kindergarten at the time. If it was malicious, it would have been discovered long ago. Malicious features simply do not thrive in libre software.

CentaurX00
Desconectado/a
se unió: 06/17/2015

Has it been fixed? Or do they continue doing that?

lembas
Desconectado/a
se unió: 05/13/2010

They're still at it. https://fixubuntu.com/

CentaurX00
Desconectado/a
se unió: 06/17/2015
SuperTramp83

I am a translator!

Desconectado/a
se unió: 10/31/2014

Someone said Unnunntu Kylin?
http://www.ubuntu.com/download/ubuntu-kylin

An OS made for Chinese people and very welcomed by one of the greatest dictatorships of the entire stupid World..
I wouldn't trust Ubunnuntu on anything. But then again, I am paranoid and that is just my thought..

davidnotcoulthard (no verificado)
davidnotcoulthard

Compared to which American (and probably European) surveillance doesn't really pale, if at all, so..........

HuangLao
Desconectado/a
se unió: 01/19/2014

It is very naive to think that "Malicious features simply do not thrive in libre software."

More difficult, perhaps, impossible, not by the least. There are many vulnerabilities in any given software. And yes, Libre, open source software can be created with the explicit intention to create holes (bugs). An example is the prior OpenSSH debacle, this only affected systems that ran SELinux, if you did not have it installed or enabled then your system was fine. Interesting that a system designed to make your OS more secure created a major hole that was wide open!

SELinux is what made OpenSSH insecure! Similar concerns have been raised with systemd.

http://www.juniper.net/security/auto/vulnerabilities/vuln30276.html

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

That makes one more lie. Who keeps the count? Maybe five or six within a week? Here is the bottom line on this vulnerability (which ended up not being one):

Upon investigating this issue, the Red Hat Security Response Team has determined that this is not a vulnerability. The ability to specify a desired role when connecting to OpenSSH is a feature of how OpenSSH interacts with SELinux. Users can only assign themselves SELinux roles which they have permission to access. They cannot assign themselves arbitrary roles.
http://www.cvedetails.com/cve/CVE-2008-3234/

Even if there was a real vulnerability, it would be an OpenSSH's bug (introduced by its developers), not a SELinux's bug. And, of course, one would expect some evidence that it was "created with the explicit intention to create holes". Anyway, it was not even a vulnerability.

What about the "similar concerns [that] have been raised with systemd"? Well, let us see if HuangLao gives us any reference. Since he usually does not give any (or only gives random ones that do not prove anything), I do not hold my breath.

HuangLao
Desconectado/a
se unió: 01/19/2014

SELinux and RedHats connections to the US gov./spy agencies is the main reason why SUSE/openSUSE created AppArmor, (Immunix actually). You also have Tomoyo as another alternative and grsec-kernel if you really want security.

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

SELinux and RedHats connections to the US gov./spy agencies is the main reason why SUSE/openSUSE created AppArmor, (Immunix actually).

Is it another lie? Or do you have a reference (other than discussion on a forum) this time?

HuangLao
Desconectado/a
se unió: 01/19/2014

For starters, the official SELinux handbook is hosted by and maintained by the NSA. Also, note the above post in response to onpon, regarding the OpenSSH debacle being created by SELinux.

Systems that did not have it installed or enabled were fine.

SUSE/openSUSE are very popular in Europe and Asia, in part because those countries do not trust software that is so tightly connected with the US government in general, and NSA in particular.

Same reason why they prefer KDE, because of RedHats connections with Gnome. Again, not anything new to most in the *nix field.

tomlukeywood
Desconectado/a
se unió: 12/05/2014

"Or do you have a reference (other than discussion on a forum) this time?"

not sure you entirely answered the above question
do you have a reference for why you think redhat are linked to the us government spy agency's

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

not sure you entirely answered the above question

I am sure he did not.

HuangLao
Desconectado/a
se unió: 01/19/2014

look down a little lower Magic...I forgot to reply directly to his post.

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

SUSE/openSUSE are very popular in Europe and Asia, in part because those countries do not trust software that is so tightly connected with the US government in general, and NSA in particular.

You know that Novell (the company behind SUSE and openSUSE) is Microsoft's number 1 partner in the GNU/Linux world, right? Here is a reference: http://news.cnet.com/Microsoft+makes+Linux+pact+with+Novell/2100-1016_3-6132119.html

And, you know that Microsoft has been setting up backdoors for the NSA since at least Windows NT 4: https://en.wikipedia.org/wiki/NSAKEY

The German government still believe the NSA has a backdoor in Windows 8: http://www.technobuffalo.com/2013/08/22/nsa-windows-8-exploit/

If it promotes SUSE and openSUSE, it is because those GNU/Linux distributions are German. Not for some crazy conspiracy reasons.

HuangLao
Desconectado/a
se unió: 01/19/2014

LOL, where do you get your outdated info.

The Microsoft settlement is one of the oldest sticks and exaggerations one could throw. It was a lawsuit settlement between Novell and Microsoft over patents.

NEWSBREAK.... Novell no longer owns SUSE and they never owned openSUSE. Micro Focus International is the new owner of SUSE, and the first thing they did was give SUSE autonomy, in other words, SUSE can do their own thing make their own decisions and it is not based on Micro Focus. Also, frees them up from the Novell settlement with Microsoft. Microsoft never owned SUSE anyway that is funny.

Good try Magic, would expect better from you though.

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

LOL, where do you get your outdated info.

On SUSE's current website: https://www.suse.com/partners/alliance-partners/microsoft/
On Microsoft's side too: http://blogs.technet.com/b/openness/archive/2014/05/01/microsoft-suse-alliance-linux-windows-interoperability-.aspx

You will learn with the second link that the current agreement is valid through 2016 and that it is far more than a patent deal:
Since 2006, the Microsoft-SUSE alliance has helped more than 1,000 customers benefit from joint efforts to improve interoperability and support between Windows and Linux. We extended this agreement through 2016 and remain committed to working in tandem on solutions that help our customers manage critical workloads in mixed-source environments.

Novell (...) never owned openSUSE.

Novell created openSUSE after purchasing SuSE Linux AG for US$210 million on 4 November 2003.
https://en.wikipedia.org/wiki/OpenSUSE

Anyway, I do not care about openSUSE. At all. This GNU/Linux distribution is full of proprietary software.

HuangLao
Desconectado/a
se unió: 01/19/2014

Oh, this just keeps getting funnier.

The partnership as a part of the settlement over patents and only patents (again why GPL is a great creation, it avoids this nonsense), anyway, also had SUSE create their system so it can operate within companies that are mainly Microsoft oriented (ie: most companies) and the SUSE OS (SLES) would be able to work with the other systems flawlessly.

But to say that SUSE or openSUSE is a Microsoft product is just laughable. Their OBS (open build service) is the largest repository for free software in the world (120,000 packages), With their OBS you can build programs for Debian, Fedora, CentOS, Slackware...etc..., I would say that is a pretty darn good commitment to open source.
https://en.opensuse.org/openSUSE:Why_openSUSE

Again, the settlement was not between SUSE and Microsoft it was between Novell and Microsoft. And yes, I do think they (Novell) copped out and caved in to the pressure, which RedHat did not, so cudos to them for that. openSUSE is community driven like Fedora, but even more open and autonomy then Fedora.

Agreed, this is not the place to discuss that distro. in any detail, but wanted to clarify your points.

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

But to say that SUSE or openSUSE is a Microsoft product is just laughable.

I never said that. Ever.

Again, the settlement was not between SUSE and Microsoft it was between Novell and Microsoft.

I never talked about a settlement. I talk about the current partnership between SUSE and Microsoft. And I gave you two references on both sides of the partnership.

HuangLao
Desconectado/a
se unió: 01/19/2014

funny, for what part?

HuangLao
Desconectado/a
se unió: 01/19/2014

This is/was the Chairman of the Board
https://en.wikipedia.org/wiki/Hugh_Shelton
Interesting choice for a technology company, no.

http://cdn.atechnologyjobisnoexcuse.com/files/2012/02/sandia-20120206.pdf

http://gcn.com/Articles/2005/01/21/Red-Hat-pushes-for-Linux-in-federal-market.aspx

They are mainly a gov. company now, most of their contracts are US gov. contracts. Even USPS uses SUSE/openSUSE apparently out of privacy concerns for its customers. International Stock exchanges, and many European and Asian companies and Governments use SUSE/openSUSE, because RedHat is seen as being "in bed with" the US Gov.

More links are available if needed, or you can use DuckDuck, the info. is not hidden.

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

They are mainly a gov. company now, most of their contracts are US gov. contracts.

One new lie. The article you reference tells:
Despite the new federal division, and roughly 50 Red Hat employees and contractors focused on government, agencies must still proceed cautiously when considering a Linux migration.

Red Hat has "approximately 7,500 employees worldwide": http://investors.redhat.com/faq.cfm

That makes about half a percent of Red Hat's workforce that is "focused on government". Microsoft dominates the US public market. Unfortunately.

Anyway, even if the US government was Red Hat's first customer, Red Hat's software is free software. With freedom 1 "to study how the program works" ("and change it so it does your computing as you wish"). Show us the malware.

Even USPS uses SUSE/openSUSE apparently out of privacy concerns for its customers. International Stock exchanges, and many European and Asian companies and Governments use SUSE/openSUSE, because RedHat is seen as being "in bed with" the US Gov.

References needed.

More links are available if needed, or you can use DuckDuck, the info. is not hidden.

Again: I have better things to do.

HuangLao
Desconectado/a
se unió: 01/19/2014

http://gcn.com/articles/2009/07/13/update2-usps-open-source-product-tracking-system.aspx

Let me know, if you want more, I can find them...I usually bookmark things like this. If not, thats fine...

Enjoying the debate, as it helps to make *nix even stronger,even if only a little bit each time. :)

Magic Banana

I am a member!

Desconectado/a
se unió: 07/24/2010

http://gcn.com/articles/2009/07/13/update2-usps-open-source-product-tracking-system.aspx

This article is about interoperability between SUSE and the proprietary Solaris OS, porting COBOL programs, and cutting costs. There is not a single line on "privacy concerns for its customers" or on "RedHat being in bed with the US Gov".

Enjoying the debate, as it helps to make *nix even stronger,even if only a little bit each time.

By citing random references, telling lies and propagating conspiracy theories? In my opinion, if something goes stronger, it is how foolish you look.

onpon4
Desconectado/a
se unió: 05/30/2012

Hey, remember just yesterday when I, not taking you at all seriously, hastily replied to you based on a quick glance at what you said, and turned out to be wrong?

This is not debate. You're spewing out so much bullshit so frequently that most sane people are just going to ignore what you say. I'm not going to accuse you of intentionally causing this to make people who don't share your views look bad, but I will say that if you truly want an intelligent debate as you claim, you're doing it completely wrongly.

HuangLao
Desconectado/a
se unió: 01/19/2014

Well, all I can say to both of you is, wow!

As the old saying goes...you can take a horse to water but you can't make it drink...unless of course its cool-aid, and then its obvious when people drink that.

Anyway, it was enjoyable, and perhaps others will read up on it, and learn as well.

SuperTramp83

I am a translator!

Desconectado/a
se unió: 10/31/2014

nah..

Mampir
Desconectado/a
se unió: 12/16/2009

HuangLao, I don't feel I can learn anything all from your numerous "debates". It seems like all of your arguments are always based on speculations and aren't backed by any evidence. When you provide references they typically have little to do with your claims, are just some discussion between some random people or sometimes even oppose your claims.

I think all of your disputes mainly contribute to misinformation, as most people can be bother to check for the facts you aren't providing. All this mainly serves as FUD, even if that's not your intention.

I would still love to see a statement by the developers of AppArmor, where they say they made AppArmor because there are US government/spy agencies behind the SELinux project. This seems very interesting to me, but unfortunately I doubt there's such statement and it's much more likely it's your own explanation for things, only based on broad speculations.

About conspiracies

I find it really annoying that "conspiracy" nowadays is primarily associated with this kind of debates, where everything is speculated and no one is bothered to do any real research and provide any concrete evidence to support or refute claims. Debates where everything is just speculations based on references by to other speculations - numerous speculations stacked upon each other.

You shouldn't use "conspiracy" or "conspiracy theory" when you just want to say that someone isn't providing any evidence.

There are real conspiracies in the world, between companies, governments and others, and it's hardly surprising too if you think about it. But when "conspiracy" is associated primarily with this kind of debates, it starts imply that all conspiracies are made up, so people start to believe that such things just never happen.