Re: How NSA access was built into Windows

On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
> On Friday 19 January 2007 07:40, Stephen Smalley wrote:
> >
> >Aside from rebuilding from source with selinux options disabled in the
> >compile-time configuration, you are correct - you cannot remove the
> >actual selinux bits from Fedora at runtime, although you can disable
> >their execution (boot with selinux=0).  Performing an audit of the code
> >associated with disabling SELinux at boot time isn't difficult, and
> >doesn't require understanding the rest of the SELinux code that is never
> >reached in that case.
> 
> I have removed it from the kernel, but those log messages I posted before 
> are still in the logwatch report this morning.

Do you mean the loginuid messages?  That isn't selinux, as I said - that
is audit-related.  You can remove pam_loginuid from your /etc/pam.d/*
configs.  You could file a bug against it or audit arguing that they
should check whether audit is enabled in the kernel and silently exit in
that case.

> I'm a bit less concerned with it now after all this discussion, but I 
> doubt if I'll bring it back in.  Why?  Well, so far, the instructions as 
> to how to recover the system once it's been disabled have not been good 
> enough to re-enable everything, so even if it's set permissive, my logs 
> will have many kilobytes a day saying that this or that was blocked.  My 
> nightly amanda run probably makes 50k of entries all by itself.
> 
> Those recovery instructions should be in a 'man selinux' but I don't 
> recall seeing them in there when I did look 2 weeks ago.  Were they, and 
> I can't read?

Do you mean how to relabel your filesystems?  That is mentioned there as
well as in the Fedora SELinux FAQ, and rc.sysinit should do it
automatically upon booting a selinux-enabled kernel after previously
running disabled.  Possibly it needs to run fixfiles with the -F flag to
force relabeling of even customizable contexts.  File bugs on the
appropriate packages (initscripts if it isn't working correctly,
libselinux for the man page).

-- 
Stephen Smalley
National Security Agency
