Re: How NSA access was built into Windows

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Jan 19, 2007, at 10:42 AM, Stephen Smalley wrote:

On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
On Friday 19 January 2007 07:40, Stephen Smalley wrote:

Aside from rebuilding from source with selinux options disabled in the
compile-time configuration, you are correct - you cannot remove the
actual selinux bits from Fedora at runtime, although you can disable
their execution (boot with selinux=0). Performing an audit of the code
associated with disabling SELinux at boot time isn't difficult, and
doesn't require understanding the rest of the SELinux code that is never
reached in that case.

I have removed it from the kernel, but those log messages I posted before
are still in the logwatch report this morning.

Do you mean the loginuid messages? That isn't selinux, as I said - that
is audit-related.  You can remove pam_loginuid from your /etc/pam.d/*
configs.  You could file a bug against it or audit arguing that they
should check whether audit is enabled in the kernel and silently exit in
that case.

I'm a bit less concerned with it now after all this discussion, but I
doubt if I'll bring it back in. Why? Well, so far, the instructions as to how to recover the system once its been disabled have not been good enough to re-enable everything, so even if its set permissive, my logs will have many kilobytes a day saying that this or that was blocked. My
nightly amanda run probably makes 50k of entries all by itself.

Those recovery instructions should be in a 'man selinux' but I don't
recall seeing them in there when I did look 2 weeks ago. Were they, and
I can't read?

Do you mean how to relabel your filesystems? That is mentioned there as
well as in the Fedora SELinux FAQ, and rc.sysinit should do it
automatically upon booting a selinux-enabled kernel after previously
running disabled. Possibly it needs to run fixfiles with the -F flag to
force relabeling of even customizable contexts.  File bugs on the
appropriate packages (initscripts if it isn't working correctly,
libselinux for the man page).

--
Stephen Smalley
National Security Agency

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux