Re: How best get rid of SELinux?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2007-09-21 at 13:31 -0500, Mike McCarty wrote:
> Arthur Pemberton wrote:
> > 
> > I either run it (in targeted mode) or I don't - I do on servers, don't
> > on desktops/laptops
> 
> Then we are agreed on this point, at least: If SELinux has benefit,
> then it is still an installation dependent issue whether the
> cost outweighs the benefit, or vice versa. I have a desktop which
> has exactly one LAN connected machine, my firewall. The firewall
> on the WAN side is connected exactly to one machine, an ADSL modem.
> 
> It does not make sense to install and run software which one does
> not ever intend to use. Simply having it on the machine but disabled
> makes the machine potentially less secure, but gives no benefit.
> Even "disabled", it is present, and code is actively being executed,
> though I'm sure much less of it gets executed than otherwise.

The SELinux kernel code unhooks itself from the kernel code paths if you
use SELINUX=disabled in /etc/selinux/config (and never hooks at all if
you use selinux=0 in grub.conf).  So the kernel code is not actively
executed when disabled.

The userland code should be doing an is_selinux_enabled() check before
doing SELinux processing, and skipping it if disabled.  If not, then
that's a bug.

If you want to be able to remove the libraries (e.g. libselinux),
someone would need to rework the users of the libraries to use dlopen()
and friends to dynamically lookup the selinux symbols and fall back to
non-selinux behavior if not present rather than linking against
libselinux at build time.  Doable, but at a cost (in time to rework all
calling code, and in runtime for the dlopen).  If you want to make that
happen, patches that implement such changes are the best way...

-- 
Stephen Smalley
National Security Agency

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux