Re: SELinux Attack!


On Sat, 2007-10-13 at 06:41 -0600, Karl Larsen wrote:
> Vinayak Mahadevan wrote:
> > On 10/13/07, Karl Larsen <k5di@xxxxxxxxxx> wrote:
> >   
> >>>       
> >>     I have had all those problems in the past years. But this problem
> >> yesterday was in fact caused by SELinux. I say that because different
> >> from your experience when I turned off SELinux all the problems went away.
> >>     
> >
> > let the machine  run for some days and then let us know your
> > experience with the machine.
> >
> > Vinayak
> >
> >   
>     So far so good. But I would like to know why SELinux did this. And 
> what do I need to do to make SELinux work on this machine? There seem 
> to be others that use it and it works without a problem.

Karl-

As I recall, you said earlier in the thread that you had disabled
SELinux for a while when you were experimenting with spinning a custom
distribution.  

SELinux checks the contexts of files (their SELinux security
information) to see if programs are violating their restrictions, but it
also updates the contexts when files are created and updated.  If you
turn SELinux off, file contexts stop getting updated.  When you turn it
back on, the files may suddenly not have contexts that allow their
applications to access them.  You'll see the things going wrong
in /var/log/messages (grep for AVC and look for "denied" messages) or
you'll get that star icon in your notification area when a program.  And
of course, the programs that use incorrectly labeled files will not
work.

You also said at some point that you followed instructions to relabel
your filesystem and things started to work.  That is exactly the
solution to the problems introduced by turning SELinux off.  So if you
turn SELinux back on and relabel one more time, you should be OK after
that (as long as you leave SELinux on).

Most people don't see (too many) SELinux problems because most people
don't ever turn it off.  So it maintains itself.

-- 
                Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
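
The check described in the message above (grep the log for AVC "denied" lines), extended into a small triage script. This is an added example, not part of the original thread; the sample log lines are constructed, and the function names `sample_log` and `avc_summary` are hypothetical. It groups denials by process and target type and flags targets typed `file_t` or `unlabeled_t`, which is what files created while SELinux was disabled typically carry.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials from a syslog-style file.

# Constructed sample input in the /var/log/messages AVC line format.
sample_log() {
cat <<'EOF'
Oct 13 06:12:01 host kernel: audit(1192277521.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Oct 13 06:12:02 host kernel: audit(1192277522.456:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" name="logo.png" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Oct 13 06:12:03 host kernel: eth0: link up
Oct 13 06:12:09 host kernel: audit(1192277529.789:47): avc:  denied  { write } for  pid=1801 comm="named" name="named.conf" dev=sda1 ino=22001 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# Reads log text on stdin; prints "count comm target_type tclass hint",
# most frequent first. Assumes comm values contain no spaces.
avc_summary() {
    grep 'avc:' | grep 'denied' | awk '
    {
        comm = "?"; ttype = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        }
        count[comm " " ttype " " tclass]++
    }
    END {
        for (k in count) {
            split(k, p, " ")
            # file_t / unlabeled_t: the object has no usable stored label,
            # the symptom of files created while SELinux was off.
            if (p[2] == "file_t" || p[2] == "unlabeled_t") hint = "unlabeled:relabel"
            else hint = "labeled:check-policy"
            print count[k], k, hint
        }
    }' | sort -k1,1nr -k2
}

# With a file argument, summarize that log; otherwise use the sample.
if [ $# -gt 0 ]; then avc_summary < "$1"; else sample_log | avc_summary; fi
```

Rows marked `unlabeled:relabel` should disappear after a full relabel; rows marked `labeled:check-policy` point at something other than missing labels.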