On Tue, 22 Jun 2004 10:29:22 PDT, edwarner99@xxxxxxxxx said:

> After I rebooted, I can run as a user with root
> privileges. In the logs, it states there is an unknown
> user -u.

A little hard to diagnose without seeing the actual error message(s) in the logs, with a few lines of context before and after so we can guess when it happens. But a quick 'grep -e -u /etc/init.d/*' indicates the most likely culprit is one of these 4 lines:

% grep -e 'id -u' /etc/init.d/*
/etc/init.d/identd:[ `id -u` -ne 0 ] && exit 1
/etc/init.d/irqbalance:[ `id -u` = 0 ] || exit 0
/etc/init.d/rawdevices: ID=`id -u`
/etc/init.d/xinetd:[ `id -u` = 0 ] || exit 1

(No, I don't know how /usr/bin/id gets confused into thinking -u is a userid and not a flag, and I may be looking in the wrong place due to the lack of any real information....)

> I'm a little confused about selinux to begin with. I
> have read the documents. I run a small lan, so do you
> suggest I turn off selinux?

The proper question is: What is your threat model, and does SELinux do anything to help with it?

It's possible you run a small lan, but have a security concern that SELinux can help with. It's possible that you run a very large network, and don't have any threats that SELinux can help with.

Basically, you have to decide whether you're worried about the sort of things that SELinux stops (basically, it does damage containment - even if an attacker gets full control of a process that's in one security context, they are limited in what data in other contexts they can access, and what system operations they can perform (for instance, if the program is in a security context that doesn't include the permission to use the exec*() family of system calls, an exploit that does the usual "exec() and get a /bin/sh" shellcode Just Won't Work)). Whether the added security is worth the added administration effort is something you have to decide for yourself.

Note however, that the more people use it and report any problems, the faster it will become more transparent to the sysadmin....