Re: How NSA access was built into Windows

On Jan 19, 2007, at 10:42 AM, Stephen Smalley wrote:

> On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
> > On Friday 19 January 2007 07:40, Stephen Smalley wrote:
> >
> > > Aside from rebuilding from source with selinux options disabled in the
> > > compile-time configuration, you are correct - you cannot remove the
> > > actual selinux bits from Fedora at runtime, although you can disable
> > > their execution (boot with selinux=0). Performing an audit of the code
> > > associated with disabling SELinux at boot time isn't difficult, and
> > > doesn't require understanding the rest of the SELinux code that is never
> > > reached in that case.
> >
> > I have removed it from the kernel, but those log messages I posted before
> > are still in the logwatch report this morning.
>
> Do you mean the loginuid messages? That isn't selinux, as I said - that
> is audit-related. You can remove pam_loginuid from your /etc/pam.d/*
> configs. You could file a bug against it or audit arguing that they
> should check whether audit is enabled in the kernel and silently exit in
> that case.
>
> > I'm a bit less concerned with it now after all this discussion, but I
> > doubt if I'll bring it back in. Why? Well, so far, the instructions as to
> > how to recover the system once it's been disabled have not been good
> > enough to re-enable everything, so even if it's set permissive, my logs
> > will have many kilobytes a day saying that this or that was blocked. My
> > nightly amanda run probably makes 50k of entries all by itself.
> >
> > Those recovery instructions should be in a 'man selinux' but I don't
> > recall seeing them in there when I did look 2 weeks ago. Were they, and
> > I can't read?
>
> Do you mean how to relabel your filesystems? That is mentioned there as
> well as in the Fedora SELinux FAQ, and rc.sysinit should do it
> automatically upon booting a selinux-enabled kernel after previously
> running disabled. Possibly it needs to run fixfiles with the -F flag to
> force relabeling of even customizable contexts. File bugs on the
> appropriate packages (initscripts if it isn't working correctly,
> libselinux for the man page).
>
> --
> Stephen Smalley
> National Security Agency

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
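The two host checks the thread turns on, as an added shell example that is not code from any participant: which pam.d files still load pam_loginuid (the source of the loginuid log entries Gene is seeing, which is audit-related rather than SELinux), and whether the kernel command line carries selinux=0. The pam.d directory it works on is constructed inline; the function names and the --demo flag are this example's own, not a Fedora tool.

```shell
#!/bin/sh
# Added example, not code from the thread. Point the functions at /etc/pam.d
# and /proc/cmdline to inspect a real host; the sample directory built by
# make_sample_pamd is constructed here for illustration only.

# List files under directory $1 whose active (uncommented) session lines load
# pam_loginuid.so. Commented-out entries are ignored.
find_loginuid_users() {
    grep -l -E '^[[:space:]]*session[[:space:]].*pam_loginuid\.so' "$1"/* 2>/dev/null || true
}

# Comment out every active pam_loginuid line in the files under $1, writing
# through a temp file so a half-written config is never left behind.
disable_loginuid() {
    for f in $(find_loginuid_users "$1"); do
        sed -E 's/^([[:space:]]*session[[:space:]].*pam_loginuid\.so)/#\1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Report whether kernel cmdline string $1 carries the selinux=0 boot option
# (the runtime disable discussed above, as opposed to removing it from the build).
selinux_cmdline_state() {
    case " $1 " in
        *" selinux=0 "*) echo disabled ;;
        *) echo enabled ;;
    esac
}

# Build a constructed pam.d directory with one active and one commented entry;
# prints the directory path.
make_sample_pamd() {
    d=$(mktemp -d)
    printf '%s\n' 'auth     required  pam_unix.so' \
                  'session  required  pam_loginuid.so' > "$d/sshd"
    printf '%s\n' 'auth     required  pam_unix.so' \
                  '#session required  pam_loginuid.so' > "$d/login"
    echo "$d"
}

# Walk-through on the constructed directory, plus the real kernel cmdline if readable.
demo() {
    d=$(make_sample_pamd)
    echo "files loading pam_loginuid:"; find_loginuid_users "$d"
    disable_loginuid "$d"
    echo "after disabling:"; find_loginuid_users "$d"
    echo "kernel cmdline says selinux is: $(selinux_cmdline_state "$(cat /proc/cmdline 2>/dev/null)")"
    rm -rf "$d"
}

case "${1:-}" in --demo) demo ;; esac
```

Run it with `sh check_loginuid.sh --demo` to see the walk-through; on a real system, `find_loginuid_users /etc/pam.d` reports the files to edit, and `selinux_cmdline_state "$(cat /proc/cmdline)"` shows whether the selinux=0 boot option is in effect. Note that `selinux_cmdline_state` only reads the boot option; it says nothing about whether a relabel has run since SELinux was last enabled.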
