On Jan 19, 2007, at 10:42 AM, Stephen Smalley wrote:
On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
On Friday 19 January 2007 07:40, Stephen Smalley wrote:
Aside from rebuilding from source with selinux options disabled
in the
compile-time configuration, you are correct - you cannot remove the
actual selinux bits from Fedora at runtime, although you can disable
their execution (boot with selinux=0). Performing an audit of
the code
associated with disabling SELinux at boot time isn't difficult, and
doesn't require understanding the rest of the SELinux code that
is never
reached in that case.
I have removed it from the kernel, but those log messages I posted
before
are still in the logwatch report this morning.
Do you mean the loginuid messages? That isn't selinux, as I said -
that
is audit-related. You can remove pam_loginuid from your /etc/pam.d/*
configs. You could file a bug against it or audit arguing that they
should check whether audit is enabled in the kernel and silently
exit in
that case.
I'm a bit less concerned with it now after all this discussion, but I
doubt if I'll bring it back in. Why? Well, so far, the
instructions as
to how to recover the system once its been disabled have not been
good
enough to re-enable everything, so even if its set permissive, my
logs
will have many kilobytes a day saying that this or that was
blocked. My
nightly amanda run probably makes 50k of entries all by itself.
Those recovery instructions should be in a 'man selinux' but I don't
recall seeing them in there when I did look 2 weeks ago. Were
they, and
I can't read?
Do you mean how to relabel your filesystems? That is mentioned
there as
well as in the Fedora SELinux FAQ, and rc.sysinit should do it
automatically upon booting a selinux-enabled kernel after previously
running disabled. Possibly it needs to run fixfiles with the -F
flag to
force relabeling of even customizable contexts. File bugs on the
appropriate packages (initscripts if it isn't working correctly,
libselinux for the man page).
--
Stephen Smalley
National Security Agency
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
