Re: How best get rid of SELinux?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Friday 21 September 2007, David Boles wrote:
>on 9/21/2007 12:34 AM, Gene Heskett wrote:
>> On Thursday 20 September 2007, David Boles wrote:
>>> on 9/20/2007 11:30 PM, Gene Heskett wrote:
>>> This way is, IMO, the crude way to do this. Turn SELinux off, if you
>>> chose to do so, in the SELinux configuration file.
>>> /etc/selinux/config
>>> change SELINUX=enforcing
>>> to SELINUX=disabled
>>> When you eventually update to a newer version of Fedora there will be
>>> better configuration GUIs available for you.
>> Rahul, Stephen Smalley and I went round and round over this several months
>> ago, and I frankly don't care what you put in whatever /etc/sysconfig
>> file, and there have been at least 3 named here in the last 72 hours, if
>> you really want to disable it AND use the machine for something other than
>> a training exercise in writing selinux rules from scratch, and figuring
>> out how to protect them from yum/smart update activities, you WILL use the
>> "crude" way because its the only one that actually works.
>> With this file in effect:
>> [root@coyote ~]# grep SELINUX /etc/sysconfig/*
>> /etc/sysconfig/selinux:# SELINUX= can take one of these three values:
>> /etc/sysconfig/selinux:SELINUX=disabled
>> /etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible
>> values are:
>> /etc/sysconfig/selinux:SELINUXTYPE=targeted
>> cups was denied access to my usb printer.
>> heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of
>> a usb-seriel adaptor.  It was also denied access to a regular serial port
>> when the cm11a was hooked up to one of the 2 very precious serial ports on
>> this box.
>> bulldog, the monitor for belkin ups's, was denied access to both the
>> serial port and the usb port to talk to the ups.
>> There were probably more noshows on this busy machine, but by then I was
>> ready to switch distro's to something that didn't cross-breed with
>> selinux.  Steven suggested I try the grub command I've quoted here, and
>> magically everything started working once I'd undone the configuration
>> messes I'd made trying to make it work when it had been working very well
>> for FC2.
>> So don't try and tell _me_ the above settings in /etc/sysconfig/selinux
>> should be all that's required.  That information has already been through
>> the bovine digestive tract once, and should be treated as such, chopped
>> up, and spread on a cornfield and plowed back in cuz that is all its good
>> for.
>> Worse yet, its being spewed by people who have a image of being
>> authoritative about it when by my personal testing, its an outright lie.
>> What the hell IS the agenda with selinux anyway?  Is it something M$
>> funded to make linux less appealing to the joe sixpack users?  Is it a
>> backdoor that NSA conned RedHat into adding?  I only know two things about
>> it for sure, and that's that it is a Pain In The Ass, and that the sample
>> grub command option selinux=0 works.
>Wow Gene. I did not mean to set you off. SELinux is designed to help *you*
>protect your Linux system from one of the major flaws in Windows.

And that flaw is (other than BG and his lawyers need to make a living)?

>unknown, bad, executables from doing strange things on your system without
>your permission or, at times, without your knowledge of it happening.

Cups isn't exactly something I'd call unknown, but just because it can't guess 
the fine points of driving an old C82 properly without my help in the 
configuration files makes it a bad-ass?

If I didn't want heyu running the exterior lights & logging some of the odd 
activities its sensors might record, would I have installed it?

>If you chose to turn this protection off that is most certainly your
>right. It is your system. If you don't feel that the protection is
>valuable then screw it.

I have a firewall that has so far been bulletproof.  Its called dd-wrt, run on 
an old scrap x86 box, booting busybox from a cf card, no drives in it & only 
2 fans.  I know enough about such things to know that someday, somebody will 
read the RFC's and figure out a way around it.  To have to put up with that 
bit of paranoia harassing me everytime the clock ticks until that time is 
asking too much of any user.  I built this box, and the 6 or 7 before it, to 
use, too do usefull things, and I want it to do usefull things, which it 
cannot even begin to do with selinux enabled in any capacity.

>But when that smiling hacker from somewhere finally finally decides that
>there are enough Linux users that think like Windows users he will write
>that program that will wipe out your milling program.

He'll have to get through that firewall for starters, then figure out which 
machine the milling program is running on.  But there are far more tasty 
targets here than a copy of emc-2.1.7 that I can download and re-install in 
15 minutes as long as the network is up.  Me and one of my kids who thinks he 
is a windows expert spent the better part of 2 hours on the phone one night a 
few months ago, each using the others actual ip address, and trying to figure 
out a way into the others box.  But first, you have to prove there is 
actually a box at that address, right?  He had the latest satan and something 
I never heard of and I had nmap, ping in both protocols and traceroute in 
both protocols, and neither of us could even get a response from the identd 
daemon, so effectively (and we tried 100% of the port range up to 65535) 
there was no computer to be attacked at that ip address, for either of us.  I 
had to admit he had that XP box locked up quite nicely.  And all that time, 
email was flowing at both ends of that 1200 mile circuit at full speed.

>Honest Gene. SELinux has never caused me a problem that a simple 'look 'n
>fix it' could not solve. It is work in progress and when you use older
>releases it can cause problems.

There should be, in the man-pages, a direct translation of the logged error to 
a command that would fix it.  There is not for 90% of the cases, and I rest 
my case.

Having come "hat in hand" with 20k of logfiles, and be told in no uncertain 
terms to take my problems to the selinux list sucks.  If redhat/fedora 
doesn't want to either write some docs that make sense, or support the crap 
they put in the distribution, then it gets its lifeline cut.  It really is 
that simple.

Oh, and in case anyone is interested, FC6 is not what I'd call "older" just 
yet, it still has some support although that seems to be drying up as F8 
approaches.  Older is me, I'll be 73 in 2 weeks.  The unfunny part is that 
the person whom I gave my red Chiefs chair to at the tv station 5 years ago, 
and now 50 years old, is laying in the shop right now waiting for a 
catherization session that will probably install some stents tomorrow.

>Have a good day.

I did actually.  I'm learning how to do cabinet joinery with hand cut mortise 
and tenons, building me a gun cabinet for the room I just got done 
remodeling.  I'm getting better as I go, but it still works up a sweat when 
doing it by hand with an antique wooden hammer and some Marples (rebranded 
Record) chisels. That will keep me out of the bars for at least a couple 
months by the time I get ready to put a 2 wheeler under it and take it to the 
house.  Ash frame parts, solid cherry paneling.  And I know where the trees 
that supplied the wood once stood.  There's a certain cachet to that which 
you'll never get dropping the card for something like that.

Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Mal: "Dear Buddha: please send me a pony, and a plastic rocket, and..."

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux