12:29 p.m.
Message: 10
Date: Tue, 22 Jun 2004 09:07:12 -0400
From: Stephen Smalley <sds(a)epoch.ncsc.mil>
Subject: Re: FC2 Startup Errors
To: "Fedora SELinux support list for users &
developers."
<fedora-selinux-list(a)redhat.com>
Message-ID:
<1087909632.6237.26.camel(a)moss-spartans.epoch.ncsc.mil>
Content-Type: text/plain
On Tue, 2004-06-22 at 08:54, edwarner99(a)yahoo.com
wrote:
> I am getting these errors when I reboot FC2.
> I don't know what they mean. I have more, but this
is
> the jist of the errors.
>
> I can log in as a user, but I have root
privileges.
>
> audit(1087859536.934:0): avc: denied { getattr }
for
> pid=1 exe=/sbin/init path=/dev/initctl dev=hda2
> ino=73143 scontext=system_u:system_r:kernel_t
> tcontext=system_u:object_r:file_t tclass=fifo_file
<snip>
The audit message indicates that you are running
with SELinux enabled,
but have not labeled your filesystem. I'm not sure
what you mean by
your statement about root privileges. Do you want
SELinux to be
enabled? If so, then run fixfiles relabel to label
your filesystems.
If not, then edit /etc/sysconfig/selinux accordingly
to disable it.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
After I rebooted, I can run as a user with root
privileges. In the logs, it states there is an unknown
user -u.
I'm a little confused about selinux to begin with. I
have read the documents. I run a small lan, so do you
suggest I turn off selinux?
Thanks,
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail
1:05 p.m.
New subject: FC2 Startup Errors
On Tue, 2004-06-22 at 13:29, edwarner99(a)yahoo.com wrote:
After I rebooted, I can run as a user with root
privileges. In the logs, it states there is an unknown
user -u.
It is likely that SELinux is running in permissive mode, i.e. logging
denials as warnings but not actually preventing access.
/etc/sysconfig/selinux (or in rawhide, /etc/selinux/config) specifies
the initial state, and setenforce can be used to switch at runtime,
subject to access control once you are in enforcing mode. You don't
want to switch to enforcing mode without labeling your filesystems via
'fixfiles relabel' and rebooting.
I'm a little confused about selinux to begin with. I
have read the documents. I run a small lan, so do you
suggest I turn off selinux?
Did you read the Fedora SELinux FAQ?
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
I can't advise you either way. The paper available from
http://www.nsa.gov/selinux/papers/inevit-abs.cfm talks about why
mandatory access controls in the operating system (which is what SELinux
provides) are critical to system security.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
1:23 p.m.
New subject: FC2 Startup Errors
On Tue, 22 Jun 2004 10:29:22 PDT, edwarner99(a)yahoo.com said:
After I rebooted, I can run as a user with root
privileges. In the logs, it states there is an unknown
user -u.
A little hard to diagnose without seeing the actual error message(s)
in the logs, with a few lines of context before and after so we can
guess when it happens.
But a quick 'grep -e -u /etc/init.d/*' indicates the most likely culprit
is one of these 4 lines:
% grep -e 'id -u' /etc/init.d/*
/etc/init.d/identd:[ `id -u` -ne 0 ] && exit 1
/etc/init.d/irqbalance:[ `id -u` = 0 ] || exit 0
/etc/init.d/rawdevices: ID=`id -u`
/etc/init.d/xinetd:[ `id -u` = 0 ] || exit 1
(No, I don't know how /usr/bin/id gets confused into thinking -u is a userid
and not a flag, and I may be looking in the wrong place due to the lack
of any real information....)
I'm a little confused about selinux to begin with. I
have read the documents. I run a small lan, so do you
suggest I turn off selinux?
The proper question is: What is your threat model, and does SELinux do
anything to help with it?
It's possible you run a small lan, but have a security concern that SELinux can
help with. It's possible that you run a very large network, and don't have any
threats that SELinux can help with.
Basically, you have to decide whether you're worried about the sort of things
that SELinux stops (basically, it does damage containment - even if an attacker
gets full control of a process that's in one security context, they are limited
in what data in other contexts they can access, and what system operations they
can perform (for instance, if the program is in a security context that doesn't
include the permission to use the exec*() family of system calls, an exploit
that does the usual "exec() and get a /bin/sh" shellcode Just Won't Work).
Whether the added security is worth the added administration effort is
something you have to decide for yourself. Note however, that the more people
use it and report any problems, the faster it will become more transparent to
the sysadmin....
7245
days inactive
7245
days old
selinux@lists.fedoraproject.org
2 comments
3 participants
participants (3)
-
Ed Warner -
Stephen Smalley -
Valdis.Kletnieks@vt.edu