Message: 10 Date: Tue, 22 Jun 2004 09:07:12 -0400 From: Stephen Smalley sds@epoch.ncsc.mil Subject: Re: FC2 Startup Errors To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Message-ID:
1087909632.6237.26.camel@moss-spartans.epoch.ncsc.mil
Content-Type: text/plain
On Tue, 2004-06-22 at 08:54, edwarner99@yahoo.com wrote:
I am getting these errors when I reboot FC2. I don't know what they mean. I have more, but this
is
the jist of the errors.
I can log in as a user, but I have root
privileges.
audit(1087859536.934:0): avc: denied { getattr }
for
pid=1 exe=/sbin/init path=/dev/initctl dev=hda2 ino=73143 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=fifo_file
<snip>
The audit message indicates that you are running with SELinux enabled, but have not labeled your filesystem. I'm not sure what you mean by your statement about root privileges. Do you want SELinux to be enabled? If so, then run fixfiles relabel to label your filesystems. If not, then edit /etc/sysconfig/selinux accordingly to disable it.
-- Stephen Smalley sds@epoch.ncsc.mil National Security Agency
After I rebooted, I can run as a user with root privileges. In the logs, it states there is an unknown user -u.
I'm a little confused about selinux to begin with. I have read the documents. I run a small lan, so do you suggest I turn off selinux? Thanks,
__________________________________ Do you Yahoo!? New and Improved Yahoo! Mail - Send 10MB messages! http://promotions.yahoo.com/new_mail
On Tue, 2004-06-22 at 13:29, edwarner99@yahoo.com wrote:
After I rebooted, I can run as a user with root privileges. In the logs, it states there is an unknown user -u.
It is likely that SELinux is running in permissive mode, i.e. logging denials as warnings but not actually preventing access. /etc/sysconfig/selinux (or in rawhide, /etc/selinux/config) specifies the initial state, and setenforce can be used to switch at runtime, subject to access control once you are in enforcing mode. You don't want to switch to enforcing mode without labeling your filesystems via 'fixfiles relabel' and rebooting.
I'm a little confused about selinux to begin with. I have read the documents. I run a small lan, so do you suggest I turn off selinux?
Did you read the Fedora SELinux FAQ? http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/
I can't advise you either way. The paper available from http://www.nsa.gov/selinux/papers/inevit-abs.cfm talks about why mandatory access controls in the operating system (which is what SELinux provides) are critical to system security.
On Tue, 22 Jun 2004 10:29:22 PDT, edwarner99@yahoo.com said:
After I rebooted, I can run as a user with root privileges. In the logs, it states there is an unknown user -u.
A little hard to diagnose without seeing the actual error message(s) in the logs, with a few lines of context before and after so we can guess when it happens.
But a quick 'grep -e -u /etc/init.d/*' indicates the most likely culprit is one of these 4 lines:
% grep -e 'id -u' /etc/init.d/* /etc/init.d/identd:[ `id -u` -ne 0 ] && exit 1 /etc/init.d/irqbalance:[ `id -u` = 0 ] || exit 0 /etc/init.d/rawdevices: ID=`id -u` /etc/init.d/xinetd:[ `id -u` = 0 ] || exit 1
(No, I don't know how /usr/bin/id gets confused into thinking -u is a userid and not a flag, and I may be looking in the wrong place due to the lack of any real information....)
I'm a little confused about selinux to begin with. I have read the documents. I run a small lan, so do you suggest I turn off selinux?
The proper question is: What is your threat model, and does SELinux do anything to help with it?
It's possible you run a small lan, but have a security concern that SELinux can help with. It's possible that you run a very large network, and don't have any threats that SELinux can help with.
Basically, you have to decide whether you're worried about the sort of things that SELinux stops (basically, it does damage containment - even if an attacker gets full control of a process that's in one security context, they are limited in what data in other contexts they can access, and what system operations they can perform (for instance, if the program is in a security context that doesn't include the permission to use the exec*() family of system calls, an exploit that does the usual "exec() and get a /bin/sh" shellcode Just Won't Work).
Whether the added security is worth the added administration effort is something you have to decide for yourself. Note however, that the more people use it and report any problems, the faster it will become more transparent to the sysadmin....
selinux@lists.fedoraproject.org