The most actively updated selinux package is selinux-policy. So you should be able to remove this without too many dependencies.
policycoreutils does have lots of packages that require it so getting rid of it will be a problem. libselinux is a core library which you can't remove. libsemanage and libsepol are required by policycoreutils.
So I would just remove selinux-policy-* and you should see far less updates.
That seemed to work. I also found I could remove the setroubleshoot stuff with no dependency issues. Any of the remaining packages seem to transitively drag in every other rpm on the system :-).
Thanks.
Tom Horsley wrote:
The most actively updated selinux package is selinux-policy. So you should be able to remove this without too many dependencies.
policycoreutils does have lots of packages that require it so getting rid of it will be a problem. libselinux is a core library which you can't remove. libsemanage and libsepol are required by policycoreutils.
So I would just remove selinux-policy-* and you should see far less updates.
That seemed to work. I also found I could remove the setroubleshoot stuff with no dependency issues. Any of the remaining packages seem to transitively drag in every other rpm on the system :-).
Thanks.
Have you tried running setroubleshoot with SELinux enabled or in permissive? I recently enabled it on my sandboxed server and the program made it fairly easy to get the system functioning as it should function. I noticed some actions which I did not want allowed also in the process. Though the server is sandboxed, my XP computer is exposed to a large group of users and the Internet access. If the XP computer ended up being "owned" the sandboxed server could be compromised. SELinux is now active on most computers since it is easier to diagnose problems, report misbehaving programs in a security sense.
Jim
Jim Cornette wrote:
[snip]
SELinux is now active on most computers since it is easier to diagnose problems, report misbehaving programs in a security sense.
What do you mean by "most computers"? "Most computers running FC6"?
It would be nice to address the original question, which is
For those of us who prefer not to install or run SELinux, how can we do that easily without leaving Fedora Core Project?
Mike
Mike McCarty wrote:
Jim Cornette wrote:
[snip]
SELinux is now active on most computers since it is easier to diagnose problems, report misbehaving programs in a security sense.
What do you mean by "most computers"? "Most computers running FC6"?
SELinux is not FC6 specific. It is part of the upstream kernel and it is default in versions of Fedora from FC3 onwards and default in RHEL from RHEL 4 onwards (and rebuilds). It is also available in Debian, Ubuntu, Gentoo etc.
It would be nice to address the original question, which is
For those of us who prefer not to install or run SELinux, how can we do that easily without leaving Fedora Core Project?
Not running SELinux is trivially easy and is in the SELinux FAQ. Removing most of the related packages has been answered in this thread.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
Jim Cornette wrote:
[snip]
SELinux is now active on most computers since it is easier to diagnose problems, report misbehaving programs in a security sense.
What do you mean by "most computers"? "Most computers running FC6"?
SELinux is not FC6 specific. It is part of the upstream kernel and it
Of course not. I didn't mean to imply that. Sorry if it seemed so.
[snip]
For those of us who prefer not to install or run SELinux, how can we do that easily without leaving Fedora Core Project?
Not running SELinux is trivially easy and is in the SELinux FAQ. Removing most of the related packages has been answered in this thread.
You didn't address what I interpret to be the initial question, which involves not having it installed at all.
Mike
Mike McCarty wrote:
You didn't address what I interpret to be the initial question, which involves not having it installed at all.
I did. I said in the other post not installing some libraries like libselinux is not possible currently like some of the core libraries like kerberos. They are very complicated to split out and has been deemed not worth the effort as the space savings are in a few kilobytes. BTW this has been discussed here several times.
Rahul
Rahul Sundaram wrote:
Mike McCarty wrote:
You didn't address what I interpret to be the initial question, which involves not having it installed at all.
I did. I said in the other post not installing some libraries like libselinux is not possible currently like some of the core libraries like kerberos.
[snip]
Ok, thanks.
Mike
On Thu, 28 Jun 2007 15:22:20 -0500 Mike McCarty Mike.McCarty@sbcglobal.net wrote:
For those of us who prefer not to install or run SELinux, how can we do that easily without leaving Fedora Core Project?
Just turn it off in the config tools. The rest of the SELinux stuff - the libraries and the like are tiny and are integrated with all the other tools so they can display things like SELinux labels.
Alan
Mike McCarty wrote:
Jim Cornette wrote:
[snip]
SELinux is now active on most computers since it is easier to diagnose problems, report misbehaving programs in a security sense.
What do you mean by "most computers"? "Most computers running FC6"?
I don't have any FC6 versions left. They are all up to F7. I don't have SELinux active on the development version.
It would be nice to address the original question, which is For those of us who prefer not to install or run SELinux, how can we do that easily without leaving Fedora Core Project?
If you do not use SELinux, you will not know whether it has improved in manageability and good default policies. I recently started using SELinux for F7 but before only set it to permissive.
It is better, so the best idea is to not fight so hard to remove it.
Earlier reasons why I only ran permissive instead of enforcing are below.
- It used to mess up package installation with errors in %pre and %post scriptlets.
- It was too much hassle to set up server programs because of it blocking intended operations.
Both problems seem to be squashed from at least frequency.
You can disable it and remove associated programs if you choose to. I thought it would be worth mentioning that one who did not find value with SELinux has converted to preferring SELinux because the SELinux Troubleshooter informs you of the problem along with good explanations and corrective actions to allow your system to work as you intend it to work.
Jim
Mike
On Thu, 28 Jun 2007 20:43:54 -0400 Jim Cornette fc-cornette@insight.rr.com wrote:
You can disable it and remove associated programs if you choose to. I thought it would be worth mentioning that one who did not find value with SELinux has converted to preferring SELinux because the SELinux Troubleshooter informs you of the problem along with good explanations and corrective actions to allow your system to work as you intend it to work.
Oh goody! Now it comes with a useful tool that explains exactly why it is being a pain in the ass :-).
It's not a pain at all if I disable it.
Tom Horsley wrote:
On Thu, 28 Jun 2007 20:43:54 -0400 Jim Cornette fc-cornette@insight.rr.com wrote:
You can disable it and remove associated programs if you choose to. I thought it would be worth mentioning that one who did not find value with SELinux has converted to preferring SELinux because the SELinux Troubleshooter informs you of the problem along with good explanations and corrective actions to allow your system to work as you intend it to work.
Oh goody! Now it comes with a useful tool that explains exactly why it is being a pain in the ass :-).
There are real and potential security issues that SELinux trouble shooter can inform and help fix. An example of a class of problems being exposed by SELinux is http://people.redhat.com/drepper/selinux-mem.html. Not being informed about those issues might be superficially better but it's false comfort.
It's not a pain at all if I disable it.
Sure. Firewall problems go away if you disable it too.
Rahul
Tom Horsley wrote:
On Thu, 28 Jun 2007 20:43:54 -0400 Jim Cornette fc-cornette@insight.rr.com wrote:
Hello all,
Here is why I used the excellent advice given earlier on this list and turned off selinux. It didn't hurt and took about 5 minutes because you must re-boot to make it work.
I turned it off because it does nothing good that I could tell, was a mess on my dmesg printout and others talked about real problems with it. I have not received a single virus and no-one ever got into my computer in 10 years without selinux. I have no need for insurance.
Karl
Karl Larsen wrote:
Here is why I used the excellent advice given earlier on this list and turned off selinux. It didn't hurt and took about 5 minutes because you must re-boot to make it work.
I turned it off because it does nothing good that I could tell, was a mess on my dmesg printout and others talked about real problems with it. I have not received a single virus and no-one ever got into my computer in 10 years without selinux. I have no need for insurance.
I've never been hit by a car either, but when the light turns green I still look both ways before crossing. I also don't stay out on the golf course when a thunderstorm is approaching even though I've never been hit by lightning.
The "It hasn't happened to me" argument never ceases to amaze me.
Yet, I must say that I'm happy some individuals choose to run selinux disabled rather than learn about it.
on 6/28/2007 6:50 PM, Ed Greshko wrote:
Karl Larsen wrote:
Here is why I used the excellent advice given earlier on this list and turned off selinux. It didn't hurt and took about 5 minutes because you must re-boot to make it work.
I turned it off because it does nothing good that I could tell, was a mess on my dmesg printout and others talked about real problems with it. I have not received a single virus and no-one ever got into my computer in 10 years without selinux. I have no need for insurance.
I've never been hit by a car either, but when the light turns green I still look both ways before crossing. I also don't stay out on the golf course when a thunderstorm is approaching even though I've never been hit by lightning.
The "It hasn't happened to me" argument never ceases to amaze me.
Yet, I must say that I'm happy some individuals choose to run selinux disabled rather than learn about it.
I always liked that argument too Ed. Almost as much as the "I always run as root" people. What could possibly go wrong? ;-)
on 6/28/2007 6:30 PM, Karl Larsen wrote:
Tom Horsley wrote:
On Thu, 28 Jun 2007 20:43:54 -0400 Jim Cornette fc-cornette@insight.rr.com wrote:
Hello all,
Here is why I used the excellent advice given earlier on this list and turned off selinux. It didn't hurt and took about 5 minutes because you must re-boot to make it work.
I turned it off because it does nothing good that I could tell, was a mess on my dmesg printout and others talked about real problems with it. I have not received a single virus and no-one ever got into my computer in 10 years without selinux. I have no need for insurance.
Karl
Just today you learned how to disable SELinux. And you started with FC when? It has been there a long time and you did not even know it? Observant of you.
David Boles wrote:
Just today you learned how to disable SELinux. And you started with FC when? It has been there a long time and you did not even know it? Observant of you.
It amazes me that someone who desires to exercise personal control over what gets installed and run on his own personal computer excites others to use sarcastic criticism. It's his machine. What do you care?
Mike
on 6/28/2007 7:22 PM, Mike McCarty wrote:
David Boles wrote:
Just today you learned how to disable SELinux. And you started with FC when? It has been there a long time and you did not even know it? Observant of you.
It amazes me that someone who desires to exercise personal control over what gets installed and run on his own personal computer excites others to use sarcastic criticism. It's his machine. What do you care?
Actually I do not care one little bit what he, Karl, does. Or what you do either for that matter.
And I am just an ordinary user. I have no control over what Fedora decides to provide, or to not provide, or how they do it. With a hardware firewall in place. With a software firewall in place. And with SELinux up and running. Problems? Sure. Once in a while. But I fix them. Or somebody does. But I do agree with what they offer and how they do it. If I did not I would move on. Me? I'm staying.
What He, or you, want to install, configure, or disable? That is up to you as far as going along with what Fedora offers. As for SELinux, or one of several other Hmm.. several different flavors of this type of protection? Get used to it. They - the other distros - have it too. So remember just how to disable it for the future. ;-)
Karl Larsen wrote:
Tom Horsley wrote:
On Thu, 28 Jun 2007 20:43:54 -0400 Jim Cornette fc-cornette@insight.rr.com wrote:
Hello all,
Here is why I used the excellent advice given earlier on this list and turned off selinux. It didn't hurt and took about 5 minutes because you must re-boot to make it work.
I turned it off because it does nothing good that I could tell, was a mess on my dmesg printout and others talked about real problems with it. I have not received a single virus and no-one ever got into my computer in 10 years without selinux. I have no need for insurance.
Karl
Maybe the intruders were merely covering their tracks better. I doubt that you had intrusions into your system. I don't think I had too many intrusions, though it is only because nothing seemed to be acting abnormally on my systems.
I did however read some Google searches from Italy where my name was a topic back in RHL 5.x days where firewalls and the like were less effective. I did not have a router and ipchains may or may not have been running. Sendmail was the topic.
More security measures that are configurable are alright with me. The insurance is welcome in my view.
Anyway, the issue is removing all SELinux packages or start a new distro or find another distribution where eradicating SELinux is a goal they desire.
Jim
On Thu, 2007-06-28 at 19:30 -0600, Karl Larsen wrote:
I turned it off because it does nothing good that I could tell, was a mess on my dmesg printout and others talked about real problems with it. I have not received a single virus and no-one ever got into my computer in 10 years without selinux. I have no need for insurance.
It's worth remembering that not all problems are "viruses". SELinux goes some way to protecting against external and local problems (hacks, badly written software, and users doing daft things, etc.).
Tom Horsley wrote:
On Thu, 28 Jun 2007 20:43:54 -0400 Jim Cornette fc-cornette@insight.rr.com wrote:
You can disable it and remove associated programs if you choose to. I thought it would be worth mentioning that one who did not find value with SELinux has converted to preferring SELinux because the SELinux Troubleshooter informs you of the problem along with good explanations and corrective actions to allow your system to work as you intend it to work.
Oh goody! Now it comes with a useful tool that explains exactly why it is being a pain in the ass :-).
It's not a pain at all if I disable it.
According to some, it consumes too much because of updates whether it is active or not. It does not matter to me whether people run with it enabled or not.
With the new user tools you can set it up easier and it no longer gets in the way for your intended operation. Other elements which do get by with conventional security programs like people trying to run elements under /proc are flagged and prevented.
Also, while I was addressing the need for adjustments to SELinux, I changed some aspects of other programs to make them more secure. (Limiting external users and whether they have a shell for the account)
Since I did not use SELinux in active mode prior to F7 substantially, it does not surprise me much that others still would find relatively easy adjustments to SELinux to still be a bother.
Maybe F8 will be automagic enough for you to use. (?)
Jim
Tom Horsley wrote:
On Thu, 28 Jun 2007 20:43:54 -0400 Jim Cornette fc-cornette@insight.rr.com wrote:
You can disable it and remove associated programs if you choose to. I thought it would be worth mentioning that one who did not find value with SELinux has converted to preferring SELinux because the SELinux Troubleshooter informs you of the problem along with good explanations and corrective actions to allow your system to work as you intend it to work.
Oh goody! Now it comes with a useful tool that explains exactly why it is being a pain in the ass :-).
It's not a pain at all if I disable it.
I just installed F7 on the weekend and ran into a few SELinux issues. The troubleshooter helped me greatly.
I will run SELinux on my home machines as it will help prevent my kids from doing nasty things to the computer, at least I hope so. :)
This is an interesting read and one point that seems to be, How do I remove all SELinux items.
I look at this from a different point. After trying it, I hate Evolution and I want to remove all traces of that but it is impossible. Too many dependencies. Removing SELinux and related dependencies is no different from removing any other application that the system is dependent on.
I bet if someone decided to go through the archives, they could come up with quite a large list of applications that have a dependency nightmare related to them.
If you cannot live with these dependencies, then the only option is to move to some system that allows micro configuration beyond what Redhat and others offer. I wouldn't be surprised to see SELinux in more and more distros in the future.
Robin Laing wrote:
I just installed F7 on the weekend and ran into a few SELinux issues. The troubleshooter helped me greatly.
That is great to know. I was pointing out that it was easier to setup system to system variables with the browser. I was not promoting SELinux as the greatest concept for security.
I will run SELinux on my home machines as it will help prevent my kids from doing nasty things to the computer, at least I hope so. :)
My father was explaining to me a problem he was having when trying to get my cousin from trashing a Windows computer. (Virus prone sites.) So the point is that some aspects that the kids do should be better prevented with the added security measure. Of course virus prevention is not a main concern, but having the computer "owned" because of hacker activity should be prevented.
This is an interesting read and one point that seems to be, How do I remove all SELinux items.
I look at this from a different point. After trying it, I hate Evolution and I want to remove all traces of that but it is impossible.
With yum it is. It wants to remove much of your system packages. If you use rpm directly, it is a much simpler result, evolution is removed.
[root@HP ~]# rpm -e evolution
[root@HP ~]# rpm -q evolution
package evolution is not installed
Jim
On Thu, 2007-07-05 at 00:09 -0400, Jim Cornette wrote:
Robin Laing wrote:
I look at this from a different point. After trying it, I hate Evolution and I want to remove all traces of that but it is impossible.
With yum it is. It wants to remove much of your system packages. If you use rpm directly, it is a much simpler result, evolution is removed.
[root@HP ~]# rpm -e evolution
[root@HP ~]# rpm -q evolution
package evolution is not installed
I don't see what's so hard about using yum to do this.
$ sudo yum remove evolution
Password:
Loading "changelog" plugin
Loading "installonlyn" plugin
Loading "presto" plugin
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package evolution.i386 0:2.10.2-3.fc7 set to be erased
--> Processing Dependency: libeshell.so.0 for package: evolution-connector
--> Processing Dependency: evolution for package: evolution-remove-duplicates
--> Processing Dependency: libeutil.so.0 for package: mail-notification-evolution-plugin
--> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package evolution-connector.i386 0:2.10.2-2.fc7 set to be erased
---> Package evolution.i386 0:2.10.2-3.fc7 set to be erased
---> Package evolution-remove-duplicates.i386 0:0.0.2-6.fc7 set to be erased
---> Package mail-notification-evolution-plugin.i386 0:4.0-2.fc7 set to be erased

Dependencies Resolved

=============================================================================
 Package                              Arch   Version        Repository   Size
=============================================================================
Removing:
 evolution                            i386   2.10.2-3.fc7   installed    59 M
Removing for dependencies:
 evolution-connector                  i386   2.10.2-2.fc7   installed    2.3 M
 evolution-remove-duplicates          i386   0.0.2-6.fc7    installed    25 k
 mail-notification-evolution-plugin   i386   4.0-2.fc7      installed    66 k

Transaction Summary
=============================================================================
Install 0 Package(s)
Update 0 Package(s)
Remove 4 Package(s)

Is this ok [y/N]: n
Exiting on user Command
Complete!
There are a couple of other hangers on, but they can be removed individually, except for evolution-data-server (which is no longer part of Evolution).