How NSA access was built into Windows
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 19 15:42:44 UTC 2007
On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
> On Friday 19 January 2007 07:40, Stephen Smalley wrote:
> >
> >Aside from rebuilding from source with selinux options disabled in the
> >compile-time configuration, you are correct - you cannot remove the
> >actual selinux bits from Fedora at runtime, although you can disable
> >their execution (boot with selinux=0). Performing an audit of the code
> >associated with disabling SELinux at boot time isn't difficult, and
> >doesn't require understanding the rest of the SELinux code that is never
> >reached in that case.
>
> I have removed it from the kernel, but those log messages I posted before
> are still in the logwatch report this morning.
Do you mean the loginuid messages? That isn't selinux, as I said - that
is audit-related. You can remove pam_loginuid from your /etc/pam.d/*
configs. You could file a bug against it or audit arguing that they
should check whether audit is enabled in the kernel and silently exit in
that case.
> I'm a bit less concerned with it now after all this discussion, but I
> doubt if I'll bring it back in. Why? Well, so far, the instructions as
> to how to recover the system once it's been disabled have not been good
> enough to re-enable everything, so even if it's set permissive, my logs
> will have many kilobytes a day saying that this or that was blocked. My
> nightly amanda run probably makes 50k of entries all by itself.
>
> Those recovery instructions should be in a 'man selinux' but I don't
> recall seeing them in there when I did look 2 weeks ago. Were they, and
> I can't read?
Do you mean how to relabel your filesystems? That is mentioned there as
well as in the Fedora SELinux FAQ, and rc.sysinit should do it
automatically upon booting a selinux-enabled kernel after previously
running disabled. Possibly it needs to run fixfiles with the -F flag to
force relabeling of even customizable contexts. File bugs on the
appropriate packages (initscripts if it isn't working correctly,
libselinux for the man page).
--
Stephen Smalley
National Security Agency
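The two fixes in the reply above (dropping pam_loginuid from the PAM configs, and forcing a relabel with fixfiles -F once a SELinux-enabled kernel is back) as an added shell example. This is not code from the original thread or from Fedora; the function names, the optional ROOT argument used for testing, and the sample PAM files are this example's own assumptions. The module name pam_loginuid, the /selinux/enforce node and "fixfiles -F relabel" are the real names from that era.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora. Function names and
# the ROOT argument are assumptions made for illustration.

# disable_pam_loginuid DIR
# Comment out every still-active pam_loginuid line under DIR (e.g. /etc/pam.d),
# writing FILE.bak before touching FILE, and print each file that was changed.
# Lines that are already comments are left alone, so the function is idempotent.
disable_pam_loginuid() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.bak) continue ;; esac
        # '^[^#]*pam_loginuid' matches only when no '#' precedes the module name
        if grep -q '^[^#]*pam_loginuid' "$f"; then
            cp -p "$f" "$f.bak"
            # prefix '#' rather than deleting, so the line can be restored later;
            # write back through cat so the file keeps its owner and mode
            sed 's/^\([^#]*pam_loginuid.*\)$/#\1/' "$f" > "$f.tmp" \
                && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
            echo "$f"
        fi
    done
    return 0
}

# count_active_loginuid FILE
# Print the number of uncommented pam_loginuid lines in FILE (0 when none).
count_active_loginuid() {
    grep -c '^[^#]*pam_loginuid' "$1" || true
}

# selinux_state [ROOT]
# Print enforcing, permissive or disabled. ROOT (default: the real root)
# exists only so the function can be pointed at a test tree. The enforce node
# is /selinux/enforce on Fedora of this period and /sys/fs/selinux/enforce on
# later kernels; when SELinux is disabled (selinux=0) neither node exists.
selinux_state() {
    root="${1:-}"
    for node in "$root/selinux/enforce" "$root/sys/fs/selinux/enforce"; do
        if [ -r "$node" ]; then
            case "$(cat "$node")" in
                1) echo enforcing ;;
                *) echo permissive ;;
            esac
            return 0
        fi
    done
    echo disabled
    return 0
}

# Typical use on a live box (run as root):
#   disable_pam_loginuid /etc/pam.d
#   if [ "$(selinux_state)" != disabled ]; then
#       fixfiles -F relabel   # full relabel, customizable contexts included
#   fi
```

The relabel is deliberately left to the caller: fixfiles -F relabel walks every mounted filesystem and is the step you want to run knowingly, after confirming the kernel actually came up with SELinux on, rather than as a side effect of editing PAM.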