How NSA access was built into Windows
Margaret Doll
Margaret_Doll at brown.edu
Fri Jan 19 15:50:12 UTC 2007
On Jan 19, 2007, at 10:42 AM, Stephen Smalley wrote:
> On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
>> On Friday 19 January 2007 07:40, Stephen Smalley wrote:
>>>
>>> Aside from rebuilding from source with selinux options disabled in the
>>> compile-time configuration, you are correct - you cannot remove the
>>> actual selinux bits from Fedora at runtime, although you can disable
>>> their execution (boot with selinux=0). Performing an audit of the code
>>> associated with disabling SELinux at boot time isn't difficult, and
>>> doesn't require understanding the rest of the SELinux code that is never
>>> reached in that case.
>>
>> I have removed it from the kernel, but those log messages I posted
>> before are still in the logwatch report this morning.
>
> Do you mean the loginuid messages? That isn't selinux, as I said - that
> is audit-related. You can remove pam_loginuid from your /etc/pam.d/*
> configs. You could file a bug against it or audit arguing that they
> should check whether audit is enabled in the kernel and silently exit in
> that case.
>
>> I'm a bit less concerned with it now after all this discussion, but I
>> doubt if I'll bring it back in. Why? Well, so far, the instructions as
>> to how to recover the system once it's been disabled have not been good
>> enough to re-enable everything, so even if it's set permissive, my logs
>> will have many kilobytes a day saying that this or that was blocked. My
>> nightly amanda run probably makes 50k of entries all by itself.
>>
>> Those recovery instructions should be in a 'man selinux' but I don't
>> recall seeing them in there when I did look 2 weeks ago. Were they, and
>> I can't read?
>
> Do you mean how to relabel your filesystems? That is mentioned there as
> well as in the Fedora SELinux FAQ, and rc.sysinit should do it
> automatically upon booting a selinux-enabled kernel after previously
> running disabled. Possibly it needs to run fixfiles with the -F flag to
> force relabeling of even customizable contexts. File bugs on the
> appropriate packages (initscripts if it isn't working correctly,
> libselinux for the man page).
>
> --
> Stephen Smalley
> National Security Agency
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
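The three administrative checks the quoted reply walks through (was SELinux disabled on the kernel command line, which PAM configs still load pam_loginuid and so produce the loginuid log noise, and how to request a relabel on the next boot) collected into one script. This is an added example, not code from the thread or from Fedora; the function names and the use of argument-supplied inputs (so the checks can be run against constructed data) are this example's own choices, and the /.autorelabel flag file is the mechanism rc.sysinit checks to trigger the relabel mentioned in the reply.

```shell
#!/bin/sh
# Added example: audit helpers for the situation described in the thread.
# Each function takes its input as an argument so it can be exercised
# against constructed data as well as a live system.

# Return 0 when the kernel command line contains selinux=0 as a whole word
# (the runtime "disable their execution" option from the reply).
# Live use: selinux_disabled_on_cmdline "$(cat /proc/cmdline)"
selinux_disabled_on_cmdline() {
    cmdline="$1"
    for word in $cmdline; do
        [ "$word" = "selinux=0" ] && return 0
    done
    return 1
}

# Print the files under a pam.d directory whose active (non-comment) lines
# load pam_loginuid.so; return 1 if none do. These are the configs the
# reply says to edit if the loginuid messages are unwanted.
# Live use: pam_files_using_loginuid /etc/pam.d
pam_files_using_loginuid() {
    pamdir="$1"
    found=1
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -q 'pam_loginuid\.so'; then
            echo "$f"
            found=0
        fi
    done
    return $found
}

# Request a filesystem relabel on the next SELinux-enabled boot by creating
# the /.autorelabel flag file that rc.sysinit looks for. $1 is the root to
# operate on (/ on a live system; a scratch directory here for testing).
# If that relabel leaves customized contexts untouched, the reply's
# suggestion applies: run "fixfiles -F restore" by hand.
schedule_relabel() {
    root="$1"
    : > "$root/.autorelabel"
}
```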