How NSA access was built into Windows

Margaret Doll Margaret_Doll at brown.edu
Fri Jan 19 15:50:12 UTC 2007


On Jan 19, 2007, at 10:42 AM, Stephen Smalley wrote:

> On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
>> On Friday 19 January 2007 07:40, Stephen Smalley wrote:
>>>
>>> Aside from rebuilding from source with selinux options disabled in the
>>> compile-time configuration, you are correct - you cannot remove the
>>> actual selinux bits from Fedora at runtime, although you can disable
>>> their execution (boot with selinux=0).  Performing an audit of the code
>>> associated with disabling SELinux at boot time isn't difficult, and
>>> doesn't require understanding the rest of the SELinux code that is never
>>> reached in that case.
>>
>> I have removed it from the kernel, but those log messages I posted before
>> are still in the logwatch report this morning.
>
> Do you mean the loginuid messages?  That isn't selinux, as I said - that
> is audit-related.  You can remove pam_loginuid from your /etc/pam.d/*
> configs.  You could file a bug against it or audit arguing that they
> should check whether audit is enabled in the kernel and silently exit in
> that case.
>
>> I'm a bit less concerned with it now after all this discussion, but I
>> doubt if I'll bring it back in.  Why?  Well, so far, the instructions as
>> to how to recover the system once it's been disabled have not been good
>> enough to re-enable everything, so even if it's set permissive, my logs
>> will have many kilobytes a day saying that this or that was blocked.  My
>> nightly amanda run probably makes 50k of entries all by itself.
>>
>> Those recovery instructions should be in a 'man selinux' but I don't
>> recall seeing them in there when I did look 2 weeks ago.  Were they, and
>> I can't read?
>
> Do you mean how to relabel your filesystems?  That is mentioned there as
> well as in the Fedora SELinux FAQ, and rc.sysinit should do it
> automatically upon booting a selinux-enabled kernel after previously
> running disabled.  Possibly it needs to run fixfiles with the -F flag to
> force relabeling of even customizable contexts.  File bugs on the
> appropriate packages (initscripts if it isn't working correctly,
> libselinux for the man page).
>
> -- 
> Stephen Smalley
> National Security Agency
>
> -- 
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
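The three things the exchange keeps circling (is SELinux disabled at boot, which pam.d files still load pam_loginuid, is a relabel queued and is audit actually on), as an added shell example that is not code from any poster; the /.autorelabel flag file and the two auditctl -s output formats are assumptions about Fedora of that era.

```shell
#!/bin/sh
# Added example, not from the thread: small state checks for the points the
# discussion raises. Each function takes its input as an argument or a
# directory prefix so it can run against a live box or an offline copy.

# State implied by the kernel command line: "selinux=0" disables execution
# of the SELinux bits at boot without removing them from the kernel.
selinux_cmdline_state() {
    cmdline="$1"                      # e.g. contents of /proc/cmdline
    case " $cmdline " in
        *" selinux=0 "*) echo disabled ;;
        *)               echo enabled  ;;
    esac
}

# Which PAM configs under $1 (normally /etc/pam.d) still load pam_loginuid,
# the module behind the loginuid messages discussed above.
pam_loginuid_files() {
    dir="$1"
    grep -ls 'pam_loginuid' "$dir"/* 2>/dev/null
    return 0
}

# Parse the output of `auditctl -s` (assumed formats: "enabled=1" in older
# audit releases, "enabled 1" in newer ones); exit 0 when audit is on.
audit_enabled_from_status() {
    status="$1"
    printf '%s\n' "$status" | grep -Eq '(^|[[:space:]])enabled[= ]1([[:space:]]|$)'
}

# Report whether a full relabel is queued: Fedora's rc.sysinit relabels on
# the next boot when the /.autorelabel flag file exists under root $1
# (assumption about the initscripts of that era).
relabel_pending() {
    if [ -e "$1/.autorelabel" ]; then echo pending; else echo none; fi
}

# Usage against the running system (auditctl needs root):
#   selinux_cmdline_state "$(cat /proc/cmdline)"
#   pam_loginuid_files /etc/pam.d
#   audit_enabled_from_status "$(auditctl -s)" && echo "audit on"
#   relabel_pending /
```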
