How best get rid of SELinux?

David Boles dgboles at gmail.com
Fri Sep 21 13:57:55 UTC 2007


on 9/21/2007 2:13 AM, Gene Heskett wrote:
> On Friday 21 September 2007, David Boles wrote:
>> on 9/21/2007 12:34 AM, Gene Heskett wrote:
>> Wow Gene. I did not mean to set you off. SELinux is designed to help *you*
>> protect your Linux system from one of the major flaws in Windows.
> 
> And that flaw is (other than BG and his lawyers need to make a living)?
> 
>> Allowing 
>> unknown, bad, executables from doing strange things on your system without
>> your permission or, at times, without your knowledge of it happening.
> 
> Cups isn't exactly something I'd call unknown, but just because it can't guess 
> the fine points of driving an old C82 properly without my help in the 
> configuration files makes it a bad-ass?
> 
> If I didn't want heyu running the exterior lights & logging some of the odd 
> activities its sensors might record, would I have installed it?
> 
>> If you chose to turn this protection off that is most certainly your
>> right. It is your system. If you don't feel that the protection is
>> valuable then screw it.
> 
> I have a firewall that has so far been bulletproof.  It's called dd-wrt, run on 
> an old scrap x86 box, booting busybox from a cf card, no drives in it & only 
> 2 fans.  I know enough about such things to know that someday, somebody will 
> read the RFCs and figure out a way around it.  To have to put up with that 
> bit of paranoia harassing me every time the clock ticks until that time is 
> asking too much of any user.  I built this box, and the 6 or 7 before it, to 
> use, to do useful things, and I want it to do useful things, which it 
> cannot even begin to do with selinux enabled in any capacity.
> 
>> But when that smiling hacker from somewhere finally decides that
>> there are enough Linux users that think like Windows users he will write
>> that program that will wipe out your milling program.
> 
> He'll have to get through that firewall for starters, then figure out which 
> machine the milling program is running on.  But there are far more tasty 
> targets here than a copy of emc-2.1.7 that I can download and re-install in 
> 15 minutes as long as the network is up.  Me and one of my kids who thinks he 
> is a windows expert spent the better part of 2 hours on the phone one night a 
> few months ago, each using the other's actual ip address, and trying to figure 
> out a way into the other's box.  But first, you have to prove there is 
> actually a box at that address, right?  He had the latest satan and something 
> I never heard of and I had nmap, ping in both protocols and traceroute in 
> both protocols, and neither of us could even get a response from the identd 
> daemon, so effectively (and we tried 100% of the port range up to 65535) 
> there was no computer to be attacked at that ip address, for either of us.  I 
> had to admit he had that XP box locked up quite nicely.  And all that time, 
> email was flowing at both ends of that 1200 mile circuit at full speed.
> 
>> Honest Gene. SELinux has never caused me a problem that a simple 'look 'n
>> fix it' could not solve. It is work in progress and when you use older
>> releases it can cause problems.
> 
> There should be, in the man-pages, a direct translation of the logged error to 
> a command that would fix it.  There is not for 90% of the cases, and I rest 
> my case.
> 
> Having come "hat in hand" with 20k of logfiles, and be told in no uncertain 
> terms to take my problems to the selinux list sucks.  If redhat/fedora 
> doesn't want to either write some docs that make sense, or support the crap 
> they put in the distribution, then it gets its lifeline cut.  It really is 
> that simple.

The SELinux list would be where you would find the SELinux 'guys' so that
would be, IMO, a better place to look for SELinux help than here on a
general list. If I was having a problem with some application, pick one, I
would go to its support list.

In Fedora 7 was the beginning of a troubleshooting GUI for SELinux. In
Fedora 8 it is now working quite well. When SELinux 'sees' what it
'Thinks' is a 'bad thing trying to happen' it will tell you with an applet
warning in the task bar. Clicking on the applet brings down a window with
a pretty complete explanation of what is happening, what it thinks is
wrong and why. If you disagree just keep reading the very short paragraph
and it will tell you how to change the setting. Verbatim. If, it happens
very seldom for me, the setting cannot be changed it will offer you a bug
report.


> Oh, and in case anyone is interested, FC6 is not what I'd call "older" just 
> yet, it still has some support although that seems to be drying up as F8 
> approaches.  Older is me, I'll be 73 in 2 weeks.  The unfunny part is that 
> the person whom I gave my red Chiefs chair to at the tv station 5 years ago, 
> and now 50 years old, is laying in the shop right now waiting for a 
> catheterization session that will probably install some stents tomorrow.



Fedora Core 6 is EOL in December. I would consider that 'older'.  ;-)

BTW Happy birthday. You got me by a little more than 12 years.


>> Have a good day.
> 
> I did actually.  I'm learning how to do cabinet joinery with hand cut mortise 
> and tenons, building me a gun cabinet for the room I just got done 
> remodeling.  I'm getting better as I go, but it still works up a sweat when 
> doing it by hand with an antique wooden hammer and some Marples (rebranded 
> Record) chisels. That will keep me out of the bars for at least a couple 
> months by the time I get ready to put a 2 wheeler under it and take it to the 
> house.  Ash frame parts, solid cherry paneling.  And I know where the trees 
> that supplied the wood once stood.  There's a certain cachet to that which 
> you'll never get dropping the card for something like that.


That sounds interesting. I was never much good at cabinet/finish work in
wood. Framing is about my limit there. My trade is sheet metal. HVAC. That
I can do from flat sheets to the 'last screw'.  ;-)

This is getting OT for this list.
-- 

  David



