How best get rid of SELinux?
pemboa at gmail.com
Fri Sep 21 17:10:26 UTC 2007
On 9/21/07, Gene Heskett <gene.heskett at verizon.net> wrote:
> On Friday 21 September 2007, Ed Greshko wrote:
> >Gene Heskett wrote:
> >> I have a firewall that has so far been bulletproof. Its called dd-wrt,
> >> run on an old scrap x86 box, booting busybox from a cf card, no drives in
> >> it & only 2 fans.
> >I'm not sure why you are comparing the functions of SELinux with the
> >functions of a firewall. It would be nice to hear your interpretation of
> >the issues that SELinux targets v.s. what a Firewall targets. If you think
> >they serve the same functions it would be nice if you would cite your
> > source.
> Several people have referred to 'that hacker' getting into the system, which
> is how I at least made the connection to a firewall.
So you're firewalls are capable of protecting against 'that hacker'
who _is_ on your box, ie. has gotten past your firewall somehow -
getting past a firewall is by no means an impossible task
> And to me, the firewall
> function of standing guard between my stuff and the rest of the planet is at
> least 10,000 times more important than silently, no log was generated,
> blocking off any and all access to the hardware data ports (usb and serial)
> even when that file says SELINUX=disabled.
So umm, why do you think it was SELinux causing the problem?
> In truth, and from the clues this old troubleshooter has detected, the only
> thing disabled by the above line is the logging, selinux is still standing
> behind the user, with a baseball bat hitting you in the back of the knee
> joints but using a pillow to muffle the noise. But that will be denied
> vociferously by those whose purpose it is to see to it that we run with it
> enabled. If you don't believe that, just watch this space...
I have several machines with SELinux disabled, and I see no messages from it.
> Questions that need answered _here_, where the whole list will read them are:
You make it sound like there is some attempted coverup going on
> Why do the supposed selinux functions, if 10,000% less important than a
> firewall (my personal estimation anyway) seem to take 10,000 times more
> maintenance than the far more important firewall?
Well besides the obvious possibility that your personal estimation is
wrong, there is the fact that they provide very different
functionality. Here's a bad metric, but one I think is still somewhat
useful. The SElinux howto/tutorial is at least 50% the size of that
Iptables howto, while providing all the necessary information
> And why is it that any "refutation of my claims messages" all have little or
> nothing to say except point the reader to other net locations where the
> propaganda to be read was written by someone WITH an agenda.
I haven't notice any specific claims. Please provide a list that we
can go through, and/or join the fedora-selinux list. Please, it
doesn't seem rational to be throwing around the word propaganda just
> And why is it that an error if logged, can't it be grepped for in the
> man-pages and the correct command line option to fix it be found?
There is a tool that gives you the exact command you need to fix an
SElinux error, much simpler than grepping i believe.
> I suppose the theory there is not to make it too simple for the hacker to fix,
> but if the hacker has gotten to that point, I'll submit that you already have
> a hell of a lot bigger problem than selinux is ever going to fix.
That is not the theory as far as I know. With SELinux present, said
hacker would likely not get far enough to disable SELinux. They didn't
in my case.
> Its a 'solution' looking for a 'problem' and if it can't find a problem, it
> will make 10 problems just for spite.
It solves problems for me, if you do not share this, that is
understandable. But it does infact solve problems.
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )
More information about the users