[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Disabling selinux question



On Fri, 2008-01-04 at 12:32 +0100, Linus Walleij wrote:
> Eric and others, please be patient with me now, because I'm trying to 
> understand our implicit rationale surrounding the selinux services here, 
> I'm not ranting. I might very well be uneducated and stupid, but sometimes 
> (as has been said before) it is useful to take the perspective of a 
> newcomer to a certain system (or in my case subsystem) and try to 
> understand why this user has problems with it.

Rant away, I've heard enough SELinux rants over the years *smile*

I just hope that every rant I hear from now on comes from someone who
tried SELinux on F8!

> 
> On Thu, 3 Jan 2008, Eric Paris wrote:
> 
> > selinux uses auditd but they are not at all closely coupled.  selinux
> > will function fine without auditd and auditd provides all of its
> > capabilities without selinux.  There is no reason these 2 should be
> > coupled together.
> 
> I get it. (Did some homework reading up on auditd here.)
> 
> So every Fedora user must have these (right?):
> root      2219  0.0  0.0  12288   684 ?        S<sl 10:14   0:00 auditd
> root      2221  0.0  0.0  12200   708 ?        S<sl 10:14   0:00 /sbin/audispd
> 
> What else, besides selinux, is using auditd in Fedora right now or in the 
> immediate future? (Since we're a distribution we don't count theoretical 
> use cases I hope...)
> 
> bash-3.2$ repoquery --whatrequires `repoquery --provides audit`
> setroubleshoot-server-0:2.0.0-3.fc9.noarch
> audispd-plugins-0:1.6.4-3.fc9.i386
> seedit-0:2.2.0-1.fc9.i386
> amtu-0:1.0.6-1.fc9.i386
> audit-0:1.6.4-3.fc9.i386
> 

you didn't talk about 'audit'

the audit subsystem is a freestanding subsystem with lots of
capabilities and functionality of its own.  By default, without any of
those packages installed audit is still going to get messages like user
login, segfaulting programs, changes of nics to promiscuous, and other
information.  Audit can be used free standing to audit events on your
system, see man auditctl

There is no reason that a user cannot turn auditd off themselves (kernel
just reroutes the messages to syslog rather than audit log) but audit
still functions and serves a purpose all by itself.

My opinion, if you disable SELinux in the installer (or s-c-selinux) it
should disable those other programs you mentioned if those programs are
not smart enough to not run on their own.  (sounds like setroubleshoot
and i'm going to guess sealert already are smart enough and
anaconda/s-c-* shouldn't bother them...)

-Eric


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]