How NSA access was built into Windows
Gene Heskett
gene.heskett at verizon.net
Fri Jan 19 17:50:42 UTC 2007
On Friday 19 January 2007 10:42, Stephen Smalley wrote:
>On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
>> On Friday 19 January 2007 07:40, Stephen Smalley wrote:
>> >Aside from rebuilding from source with selinux options disabled in
>> > the compile-time configuration, you are correct - you cannot remove
>> > the actual selinux bits from Fedora at runtime, although you can
>> > disable their execution (boot with selinux=0). Performing an audit
>> > of the code associated with disabling SELinux at boot time isn't
>> > difficult, and doesn't require understanding the rest of the SELinux
>> > code that is never reached in that case.
>>
>> I have removed it from the kernel, but those log messages I posted
>> before are still in the logwatch report this morning.
>
>Do you mean the loginuid messages? That isn't selinux, as I said - that
>is audit-related. You can remove pam_loginuid from your /etc/pam.d/*
>configs. You could file a bug against it or audit arguing that they
>should check whether audit is enabled in the kernel and silently exit in
>that case.
There are 95 files in /etc/pam.d, but pam_loginuid isn't one of them.
Ahh, found it, good old locate to the rescue again.
[root at coyote pam.d]# locate pam_loginuid
/lib/security/pam_loginuid.so
But I see that's the library. So what's calling it? Something in
the /etc/pam.d/cron file, since the messages all carry a crond label:
# The PAM configuration file for the cron daemon
#
#
auth sufficient pam_rootok.so
auth required pam_env.so
auth include system-auth
account required pam_access.so
account include system-auth
session required pam_loginuid.so <-aha! can I nuke this line?
session include system-auth
>> I'm a bit less concerned with it now after all this discussion, but I
>> doubt if I'll bring it back in. Why? Well, so far, the instructions
>> as to how to recover the system once it's been disabled have not been
>> good enough to re-enable everything, so even if it's set permissive, my
>> logs will have many kilobytes a day saying that this or that was
>> blocked. My nightly amanda run probably makes 50k of entries all by
>> itself.
>>
>> Those recovery instructions should be in a 'man selinux' but I don't
>> recall seeing them in there when I did look 2 weeks ago. Were they,
>> and I can't read?
>
>Do you mean how to relabel your filesystems?
Yes. There was something about touching a file on /, which I tried
several times, but I had to set it permissive before amanda could run.
amanda is locally built from the most recent snapshots, sometimes 3-4
times a week. That tarball install is not open for discussion; I do the
canary work for amanda.
>That is mentioned there as
>well as in the Fedora SELinux FAQ, and rc.sysinit should do it
>automatically upon booting a selinux-enabled kernel after previously
>running disabled. Possibly it needs to run fixfiles with the -F flag to
>force relabeling of even customizable contexts. File bugs on the
>appropriate packages (initscripts if it isn't working correctly,
>libselinux for the man page).
Can I run this fixfiles standalone? Looks like I can, so it's working.
Results, if any, later.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.
More information about the fedora-list mailing list