FC2 Startup Errors

Valdis.Kletnieks at vt.edu
Tue Jun 22 18:23:02 UTC 2004


On Tue, 22 Jun 2004 10:29:22 PDT, edwarner99 at yahoo.com  said:

> After I rebooted, I can run as a user with root
> privileges. In the logs, it states there is an unknown
> user -u.

A little hard to diagnose without seeing the actual error message(s)
in the logs, with a few lines of context before and after so we can
guess when it happens.

But a quick 'grep -e -u /etc/init.d/*' indicates the most likely culprit
is one of these 4 lines:

% grep -e 'id -u' /etc/init.d/*
/etc/init.d/identd:[ `id -u` -ne 0 ] && exit 1
/etc/init.d/irqbalance:[ `id -u` = 0 ] || exit 0
/etc/init.d/rawdevices:        ID=`id -u`
/etc/init.d/xinetd:[ `id -u` = 0 ] || exit 1

(No, I don't know how /usr/bin/id gets confused into thinking -u is a userid
and not a flag, and I may be looking in the wrong place due to the lack
of any real information....)

> I'm a little confused about selinux to begin with. I
> have read the documents. I run a small lan, so do you
> suggest I turn off selinux?

The proper question is:  What is your threat model, and does SELinux do
anything to help with it?

It's possible you run a small lan, but have a security concern that SELinux can
help with.  It's possible that you run a very large network, and don't have any
threats that SELinux can help with.

Basically, you have to decide whether you're worried about the sort of things
that SELinux stops (basically, it does damage containment - even if an attacker
gets full control of a process that's in one security context, they are limited
in what data in other contexts they can access, and what system operations they
can perform (for instance, if the program is in a security context that doesn't
include the permission to use the exec*() family of system calls, an exploit
that does the usual "exec() and get a /bin/sh" shellcode Just Won't Work)).

Whether the added security is worth the added administration effort is
something you have to decide for yourself.  Note however, that the more people
use it and report any problems, the faster it will become more transparent to
the sysadmin....
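
The containment described in the message above is visible on a running system as AVC denials in the kernel log. As an added example (not part of the original post), this Python script picks out blocked exec attempts by confined domains; the log lines are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample lines (not from the thread), laid out in the kernel's
# "avc: denied { perms } for ... scontext= tcontext= tclass=" form.
SAMPLE_LOG = """\
audit(1087928582.101:0): avc:  denied  { execute } for  pid=2211 exe=/usr/sbin/httpd name=sh dev=hda2 ino=4711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1087928590.412:0): avc:  denied  { read } for  pid=2290 exe=/usr/sbin/named name=shadow dev=hda2 ino=9921 scontext=system_u:system_r:named_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1087928601.007:0): avc:  denied  { execute_no_trans } for  pid=2211 exe=/usr/sbin/httpd path=/bin/bash dev=hda2 ino=4712 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
audit(1087928633.900:0): avc:  granted  { execute } for  pid=900 exe=/bin/bash name=ls dev=hda2 ino=300 scontext=user_u:user_r:user_t tcontext=system_u:object_r:bin_t tclass=file
kernel: eth0: link up
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# File-class permissions involved in running a program.
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint"}


def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["result"] = m.group("result")
    fields["perms"] = set(m.group("perms").split())
    return fields


def context_type(context):
    """Extract the type (third field) from a user:role:type context string."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else "?"


def blocked_exec_attempts(log_text):
    """List (domain, pid, exe, target type, perms) for every denied exec."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied" or rec.get("tclass") != "file":
            continue
        perms = sorted(rec["perms"] & EXEC_PERMS)
        if perms:
            hits.append((context_type(rec.get("scontext")), rec.get("pid"),
                         rec.get("exe"), context_type(rec.get("tcontext")), perms))
    return hits
```

Calling `blocked_exec_attempts(SAMPLE_LOG)` returns the two httpd_t denials against shell_exec_t and skips the read denial, the granted message and the non-AVC line.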
