How NSA access was built into Windows

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 18 17:57:40 UTC 2007


On Thu, 2007-01-18 at 12:44 -0500, Gene Heskett wrote:
> On Thursday 18 January 2007 10:13, Lyvim Xaphir wrote:
> >On Tue, 2007-01-16 at 01:55 -0500, Gene Heskett wrote:
> >> I believe you will have to build a generic kernel.org kernel,
> >> configured without that support, something I have underway right now,
> >> using 2.6.20-rc4.  I was amazed at the number of options I found
> >> turned on that a proper 'make oldconfig' should absolutely never have
> >> turned on.  My scripts take care of everything but grub.conf for a
> >> kernel install, so when its done all I should have to do is reboot
> >> since I'm already running 2.6.20-rc4.  Several things I found may even
> >> account for the apparent slowness of later kernels.  Things like 15
> >> seconds to launch firefox on an xp-2800 athlon with a gig of ram?
> >
> >When you get that kernel up and running, see if you can then do without
> >libselinux installed.

Not a good idea without rebuilding your userland without selinux
support.  Even /sbin/init links against it (to load policy) and will die
without it.

> I'm not sure as I haven't tried to pull that yet.  But without the stuff 
> in the kernel, the logs are being filled by cron processes stuff, but the 
> stuff, like amanda, seem to run normally.
> 
> Lots of this sort of stuff:
> 
>  **Unmatched Entries**
>     crond[1014]: pam_loginuid(crond:session): set_loginuid failed opening 
> loginuid: 1 Time(s)

That isn't selinux - that is audit-related.  Depends on
CONFIG_AUDITSYSCALL.

-- 
Stephen Smalley
National Security Agency




More information about the fedora-list mailing list