How NSA access was built into Windows

Gene Heskett gene.heskett at verizon.net
Fri Jan 19 17:50:42 UTC 2007


On Friday 19 January 2007 10:42, Stephen Smalley wrote:
>On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
>> On Friday 19 January 2007 07:40, Stephen Smalley wrote:
>> >Aside from rebuilding from source with selinux options disabled in
>> > the compile-time configuration, you are correct - you cannot remove
>> > the actual selinux bits from Fedora at runtime, although you can
>> > disable their execution (boot with selinux=0).  Performing an audit
>> > of the code associated with disabling SELinux at boot time isn't
>> > difficult, and doesn't require understanding the rest of the SELinux
>> > code that is never reached in that case.
>>
>> I have removed it from the kernel, but those log messages I posted
>> before are still in the logwatch report this morning.
>
>Do you mean the loginuid messages?  That isn't selinux, as I said - that
>is audit-related.  You can remove pam_loginuid from your /etc/pam.d/*
>configs.  You could file a bug against it or audit arguing that they
>should check whether audit is enabled in the kernel and silently exit in
>that case.

There are 95 files in /etc/pam.d, but pam_loginuid isn't one of them.
Ahh, found it, good old locate to the rescue again.
[root@coyote pam.d]# locate pam_loginuid
/lib/security/pam_loginuid.so

But I see that's the library.  So what's calling it? Something in
the /etc/pam.d/cron file, since the messages all carry a crond label:

# The PAM configuration file for the cron daemon
#
#
auth       sufficient pam_rootok.so
auth       required   pam_env.so
auth       include    system-auth
account    required   pam_access.so
account    include    system-auth
session    required   pam_loginuid.so  <-aha! can I nuke this line?
session    include    system-auth


>> I'm a bit less concerned with it now after all this discussion, but I
>> doubt if I'll bring it back in.  Why?  Well, so far, the instructions
>> as to how to recover the system once it's been disabled have not been
>> good enough to re-enable everything, so even if it's set permissive, my
>> logs will have many kilobytes a day saying that this or that was
>> blocked.  My nightly amanda run probably makes 50k of entries all by
>> itself.
>>
>> Those recovery instructions should be in a 'man selinux' but I don't
>> recall seeing them in there when I did look 2 weeks ago.  Were they,
>> and I can't read?
>
>Do you mean how to relabel your filesystems?

Yes.  There was something about touching a file on /, which I tried
several times, but I had to set it permissive before amanda could run.
amanda is locally built from the most recent snapshots, sometimes 3-4
times a week.  That tarball install is not open for discussion; I do the
canary work for amanda.

>That is mentioned there as 
>well as in the Fedora SELinux FAQ, and rc.sysinit should do it
>automatically upon booting a selinux-enabled kernel after previously
>running disabled.  Possibly it needs to run fixfiles with the -F flag to
>force relabeling of even customizable contexts.  File bugs on the
>appropriate packages (initscripts if it isn't working correctly,
>libselinux for the man page).

Can I run this fixfiles standalone?  Looks like I can, so it's working.
Results if any later.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.




More information about the fedora-list mailing list