Re: How NSA access was built into Windows

On Friday 19 January 2007 07:40, Stephen Smalley wrote:
>Aside from rebuilding from source with selinux options disabled in the
>compile-time configuration, you are correct - you cannot remove the
>actual selinux bits from Fedora at runtime, although you can disable
>their execution (boot with selinux=0).  Performing an audit of the code
>associated with disabling SELinux at boot time isn't difficult, and
>doesn't require understanding the rest of the SELinux code that is never
>reached in that case.

I have removed it from the kernel, but those log messages I posted before 
are still in the logwatch report this morning.

I'm a bit less concerned with it now after all this discussion, but I 
doubt if I'll bring it back in.  Why?  Well, so far, the instructions as 
to how to recover the system once it's been disabled have not been good 
enough to re-enable everything, so even if it's set permissive, my logs 
will have many kilobytes a day saying that this or that was blocked.  My 
nightly amanda run probably makes 50k of entries all by itself.

Those recovery instructions should be in a 'man selinux' but I don't 
recall seeing them in there when I did look 2 weeks ago.  Were they, and 
I can't read?

Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.
