How NSA access was built into Windows

Gene Heskett gene.heskett at verizon.net
Mon Jan 22 17:49:56 UTC 2007


On Monday 22 January 2007 10:13, Stephen Smalley wrote:
>On Sun, 2007-01-21 at 17:11 -0500, Gene Heskett wrote:
>> On Sunday 21 January 2007 14:36, Lyvim Xaphir wrote:
>> >On Sun, 2007-01-21 at 01:14 -0500, R. G. Newbury wrote:
>> >> David Boles wrote:
>>
>> [and I snipped, we have enough trolls under this bridge already]
>>
>> Also, to add a bit of fuel to the fire, I just rebuilt my 2.6.20-rc4
>> again after having found some more selinux stuff in the previous build
>> that I am now running without.
>>
>> 1: Now my logs are clean again.
>>
>> 2: It took me 27 minutes to build that selinux free kernel.  Now check
>> this, after having added quite a few usb network related modules as
>> I'm trying to get into a wap11 via the usb port, which will allow me
>> to do a reset to factory, something I cannot do from the snmp
>> interface because that interface requires the old password, something
>> I've forgotten in the 8 months since I last used this device.
>>
>> #> time ./makeit
>> [snip about 200k of make output]
>> All done! Edit grub.conf, reboot and chose your kernel at the grub
>> prompt
>>
>> real    8m42.183s
>> user    4m21.606s
>> sys     1m11.805s
>> [root at coyote linux-2.6.20-rc4]#
>>
>> Now, I could have done something to speed this system up that's not
>> related to selinux, but the only things I've done is to rip out the
>> livna versions of mplayer and mplayerplugin with --nodeps, and put
>> them back in from dries before they were missed, and then restart
>> firefox from its own file menu pulldown, (normal quits and re-runs
>> didn't seem to do it) and now both foxnews and cnn videos now play,
>> although cnn's videos act like the server is in need of quite a bit
>> more iron in its diet.
>>
>> Now, somebody, preferably Dr. Smalley, please explain to me why I
>> should run something that takes a 9 minute compile and makes it take
>> 27 minutes to do it.  And the rest of the system just plain feels
>> snappier.
>
>(1) I'm not a PhD.

Oh, I guess I was echoing someone else who made that assumption.

>(2) If SELinux tripled your kernel compile time, then something is
>terribly wrong with it.  I've never seen that kind of overhead in kernel
>compile benchmarks, not even close.  More like a few percent.  Please
>verify that you are using comparable baselines (e.g. same kernel other
>than selinux options in .config)

The first version of this kernel, 2.6.20-rc4, was a clean build, but 
apparently with pretty close to an allyes config, and no idea how that 
happened.  That took 37 minutes on an XP2800 Athlon with a gig of ram.  
The next build, I had gone about halfway down the make xconfig menu 
canceling stuff I knew I didn't need or my mobo didn't support.  That 
took 33 minutes to build.

The third time I'd gone through it specifically looking for selinux related 
stuff and turning it off.  It was at that point my logs started being 
flooded with those messages I posted, but I found that one of the selinux 
related things in services was still being run so I stopped that and the 
messages went away.   That was audit probably but don't make me lay a 
hand on the good book when I say it, too much is going on.  There was a 
concurrent edit to the crond script in /etc/pam.d also.  That build took 
27 minutes.

Then the 4th time I was trying to get access to a wap11 through its usb 
port so I could reset the password and a few other things & maybe put it 
back to use.  So that build actually built more modules than the 3rd one,
(BTW, that didn't work, and no one answered my question about it here on 
this list.  I still had to plug it into my lappy and run the winderz crap 
to do that.  Gives me the hives.)

This is the build that took a bit less than 9 minutes.  To me the major 
diff there is that this was the first kernel built with a kernel built 
without as much selinux as I could turn off, and rebooted to with 
an 'selinux=0' as an additional argument in the grub kernel command line.

>and tests (are you sure your second 
>build was from a clean state, and was there any other system activity
>ongoing during either build?).  Can you reproduce the result reliably?

I believe I could reboot to 2.6.20-rc3, start all the stopped services 
and then rebuild this kernel I suppose.  Seems like a waste of time 
though.  As for 'system activity', fetchmail, procmail, spamassassin 
were all running, and I may have had a session of patience (solitaire) 
running, or browsing the web.  Or all of the above, linux does multitask 
you know. :)

I am using ccache though, and its du -b indicates its using about 1.5GB.  
My makeit script does a make clean at the top of it.  It does everything 
but edit grub.conf for me, and maintains the old kernel and initrd 
& /lib/modules/$VER in a state that a foobar fix is a matter of deleting 
the new stuff and renaming the old to its original names.

>Were any audit/avc messages generated during either build,
>to /var/log/messages or /var/log/audit/audit.log (if running auditd)?

Apparently not for the last build.

>--
>Stephen Smalley
>National Security Agency

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.
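
The baseline check asked for in the thread (same kernel other than selinux options in .config) can be done mechanically before comparing build times. The following is an added example, not part of the original message or of either poster's scripts: it lists every option that differs between two kernel .config files while ignoring the SELinux ones. The function names, the `CONFIG_SECURITY_SELINUX` prefix filter and the two sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# baseline_diff OLD NEW: print "OPTION: old -> new" for every kernel config
# option whose value differs between the two files, skipping SELinux options.
# An option that is absent or "is not set" is treated as "n".
baseline_diff() {
    awk '
    {
        name = ""
        if ($0 ~ /^CONFIG_[A-Za-z0-9_]+=/) {
            i = index($0, "=")
            name = substr($0, 1, i - 1); val = substr($0, i + 1)
        } else if ($0 ~ /^# CONFIG_[A-Za-z0-9_]+ is not set$/) {
            name = $2; val = "n"
        }
        if (name == "") next
        seen[name] = 1
        if (FILENAME == ARGV[1]) a[name] = val; else b[name] = val
    }
    END {
        for (name in seen) {
            # Assumed filter: the options the comparison is allowed to vary.
            if (name ~ /^CONFIG_SECURITY_SELINUX/) continue
            av = (name in a) ? a[name] : "n"
            bv = (name in b) ? b[name] : "n"
            if (av != bv) print name ": " av " -> " bv
        }
    }' "$1" "$2" | LC_ALL=C sort
}

# demo: run the check on two small constructed configs (not real build configs).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'CONFIG_SECURITY=y' 'CONFIG_SECURITY_SELINUX=y' \
        'CONFIG_SECURITY_SELINUX_BOOTPARAM=y' 'CONFIG_AUDIT=y' \
        'CONFIG_USB_USBNET=m' '# CONFIG_USB_NET_CDCETHER is not set' \
        'CONFIG_DEBUG_INFO=y' > "$tmp/with_selinux.config"
    printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_SECURITY_SELINUX is not set' \
        'CONFIG_AUDIT=y' 'CONFIG_USB_USBNET=m' 'CONFIG_USB_NET_CDCETHER=m' \
        '# CONFIG_DEBUG_INFO is not set' > "$tmp/without_selinux.config"
    baseline_diff "$tmp/with_selinux.config" "$tmp/without_selinux.config"
    rm -rf "$tmp"
}

demo
```

Any line of output means the two builds differ in more than SELinux, so their timings are not a like-for-like measurement of SELinux overhead.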
