Re: How best get rid of SELinux?

On Fri, 21 Sep 2007 06:47:12 +0100, Andy Green wrote:
> Just to be clear, that is what "permissive" does... it lets you know
> what selinux wouldn't've let through, but lets it through anyway.  So
> these error messages represent a passive opinion from selinux about what
> it didn't like (but did nothing to prevent).  So selinux is only to
> blame for filling your logs, not any other badness while in permissive.

	In other words, what it tells me in these messages is false?? And 
the distractions it creates to draw attention to itself could be proxied 
out, if I knew how?? 

	The messages in the display when I click on that big yellow star 
are all of the form "SELinux *has* blocked ..." or "... *has* denied ... 
" or the like -- indicative mood. 

> IMO it is better to make selinux happy, if possible without causing a
> heart attack, than to disable it.  

	Such has indeed been my practice heretofore -- and I'm getting 
heartily sick of it.

> Why not start with
> # touch /.autorelabel
> and a reboot.  This will make sure your files have the right selinux
> label, the cause of many problems.

	Like Gene, I have done that, over and over; I haven't counted, 
but it must be at *least* half a dozen times per machine. 

	It is usually anything but convenient to shut all the apps on all 
the workspaces down, just because some nanny I don't need has yet another 
hissy fit. And when I do do it, it takes forever and a month to reboot.

	It may well be that NSA and those of you with big production 
sites to administer do need all this. You certainly (and I hope to God 
NSA, too, despite being a gummint bureaucracy) understand it far better. 

	To start with, surely, you can tell by looking what is serious 
and what isn't -- i.e., what you can safely ignore till you get around to 
it, if ever.

	My half dozen little machines, all behind at least one router, 
physically inaccessible to anyone but my wife and me, running every 
*other* defense I can find and manage, and with nothing in the way of 
wealth, power, or prominence to attract evildoers, ought to be a somewhat 
different kettle of fish. 

	No doubt the crackers out there have bots sniffing at every 
machine they can find in existence. But, unless I've completely 
misunderstood everything I've read on news.grc.com over the years, if 
such a bot suggests my little operation to its obnoxious owner, s/he will 
realize at first glance that nothing here is worth the trouble it would 
take to conquer, with or without SELinux even installed.

	Suggestion: persuade the SELinux developers, if you can, to go 
take lessons from the ZoneAlarm people, paying heavily enough to get 
eager co-operation. ZA is by no means perfect -- it too can be obscure -- 
but on any scale of user-friendliness, it's orders of magnitude (plural!) 
ahead of the SELinux messages.

Beartooth Staffwright, PhD, Neo-Redneck Linux Convert
Remember I know precious little of what I am talking about.