selinux=0

jebba
PostPosted: Tue Mar 28, 2006 5:17 pm    Post subject: selinux=0

I've mentioned this a few times here & there, but I don't think we've had a full selinux discussion.

For those of you that aren't familiar with it, selinux is
* a security paradigm to keep your linux box from being cracked
OR
* a security paradigm created to make you a digital slave of the NSA

If you haven't heard of the NSA, they are like the CIA but much bigger and supposedly smarter. They are in charge of domestic telephone/email spying in the USA.
http://en.wikipedia.org/wiki/NSA

They are also the guys that created selinux and got it put into the kernel.

RedHat/Fedora have been pushing selinux very hard... So there are Fedora updates where the changelog reads:
Quote:
* Fri Mar 10 2006 Dan Walsh <dwalsh redhat com> 1.12-2
- Upgrade to latest from NSA


I generally disable selinux on my system by adding "selinux=0" to the vmlinuz line in grub.conf (or menu.lst). This disables it at the kernel.

When you install BLAG/Fedora you have the option of using enforcing, permissive (watching), or "disabled".

The problem is that disabled really ain't disabled from the get-go... I reported this and it got closed as NOTABUG. See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145881

selinux can slow a system down and often causes odd problems.
So, in sum, I propose we have BLAG 50k and forward add selinux=0 to the kernel boot line and be done with it once and for all.

Thunks?

-Jeff
Last edited by jebba on Tue Mar 28, 2006 6:35 pm; edited 1 time in total
nofoto
PostPosted: Tue Mar 28, 2006 5:33 pm    Post subject:

I've been meaning to ask about this - system-config-securitylevel says it is disabled, but is it really?

Also, how did the NSA manage to push through SELinux? Surely none of the developers would have let it happen? Or is this all part of "trusted computing" and therefore included so that linux doesn't end up becoming obsolete?


_________________
---
PM me if needed.
http://www.nofoto.co.uk
pfe1223
PostPosted: Tue Mar 28, 2006 6:41 pm    Post subject: Thanks for the info

I was all for setting SEL to 0, but for performance reasons. I had no idea that the NSA was in on this as well. Now, I definitely think that SEL should be disabled. On a somewhat related note, does the security feature that SUSE uses (forget the name, but it does the same thing as SEL) have similar origins?

Speaking of privacy, here's a nice little cartoon.

jebba
PostPosted: Tue Mar 28, 2006 6:42 pm    Post subject:
</gml_replace>
<gr_replace lines="76-76" cat="clarify" orig="Well, it still gets">
Well, it still gets initialized, then disabled. So a selinux update rpm (à la `yum upgrade`) can actually overwrite your disabling, and re-enable it. I think it should be disabled from step one, not turned on then off.

nofoto wrote:
I've been meaning to ask about this - system-config-securitylevel says it is disabled, but is it really?


Well, it still gets initialized, then disabled. So a selinux update rpm (a'la `yum upgrade`) can actually overwrite your disabling, and re-enable it. I think it should be disabled from step one, not turned on then off.

nofoto wrote:
Also, how did the NSA manage to push through SELinux? Surely none of the developers would have let it happen? Or is this all part of "trusted computing" and therefore included so that linux doesn't end up becoming obsolete?


It's not part of the "trusted computing" thing at least as far as I know. Basically, they were just able to write up the patches, show that they were cute enough, and got them pushed upstream. It /does/ do some neat things like you can say "the webserver can only write to /var/www/html/i_can_write_here" or "the ftp server cannot read /home" etc. The policy files are quite involved. So if a program has a hole, damage can be limited by selinux. But from what I've seen, it's just an awfully large complex confusing mess which often just breaks systems. Complexity is often the enemy of security. I don't have enough kernel brains to evaluate its C. I've just seen lots of issues with it and am not too enthused to trust the NSA with frequent updates to my system.

-Jeff
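
A check for the two situations Jeff describes in his first post and in the reply above: SELinux turned off at the kernel with selinux=0 on the boot line, versus "disabled" in the installer config, where it still initialises and an update can switch it back on. This is an added example, not code from the thread or from BLAG/Fedora; the file paths and the sample strings are assumptions.

```shell
# Added example (not from the thread). Separates "off at the kernel" (selinux=0
# on the boot line) from "off in /etc/selinux/config" (initialised, then disabled).

# Kernel command line: "disabled" if selinux=0 is present, "enforcing" or
# "permissive" if enforcing=1/0 is passed, otherwise "unset".
cmdline_state() {
    state=unset
    for tok in $1; do
        case "$tok" in
            selinux=0)   state=disabled ;;
            enforcing=1) [ "$state" = disabled ] || state=enforcing ;;
            enforcing=0) [ "$state" = disabled ] || state=permissive ;;
        esac
    done
    echo "$state"
}

# SELINUX= value from an /etc/selinux/config-style file read on stdin.
# Comment lines and SELINUXTYPE= do not match the pattern.
config_state() {
    state=unset
    while IFS= read -r line; do
        case "$line" in
            SELINUX=*) state=${line#SELINUX=} ;;
        esac
    done
    echo "$state"
}

# Combine the two: the kernel parameter wins. "config-disabled" is the case
# the thread complains about: SELinux starts, then turns itself off.
effective_state() {
    k=$(cmdline_state "$1")
    c=$(printf '%s\n' "$2" | config_state)
    if   [ "$k" = disabled ]; then echo kernel-disabled
    elif [ "$c" = disabled ]; then echo config-disabled
    elif [ "$k" != unset ];   then echo "$k"
    elif [ "$c" != unset ];   then echo "$c"
    else echo unknown
    fi
}

# Live report for the running box. The enforce flag sat under /selinux on
# Fedora of that era and under /sys/fs/selinux on current kernels (assumed paths).
report_live() {
    effective_state "$(cat /proc/cmdline 2>/dev/null)" "$(cat /etc/selinux/config 2>/dev/null)"
    for f in /selinux/enforce /sys/fs/selinux/enforce; do
        [ -r "$f" ] && echo "runtime enforce flag ($f): $(cat "$f")"
    done; return 0
}
```

Run `report_live` as root to see which of the three states a box is actually in; "config-disabled" means the boot line still lacks selinux=0.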

r7
PostPosted: Tue Mar 28, 2006 6:51 pm    Post subject: Re: selinux=0

jebba wrote:
So, in sum, I propose we have BLAG 50k and forward add selinux=0 to the kernel boot line and be done with it once and for all.


/me nods. quite apart from the nsa concerns, it screwed one install on my box already.

a thought on the nsa: why would you trust an organization to tell you the truth about something [selinux, to pick an example at random] when that's not their 'business' in every other sphere of their activity.

gr00ve
PostPosted: Tue Apr 04, 2006 8:34 pm    Post subject: Re: selinux=0

r7 wrote:
a thought on the nsa: why would you trust an organization to tell you the truth about something [selinux, to pick an example at random] when that's not their 'business' in every other sphere of their activity.


who said anything about trust :))) just use their goodies for your own purposes imo.
the way i look at it - selinux does imply a harder approach to many things - setup wise and operations and i'd say for an average user it is not needed.
on the other hand excluding this feature completely (to the point where i'd have to attempt installing the goodies from nsa's site alone nooooooo) would lead to my suicide as i'm seriously not looking into another migration from distro to distro :) as a matter of fact i do truly like blag for what it is.

enabling selinux in 3000x series was a bit of a nut cracker at first, in terms that i'd never suspect that setup or first boot doesn't relabel the fs according to contexts defined automatically. however as long as i am able to relabel thus easily activating selinux me and users who don't need it are happy campers as we both win, even nsa wins :) you see

john maclean
PostPosted: Wed Apr 05, 2006 12:16 pm    Post subject:

After this incident with selinux locking me out of my own box, I don't think I'll ever have anything to do with it. Lucky I had another laptop to google with... I would've been fscked.

url from an earlier thread


_________________
BLAG 'em up!