BLAG Forums

All times are UTC

Author Message
 Post subject: selinux=0
PostPosted: Tue Mar 28, 2006 5:17 pm 
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
I've mentioned this a few times here & there, but I don't think we've had a full selinux discussion.

For those of you that aren't familiar with it selinux is
* a security paradigm to keep your linux box from being cracked
OR
* a security paradigm created to make you a digital slave of the NSA

If you haven't heard of the NSA, they are like the CIA but much bigger and supposedly smarter. They are in charge of domestic telephone/email spying in the USA.
http://en.wikipedia.org/wiki/NSA

They are also the guys that created selinux and got it put into the kernel.

RedHat/Fedora have been pushing selinux very hard... So there are Fedora updates where the changelog reads:
Quote:
* Fri Mar 10 2006 Dan Walsh <dwalsh redhat com> 1.12-2
- Upgrade to latest from NSA


I generally disable selinux on my system by adding "selinux=0" to the vmlinuz line in grub.conf (or menu.lst). This disables it at the kernel.

When you install BLAG/Fedora you have the option of using enforcing, permissive (watching), or "disabled".

The problem is that disabled really ain't disabled from the get-go... I reported this and it got closed as NOTABUG. See:
https://bugzilla.redhat.com/bugzilla/sh ... ?id=145881

selinux can slow a system down and often causes odd problems.



So, in sum, I propose we have BLAG 50k and forward add selinux=0 to the kernel boot line and be done with it once and for all.

Thunks?

-Jeff


Last edited by jebba on Tue Mar 28, 2006 6:35 pm, edited 1 time in total.

 Post subject:
PostPosted: Tue Mar 28, 2006 5:33 pm 

Joined: Mon Jan 09, 2006 8:35 pm
Posts: 123
Location: Amersham, Bucks, UK
I've been meaning to ask about this - system-config-securitylevel says it is disabled, but is it really?

Also, how did the NSA manage to push through SELinux? Surely none of the developers would have let it happen? Or is this all part of "trusted computing" and therefore included so that linux doesn't end up becoming obsolete?

_________________
---
PM me if needed.
http://www.nofoto.co.uk


 Post subject: Thanks for the info
PostPosted: Tue Mar 28, 2006 6:41 pm 

Joined: Tue Jan 24, 2006 8:22 pm
Posts: 72
Location: Soon to be Boston Area
I was all for setting SEL to 0, but for performance reasons. I had no idea that the NSA was in on this as well. Now, I definitely think that SEL should be disabled. On a somewhat related note, does the security feature that SUSE uses (forget the name, but it does the same thing as SEL) have similar origins?

Speaking of privacy, here's a nice little cartoon.


 Post subject:
PostPosted: Tue Mar 28, 2006 6:42 pm 
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
nofoto wrote:
I've been meaning to ask about this - system-config-securitylevel says it is disabled, but is it really?


Well, it still gets initialized, then disabled. So a selinux update rpm (à la `yum upgrade`) can actually overwrite your disabling, and re-enable it. I think it should be disabled from step one, not turned on then off.

nofoto wrote:
Also, how did the NSA manage to push through SELinux? Surely none of the developers would have let it happen? Or is this all part of "trusted computing" and therefore included so that linux doesn't end up becoming obselete?


It's not part of the "trusted computing" thing at least as far as I know. Basically, they were just able to write up the patches, show that they were cute enough, and got them pushed upstream. It /does/ do some neat things like you can say "the webserver can only write to /var/www/html/i_can_write_here" or "the ftp server cannot read /home" etc. The policy files are quite involved. So if a program has a hole, damage can be limited by selinux. But from what I've seen, it's just an awfully large complex confusing mess which often just breaks systems. Complexity is often the enemy of security. I don't have enough kernel brains to evaluate its C. I've just seen lots of issues with it and am not too enthused to trust the NSA with frequent updates to my system.

-Jeff
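Jeff's first post and this reply contrast two ways of switching SELinux off that are not equivalent: SELINUX=disabled in /etc/selinux/config lets the kernel initialize SELinux and then has it turned off (so a later policy or init update can re-enable it), while selinux=0 on the kernel command line keeps it from initializing at all. The script below is an added example, not code from the thread or from BLAG/Fedora; it takes the kernel command line and the config file contents as strings so it can be exercised against constructed samples, and the live report at the end reads /proc/cmdline and /etc/selinux/config and looks for selinuxfs at /selinux (the mount point of that era) or /sys/fs/selinux.

```shell
#!/bin/sh
# Added example (not from the BLAG thread): report how SELinux is switched off on a
# Fedora/BLAG-style box. Two mechanisms exist and they are not equivalent:
#   SELINUX=disabled in /etc/selinux/config -> kernel initializes SELinux, init turns it off
#   selinux=0 on the kernel command line      -> SELinux is never initialized at all
# The classifiers take their input as strings so they run against constructed samples.

# selinux_cmdline_state "<kernel command line>"
# Prints: kernel-off (selinux=0), permissive (enforcing=0), or kernel-default.
selinux_cmdline_state() {
    result="kernel-default"
    for word in $1; do
        case "$word" in
            selinux=0)   result="kernel-off" ;;
            enforcing=0) [ "$result" = "kernel-off" ] || result="permissive" ;;
        esac
    done
    echo "$result"
}

# selinux_config_state "<contents of /etc/selinux/config>"
# Prints the last uncommented SELINUX= value, or "unset" if there is none.
# SELINUXTYPE=... lines do not match because the pattern requires '=' right after SELINUX.
selinux_config_state() {
    value=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*$/\1/p' | tail -n 1)
    if [ -n "$value" ]; then echo "$value"; else echo "unset"; fi
}

# selinux_effective "<cmdline>" "<config>"
# Combines both sources; a kernel parameter overrides the config file.
selinux_effective() {
    case "$(selinux_cmdline_state "$1")" in
        kernel-off) echo "disabled-at-kernel"; return 0 ;;
        permissive) echo "permissive-forced-by-kernel"; return 0 ;;
    esac
    case "$(selinux_config_state "$2")" in
        disabled)   echo "disabled-after-init" ;;   # initialized, then turned off: the "not really disabled" case
        permissive) echo "permissive" ;;
        enforcing)  echo "enforcing" ;;
        *)          echo "unknown" ;;
    esac
}

# Constructed samples standing in for a real /proc/cmdline and /etc/selinux/config.
SAMPLE_CMDLINE_GRUB_OFF="ro root=LABEL=/ rhgb quiet selinux=0"
SAMPLE_CMDLINE_PLAIN="ro root=LABEL=/ rhgb quiet"
SAMPLE_CONFIG_DISABLED="# This file controls the state of SELinux on the system.
# SELINUX=enforcing
SELINUX=disabled
SELINUXTYPE=targeted"

# selinux_live_report: run on a real machine; reads the live files (empty string if absent).
selinux_live_report() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    config=$(cat /etc/selinux/config 2>/dev/null || true)
    echo "effective state: $(selinux_effective "$cmdline" "$config")"
    # selinuxfs was mounted at /selinux on 2006-era Fedora and at /sys/fs/selinux later;
    # its presence means the kernel initialized SELinux this boot, whatever the config says.
    if [ -e /selinux/enforce ] || [ -e /sys/fs/selinux/enforce ]; then
        echo "selinuxfs present: yes (SELinux was initialized this boot)"
    else
        echo "selinuxfs present: no"
    fi
}

# Demonstration on the constructed samples:
echo "grub selinux=0 + config disabled : $(selinux_effective "$SAMPLE_CMDLINE_GRUB_OFF" "$SAMPLE_CONFIG_DISABLED")"
echo "plain cmdline  + config disabled : $(selinux_effective "$SAMPLE_CMDLINE_PLAIN" "$SAMPLE_CONFIG_DISABLED")"
```

Two caveats worth knowing before relying on the boot-line approach: the selinux= parameter is only honoured by kernels built with SELinux boot-parameter support (CONFIG_SECURITY_SELINUX_BOOTPARAM), so checking for selinuxfs after a reboot is the real confirmation, and enforcing=0 is a different thing from selinux=0, since permissive mode still loads policy and logs denials, which is exactly what you want when deciding whether a policy is breaking a service. If a box runs disabled for a while and is later switched back on, files created in the meantime carry no contexts, which is the relabel problem described further down in this thread; `touch /.autorelabel` before the reboot schedules a full relabel.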


 Post subject: Re: selinux=0
PostPosted: Tue Mar 28, 2006 6:51 pm 

Joined: Sun Mar 14, 2004 4:39 pm
Posts: 220
Location: Xerta, España
jebba wrote:
So, in sum, I propose we have BLAG 50k and forward add selinux=0 to the kernel boot line and be done with it once and for all.


/me nods. quite apart from the nsa concerns, it screwed one install on my box already.

a thought on the nsa: why would you trust an organization to tell you the truth about something [selinux, to pick an example at random] when that's not their 'business' in every other sphere of their activity.


 Post subject: Re: selinux=0
PostPosted: Tue Apr 04, 2006 8:34 pm 

Joined: Mon Mar 27, 2006 11:05 pm
Posts: 286
r7 wrote:
a thought on the nsa: why would you trust an organization to tell you the truth about something [selinux, to pick an example at random] when that's not their 'business' in every other sphere of their activity.


who said anything about trust :))) just use their goodies for your own purposes imo.
the way i look at it - selinux does imply a harder approach to many things - setup wise and operations and i'd say for an average user it is not needed.
on the other hand excluding this feature completely (to the point where i'd have to attempt installing the goodies from nsa's site alone nooooooo) would lead to my suicide as i'm seriously not looking into another migration from distro to distro :) as a matter of fact i do truly like blag for what it is.

enabling selinux in 3000x series was a bit of a nut cracker at first, in terms that i'd never suspect that setup or first boot doesn't relabel the fs according to contexts defined automatically. however as long as i am able to relabel thus easily activating selinux me and users who don't need it are happy campers as we both win, even nsa wins :) you see


 Post subject:
PostPosted: Wed Apr 05, 2006 12:16 pm 
Site Admin

Joined: Wed Mar 17, 2004 6:17 pm
Posts: 1340
Location: London, UK
After this incident with selinux locking me out of my own box, I don't think I'll ever have anything to do with it. Lucky I had another laptop to google with... I would've been fscked.

url from an earlier thread

_________________
BLAG 'em up!

