selinux strangeness

Zbigniew Koziol softquake-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Wed Jul 1 16:42:38 UTC 2009


Jamon Camisso wrote:
> Zbigniew Koziol wrote:
>> Jamon Camisso wrote:
>>> LD_ASSUME_KERNEL will fix that.
>>> Read http://people.redhat.com/drepper/assumekernel.html for more.
>> I did in the past something like that. Perhaps on another system. 
>> Don't assume however that I understand what I did or what you wrote...
>> I actually right now do not understand what you wrote... ;)
>
> I don't assume anything which is why I pointed out the information. 
> What you choose to do with it is entirely up to you, I don't know the 
> intricacies of your system to be able to spoon feed an answer (though 
> plugging the original error message into google and retrieving that 
> first result seems close enough).
>
>> The situation is really crazy. Now, I find that when I issue 
>> "xdosemu" command from terminal window, it sometimes works. And.. 
>> sometimes it does not work, producing error message. This is 
>> something entirely out of mind.
>
> Set that environment variable and then see.
>
>>>
>>> People tend to blame selinux for a lot of problems that they haven't 
>>> encountered before, but generally, if your problem is selinux 
>>> related, there will be a message in /var/log/messages and 
>>> /var/log/audit/audit.log.
>>
>> I know about these messages.
>>>
>>> selinux isn't the boogeyman (turn it back on), though I dislike 
>>> working with it sometimes since the logged messages are rather 
>>> verbose and yet still somewhat cryptic.
>>>
>> I disagree somewhat about all this selinux. If one cannot understand 
>> security, then that is not security.
>
> That's the advantage of selinux, you can't break it if you don't 
> understand it, all you can do is turn it off. It is an effective way 
> to keep people who should know better from making a mess in their system.
>
> To turn it off you have to be root and have to know that you're 
> turning it off. If you break something after that, it's a simple 
> matter of pebkac.
>
>> Besides, what the hell is this selinux for? Anyone around could really 
>> explain? I mean - I do probably know what for (and I doubt that the 
>> model used there is really useful commonly), but I want to hear from 
>> the list.
>
> It enforces mandatory access controls via the kernel's lsm framework.
> http://magazine.redhat.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/ 
>
Thanks ;)

Well... I still claim that 93.37% of users of _this_ list do not 
understand what selinux is ;)

My feeling is that it is basically about local access control. Or.. if a 
hacker breaks in and compiles something as root then after installing 
shitty stuff these may not work. Good. But this is not a sort of 
security we are mostly used to think about, a kind that would prevent 
hacking the system from outside. It rather helps to keep the system 
intact from fool actions of users and... root.

There is a catch. Often, oh God, how often, I did install software from 
outside and then I had to suffer a lot because of crazy, cryptic error 
messages. The reason? Well... software was not compiled properly with 
selinux in mind...

Don't assume that I am entirely ignorant in this subject ;) I did play 
with selinux security ;)

zb.


>
> Jamon
> -- 
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
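
The pointer above to /var/log/audit/audit.log can be turned into a quick check of whether a failing command is actually hitting SELinux denials. This is an added example, not code from the thread: it parses AVC denial records and counts those attributed to one command. The log lines, the library path and the helper names `parse_avc_denials` and `denials_for` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the audit.log record format (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1246466558.101:311): avc:  denied  { execmod } for  pid=4021 comm="xdosemu" path="/usr/lib/example.so" dev=sda1 ino=1311 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1246466558.101:311): arch=40000003 syscall=125 success=no exit=-13 comm="xdosemu"
type=AVC msg=audit(1246466601.442:318): avc:  denied  { read } for  pid=4102 comm="httpd" name="index.html" dev=sda1 ino=2210 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1246466702.007:325): avc:  denied  { execmod } for  pid=4188 comm="xdosemu" path="/usr/lib/example.so" dev=sda1 ino=1311 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=USER_AUTH msg=audit(1246466710.000:326): user pid=4200 uid=0 msg='op=PAM:authentication acct="zb" res=success'
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denials(text):
    """Return one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
        fields["perms"] = m.group("perms").split()
        fields["timestamp"] = float(m.group("ts"))
        denials.append(fields)
    return denials

def denials_for(text, comm):
    """Count denials for one command by (permission, source type, target type, class)."""
    counts = Counter()
    for d in parse_avc_denials(text):
        if d.get("comm") != comm:
            continue
        # An SELinux context is user:role:type[:level]; the type is the third field.
        stype = d["scontext"].split(":")[2]
        ttype = d["tcontext"].split(":")[2]
        for perm in d["perms"]:
            counts[(perm, stype, ttype, d["tclass"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in denials_for(SAMPLE_LOG, "xdosemu").items():
        print(n, *key)
```

An empty result for the failing command means the audit log holds no denial for it, which points away from SELinux as the cause.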
