01-04-2008, 09:06 PM
Linus Walleij

Disabling selinux question

Thanks for the long explanation Steve, I now understand what auditd is and
what interacts with it and why it should be default-enabled.



> You can turn it off if you want.


You're right, and I'm beginning to suspect that much of my bad experiences
with system-config-services is that # description: foo in the
/etc/init.d/foo scripts is too short and uninformative.


A user that does not know what the daemons are intended for will not know
for sure whether they can enable and disable it or not.


Would you accept this patch to /etc/init.d/auditd:

--- auditd.orig 2008-01-04 22:53:32.000000000 +0100
+++ auditd 2008-01-04 22:58:46.000000000 +0100
@@ -3,7 +3,11 @@
# auditd This starts and stops auditd
#
# chkconfig: 2345 11 88
-# description: This starts the Linux Auditing System Daemon
+# description: This starts the Linux Auditing System Daemon,
+# which collects security related events in a
+# dedicated auditing log. Turning it off will not
+# alter system functionality, security related events
+# will then be recorded in the default system log.
#
# processname: /sbin/auditd
# config: /etc/sysconfig/auditd
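
Review bot: the continuation lines added under "# description:" do not end in a backslash. chkconfig-style headers only carry a description onto the next comment line when the previous line ends with "\", so a tool reading this header may show just the first line and drop the new explanation; end every description line except the last with " \". The sentence "Turning it off will not alter system functionality, security related events will then be recorded in the default system log." also needs tightening: it is a comma splice, and "will not alter system functionality" is broader than what the second clause supports. Consider two sentences that state only the concrete effect, that with auditd stopped the events go to the system log instead of the dedicated audit log.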

I think this (if it is correct, beware) is what a user of
system-config-services needs to know about this particular daemon in order
to make an educated choice of whether or not it should be enabled.


Hm, perhaps the other SELinux related daemons will be likewise
understandable if I make three more such patches...



> sigh...


Please don't give up on me so easily. I have good intentions.


> the services should exit if selinux is disabled. It's ok for them to
> start up.


Yes, certainly, but how as a user of the system-config-services interface,
would I know that?


s-c-s is itching me somewhere and I try to find out why and what's the
remedy for.


Linus

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
01-04-2008, 09:30 PM
Linus Walleij

Disabling selinux question

On Fri, 4 Jan 2008, Eric Paris wrote:


> There is no reason that a user cannot turn auditd off themselves (kernel
> just reroutes the messages to syslog rather than audit log) but audit
> still functions and serves a purpose all by itself.


Yeah, turns out my big problem is likely with the # description : provided
to s-c-s through the /etc/init.d/foo files so user knows they can actually
turn it off without shooting themselves in the foot.



> My opinion, if you disable SELinux in the installer (or s-c-selinux) it
> should disable those other programs you mentioned if those programs are
> not smart enough to not run on their own. (sounds like setroubleshoot
> and I'm going to guess sealert already are smart enough and
> anaconda/s-c-* shouldn't bother them...)


I think the best thing I can do is patch their # description : entries, so
the s-c-s user knows this.


If this was a major problem with s-c-s to me (not very high tech indeed)
I'm bold enough to believe it's going to be to many others as well.


Linus

 
01-05-2008, 12:29 PM
Steve Grubb

Disabling selinux question

On Friday 04 January 2008 17:06:55 Linus Walleij wrote:
> A user that does not know what the daemons are intended for will not know
> for sure whether they can enable and disable it or not.
>
> Would you accept this patch to /etc/init.d/auditd:

I changed some wording, but an improved description will be in the audit
daemon 1.6.5 init script which should be out sometime next week. I'll push it
to F8 after it's been in rawhide a few days.

Thanks,
-Steve

 
01-06-2008, 11:19 AM
Linus Walleij

Disabling selinux question

On Sat, 5 Jan 2008, Steve Grubb wrote:


> I changed some wording, but an improved description will be in the audit
> daemon 1.6.5 init script which should be out sometime next week. I'll push it
> to F8 after it's been in rawhide a few days.


That's perfect Steve, thanks a lot!

Linus
