Void's Forums

[worker201]

Hopefully, glibc will be all better now that SELinux is disabled.

Here's the place that kernel must have come from:
http://download.atrpms.net/mirrors/fedo ... 6/?C=S;O=A

Yes, apparently it is a testing kernel, yet I have been running this kernel for a while now, and never had any problems. But I updated my SELinux targeted policy on Christmas Eve. I am no longer uncertain that SELinux is the problem. Ah well, there is a newer kernel out, and I was going to update it anyway.

Well, I'm glad that all of us have had a chance to learn something. For laughs, imagine somebody trying to use Microsoft Word on an NSA targeted policy system. Talk about crashes!

[worker201]

With SELinux disabled:

[lholcombe@holcombe2 ~]$ rpm -V glibc
..?..... /usr/sbin/glibc_post_upgrade.i686

Is that normal???

[Void Main]

You need to run the "rpm -V" as root because that file is only readable by root.

[worker201]

[root@holcombe2 lholcombe]# rpm -V glibc
[root@holcombe2 lholcombe]# rpm -V glibc-common
[root@holcombe2 lholcombe]#

Well, is that what I wanted to see?

[Void Main]

Yes sir. That means everything is exactly as it was when the RPMs were installed for those two packages (file sizes, permissions, md5 sums, etc, etc).

[worker201]

SELinux has been uninstalled, and kernel 2.6.9-1.724 has been installed. Thank god all this got taken care of. I would hate to have to look at my watch to know what time it is!!

[worker201]

Apparently, SELinux interferes with ntpd because there is a potential security risk involved. Void, could you maybe discuss what sorts of things a rogue ntp broadcaster could do? I have a hard time believing it could really do any serious damage.

[Void Main]

I believe this is only if you have your server configured as an NTP server. By default on Red Hat and Fedora ntpd does not listen on your external interfaces so I wouldn't worry too much about it. SELinux just implements further security controls in the case someone were to exploit the service. That doesn't mean the service has any current known vulnerabilities. It minimizes the damage if a new exploit is discovered.

[worker201]

I believe this is only if you have your server configured as an NTP server. By default on Red Hat and Fedora ntpd does not listen on your external interfaces so I wouldn't worry too much about it. SELinux just implements further security controls in the case someone were to exploit the service. That doesn't mean the service has any current known vulnerabilities. It minimizes the damage if a new exploit is discovered.

Once again, this is proof that SELinux is not meant for the everyday personal computing user.

[Void Main]

I agree that it's not for the home user, *if* that home user has a real firewall which in my opinion all home users *should* have. I don't think any user level machine should touch the internet directly. That's certainly true for any M$ machine but it's also true for Linux. If all M$ machines were required to be behind firewalls with proper outbound policies SPAM would become nearly extinct.

On the other hand SELinux *is* an extra security measure and for servers it might not be a bad idea, especially since most administrators don't even have a clue about how to properly set file system permissions securely. Look how many web sites out there are defaced on a daily bases because the file system permissions are set in such a way that allows the user that the web server process runs under to modify files (security 101 no no). So when they have a breach in a poorly written script the attacker can change whatever they want (see phpBB vulnerability thread). If people used the existing tools to secure their systems properly and keep their systems updated and have good inbound as well as outbound (just as important as inbound) firewall policies then they really shouldn't have too many problems.

The main thing everyone has to remember is that security is a "process". It's not something you can buy, install, and forget.