Disabling selinux question

John Dennis jdennis at redhat.com
Thu Jan 3 22:43:41 UTC 2008


Linus Walleij wrote:
> Here's a spinoff relating to selinux from discussions around 
> system-config-services and its UI. selinux seems to involve the following 
> services/daemons:
> 
> auditd
> mcstrans
> restorecond
> setroubleshoot
> 
> If I use system-config-selinux or anaconda to disable SELinux 
> altogether, then none of these are disabled accordingly. The only case 
> seems to be that auditd is turned on if I disable them all manually and 
> then enable SELinux.
> 
> Is this a bug or is there something I don't get here?


auditd is the general auditing facility; SELinux messages are just one 
of the possible auditing messages. You wouldn't want to disable auditing 
just because SELinux was disabled; that would disable all auditing.

setroubleshootd is a diagnostic tool. If SELinux is completely disabled, 
the daemon exits if started.

Your expectation seems to be that if you disable SELinux it will 
chkconfig off certain daemons. There is a distinction between having a 
daemon started (e.g. chkconfig on) and whether it continues to run once 
started. Allowing the daemon to decide if it should run or exit is more 
robust than some utility which thinks it knows if something should be 
chkconfig'ed on or not because it will almost certainly get that answer 
wrong.


-- 
John Dennis <jdennis at redhat.com>
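
The start-time decision described in the reply above, sketched as an added example that is not part of the original message and is not setroubleshootd's or auditd's own code. The function names, the hypothetical diagnostic daemon and the temporary directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: services stay enabled at boot; each start hook
# decides for itself whether there is any work to do.

# Report SELinux state from a selinuxfs mount point. The "enforce" file
# is present only when SELinux is enabled in the running kernel.
# Default path is the modern mount; older systems used /selinux.
selinux_state() {
    mnt=${1:-/sys/fs/selinux}
    if [ ! -r "$mnt/enforce" ]; then
        echo disabled
        return 0
    fi
    case "$(cat "$mnt/enforce")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Start hook for a hypothetical SELinux-only diagnostic daemon.
# Returns 0 either way so init does not record "nothing to do" as a failure.
start_selinux_diag() {
    state=$(selinux_state "$1")
    if [ "$state" = disabled ]; then
        echo "exit: SELinux disabled"
        return 0
    fi
    echo "run: SELinux $state"
    # A real hook would exec the daemon binary here (omitted placeholder).
}

# Start hook for a general audit daemon: SELinux state is never consulted.
start_audit() {
    echo "run: auditing independent of SELinux"
}

# Constructed demo input: fake selinuxfs trees in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/on" "$tmp/off"
    echo 1 > "$tmp/on/enforce"
    start_selinux_diag "$tmp/on"
    start_selinux_diag "$tmp/off"
    start_audit
    rm -rf "$tmp"
}
demo
```

Because the check reads the running kernel's state rather than a service-enablement flag, audit logging stays on when SELinux is turned off, and the diagnostic hook resumes work on the next start after SELinux is re-enabled without anyone touching the service configuration.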



