Request to re-add option to disable SELinux - compromise
Stephen Smalley
sds at tycho.nsa.gov
Wed Jul 9 15:43:05 UTC 2008
On Wed, 2008-07-09 at 10:58 -0400, Chuck Anderson wrote:
> On Wed, Jul 09, 2008 at 09:52:49AM -0500, Callum Lerwick wrote:
> > Because booting with selinux enabled after installing onto a
> > filesystem such as reiserfs that doesn't work with selinux results in
> > epic fail. As in, you can not log in. Though you can get around this
> > by booting with selinux=0 on the kernel command line...
>
> I think reiserfs supports selinux now.
Unfortunately not.
It did briefly, but then things broke again.
reiserfs support has never been a priority for the selinux maintainers,
and selinux support was never a priority for the reiserfs maintainers.
I believe though that all of the other major filesystems should work
with selinux these days (ext[2-4], jfs, xfs, jffs2, gfs2); if not,
that's a bug that should be reported.
> > Though I haven't done this since something like FC6. I migrated to
> > ext3 so I could use selinux.
> >
> > And while I'm at it, I'll provide a counterpoint and point out that
> > I've run all my machines, including my wife's laptop, with selinux
> > enabled since FC6. I've never, ever run into any problem. Ever. I
> > don't know what you people are doing, but you must be doing it wrong.
>
> Not wrong, just out of the norm. If you keep things in the standard
> directories and use mostly default configs, you generally don't have
> problems.
But these days users should be able to address such deviations from the
norm by running a couple of semanage commands (or system-config-selinux
if they prefer GUIs) and/or creating a local loadable policy module
using audit2allow.
--
Stephen Smalley
National Security Agency
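
Added example, not part of the original message and not audit2allow's own code: a simplified Python sketch of the triage behind the two remedies named above. It groups AVC denials from audit log text and marks each as a labeling problem (fix with semanage fcontext and restorecon) or a candidate for a local policy module after review. The log lines are constructed, and `MISLABEL_TYPES`, `collect_denials` and `suggest` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1215618185.101:41): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=sda2 ino=8801 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1215618185.102:42): avc:  denied  { getattr } for  pid=2301 comm="httpd" path="/data/www/index.html" dev=sda2 ino=8801 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1215618190.000:43): avc:  denied  { search } for  pid=2301 comm="httpd" name="www" dev=sda2 ino=8800 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1215618190.000:43): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1215618195.000:44): avc:  denied  { append } for  pid=2301 comm="httpd" name="site.log" dev=sda2 ino=9100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1215618201.000:45): avc:  granted  { read } for  pid=2400 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

# Assumption: these target types usually mean the file never got a label for
# its role, so fixing the label is preferable to adding an allow rule.
MISLABEL_TYPES = {"default_t", "file_t", "unlabeled_t"}

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m:  # non-AVC records and "granted" AVCs are skipped
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def suggest(denials):
    """Return (remedy, rule) pairs; remedy is 'relabel' or 'review'."""
    out = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        remedy = "relabel" if tgt in MISLABEL_TYPES else "review"
        out.append((remedy, f"allow {src} {tgt}:{tclass} {plist};"))
    return out

if __name__ == "__main__":
    for remedy, rule in suggest(collect_denials(SAMPLE_LOG)):
        print(f"{remedy:8} {rule}")
```

Rules marked `relabel` are shown only to identify the denial; for those the fix is a file-context entry rather than a module containing the rule.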
More information about the fedora-devel-list
mailing list