Request to re-add option to disable SELinux - compromise
jeff
moe at blagblagblag.org
Fri Jul 11 22:07:08 UTC 2008
Peter Jones wrote:
> jeff wrote:
>
>> Mr. Cox, do you see any *technical* problems with the selinux=0 passed
>> to anaconda passed to grub.conf proposal?
>
> If you pass selinux=0 to anaconda, you don't get selinux. It's been
> that way since 13-Apr-2004. Did we break it? It doesn't appear to have
> been broken intentionally, but I don't try it regularly either, since

With selinux=0 in grub, in dmesg you get:

Security Framework initialized
SELinux: Disabled at boot.
Capability LSM initialized

Without selinux=0 in grub:

Security Framework initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
Capability LSM initialized as secondary
...
SELinux: Registering netfilter hooks
...
SELinux: Disabled at runtime.
SELinux: Unregistering netfilter hooks

> Does the system boot up correctly afterwards?

Yes, assuming the "Starting in permissive mode" is correct.

> What does "getenforce" say when you run it?

"Disabled"

I don't know what the ramifications are, but it definitely has different
behaviour if you disable using selinux=0 than if you don't. I see no reason why
it should be loaded, initialized, etc. if it isn't wanted.

Thanks,
-Jeff
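
Added example, not part of the original message: a shell function that tells apart the two dmesg patterns quoted above, SELinux disabled at boot by selinux=0 versus SELinux initialized and then disabled at runtime. The function and sample names are hypothetical; the sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# classify_selinux_boot: read kernel log text on stdin and print one of
#   disabled-at-boot     selinux=0 was honoured, SELinux never initialized
#   disabled-at-runtime  SELinux initialized, then was switched off later
#   initialized          SELinux initialized and no disable message seen
#   unknown              no SELinux boot messages found
classify_selinux_boot() {
    awk '
        # Patterns are unanchored so "[   0.123456] " timestamps are tolerated.
        /SELinux: *Disabled at boot/    { boot = 1 }
        /SELinux: *Initializing/        { init = 1 }
        /SELinux: *Disabled at runtime/ { runtime = 1 }
        END {
            if (boot)                 print "disabled-at-boot"
            else if (init && runtime) print "disabled-at-runtime"
            else if (init)            print "initialized"
            else                      print "unknown"
        }'
}

# Sample input: dmesg lines quoted in the post, booted with selinux=0.
sample_with_param() {
    cat <<'EOF'
Security Framework initialized
SELinux: Disabled at boot.
Capability LSM initialized
EOF
}

# Sample input: dmesg lines quoted in the post, booted without selinux=0.
sample_without_param() {
    cat <<'EOF'
Security Framework initialized
SELinux: Initializing.
SELinux: Starting in permissive mode
selinux_register_security: Registering secondary module capability
Capability LSM initialized as secondary
SELinux: Registering netfilter hooks
SELinux: Disabled at runtime.
SELinux: Unregistering netfilter hooks
EOF
}

printf 'with selinux=0:    %s\n' "$(sample_with_param | classify_selinux_boot)"
printf 'without selinux=0: %s\n' "$(sample_without_param | classify_selinux_boot)"
```

On a live system the same function can be fed with `dmesg | classify_selinux_boot`.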