Request to re-add option to disable SELinux - compromise
Daniel J Walsh
dwalsh at redhat.com
Mon Jul 14 12:48:01 UTC 2008
Jeremy Katz wrote:
> On Fri, 2008-07-11 at 19:07 -0300, jeff wrote:
>> I don't know what the ramifications are, but it definitely has different
>> behaviour if you disable using selinux=0 than if you don't. I see no reason why
>> it should be loaded, initialized, etc. if it isn't wanted.
>
> Because relying on boot options is a great way to cause problems for
> yourself later on down the line. If you boot with selinux=0, the
> installer disables SELinux for the installed system. The fact that we
> use a better and more persistent means of disabling it and also one that
> can be reversed if you later decide that you want SELinux is a
> *positive* thing.
>
> Jeremy
>
Also there is little difference between "selinux=0" and selinux=disabled
in the /etc/selinux/config file.
The init process checks the config file for this entry and then tells
the kernel to disable all SELinux components. selinux=0 disables all
SELinux components before init runs. At the time init is running there
is no loaded policy, so pretty much SELinux is disabled.
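An added example, not part of the original message: a shell function that reports which of the two mechanisms discussed above applies, given a kernel command line string and a config file path. The function name and the sample inputs are constructed for illustration, and the example uses the config key as it is spelled in the file, `SELINUX=`; on a live system pass `"$(cat /proc/cmdline)"` and `/etc/selinux/config`.

```shell
#!/bin/sh
# Added example (not from the original message).
# Usage: selinux_disable_source "<kernel cmdline>" <config file>
# Prints: boot-param | config-file | not-disabled

selinux_disable_source() (
    set -f                      # no globbing while splitting the cmdline
    cmdline=$1
    config=$2

    # 1. Kernel parameter: selinux=0 acts before init runs.
    #    Assumption: if the parameter is repeated, the last occurrence is used.
    boot=
    for tok in $cmdline; do
        case $tok in
            selinux=*) boot=${tok#selinux=} ;;
        esac
    done

    # 2. Config file: read by init, which then tells the kernel to disable.
    #    Simplification: first uncommented SELINUX= line, value case-folded.
    mode=
    if [ -r "$config" ]; then
        mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
                   "$config" | head -n 1 | tr 'A-Z' 'a-z')
    fi

    if [ "$boot" = 0 ]; then
        echo boot-param
    elif [ "$mode" = disabled ]; then
        echo config-file
    else
        echo not-disabled
    fi
)

# Constructed sample inputs so the example runs offline.
demo_dir=$(mktemp -d)
printf '# constructed sample\nSELINUX=disabled\nSELINUXTYPE=targeted\n' \
    > "$demo_dir/config"
selinux_disable_source 'ro root=/dev/sda1 selinux=0 quiet' "$demo_dir/config"
selinux_disable_source 'ro root=/dev/sda1 quiet' "$demo_dir/config"
rm -rf "$demo_dir"
```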