How best get rid of SELinux?
Gene Heskett
gene.heskett at verizon.net
Fri Sep 21 04:34:25 UTC 2007
On Thursday 20 September 2007, David Boles wrote:
>on 9/20/2007 11:30 PM, Gene Heskett wrote:
>> On Thursday 20 September 2007, Beartooth wrote:
>>> I keep it set to -- supposedly -- NON-enforcing, because of the
>>> warning in the installer against eliminating it; but it keeps making all
>>> kinds of trouble, anyway. Can I just command "yum remove selinux"?
>>
>> No, but it can be disabled by only one method I know of, the kernels
>> command line in grub.conf.
>>
>> Append to it: selinux=0
>> and reboot.
>
>This way is, IMO, the crude way to do this. Turn SELinux off, if you chose
>to do so, in the SELinux configuration file.
>
>/etc/selinux/config
>
>change SELINUX=enforcing
>
>to SELINUX=disabled
>
>When you eventually update to a newer version of Fedora there will be
>better configuration GUIs available for you.
Rahul, Stephen Smalley and I went round and round over this several months
ago, and I frankly don't care what you put in whatever /etc/sysconfig file,
and there have been at least 3 named here in the last 72 hours, if you really
want to disable it AND use the machine for something other than a training
exercise in writing selinux rules from scratch, and figuring out how to
protect them from yum/smart update activities, you WILL use the "crude" way
because its the only one that actually works.
With this file in effect:
[root at coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values
are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted
cups was denied access to my usb printer.
heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a
usb-seriel adaptor. It was also denied access to a regular serial port when
the cm11a was hooked up to one of the 2 very precious serial ports on this
box.
bulldog, the monitor for belkin ups's, was denied access to both the serial
port and the usb port to talk to the ups.
There were probably more noshows on this busy machine, but by then I was ready
to switch distro's to something that didn't cross-breed with selinux. Steven
suggested I try the grub command I've quoted here, and magically everything
started working once I'd undone the configuration messes I'd made trying to
make it work when it had been working very well for FC2.
So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should
be all that's required. That information has already been through the bovine
digestive tract once, and should be treated as such, chopped up, and spread
on a cornfield and plowed back in cuz that is all its good for.
Worse yet, its being spewed by people who have a image of being authoritative
about it when by my personal testing, its an outright lie.
What the hell IS the agenda with selinux anyway? Is it something M$ funded to
make linux less appealing to the joe sixpack users? Is it a backdoor that
NSA conned RedHat into adding? I only know two things about it for sure, and
that's that it is a Pain In The Ass, and that the sample grub command option
selinux=0 works.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
parallel processors running perpendicular today
More information about the fedora-list
mailing list