[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How best get rid of SELinux?



On Thursday 20 September 2007, David Boles wrote:
>on 9/20/2007 11:30 PM, Gene Heskett wrote:
>> On Thursday 20 September 2007, Beartooth wrote:
>>> 	I keep it set to -- supposedly -- NON-enforcing, because of the
>>> warning in the installer against eliminating it; but it keeps making all
>>> kinds of trouble, anyway. Can I just command "yum remove selinux"?
>>
>> No, but it can be disabled by only one method I know of, the kernels
>> command line in grub.conf.
>>
>> Append to it: selinux=0
>> and reboot.
>
>This way is, IMO, the crude way to do this. Turn SELinux off, if you chose
>to do so, in the SELinux configuration file.
>
>/etc/selinux/config
>
>change SELINUX=enforcing
>
>to SELINUX=disabled
>
>When you eventually update to a newer version of Fedora there will be
>better configuration GUIs available for you.

Rahul, Stephen Smalley and I went round and round over this several months 
ago, and I frankly don't care what you put in whatever /etc/sysconfig file, 
and there have been at least 3 named here in the last 72 hours, if you really 
want to disable it AND use the machine for something other than a training 
exercise in writing selinux rules from scratch, and figuring out how to 
protect them from yum/smart update activities, you WILL use the "crude" way 
because its the only one that actually works.

With this file in effect:
[root coyote ~]# grep SELINUX /etc/sysconfig/*
/etc/sysconfig/selinux:# SELINUX= can take one of these three values:
/etc/sysconfig/selinux:SELINUX=disabled
/etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values 
are:
/etc/sysconfig/selinux:SELINUXTYPE=targeted

cups was denied access to my usb printer.

heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a 
usb-seriel adaptor.  It was also denied access to a regular serial port when 
the cm11a was hooked up to one of the 2 very precious serial ports on this 
box.

bulldog, the monitor for belkin ups's, was denied access to both the serial 
port and the usb port to talk to the ups.

There were probably more noshows on this busy machine, but by then I was ready 
to switch distro's to something that didn't cross-breed with selinux.  Steven 
suggested I try the grub command I've quoted here, and magically everything 
started working once I'd undone the configuration messes I'd made trying to 
make it work when it had been working very well for FC2.

So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should 
be all that's required.  That information has already been through the bovine 
digestive tract once, and should be treated as such, chopped up, and spread 
on a cornfield and plowed back in cuz that is all its good for.

Worse yet, its being spewed by people who have a image of being authoritative 
about it when by my personal testing, its an outright lie.

What the hell IS the agenda with selinux anyway?  Is it something M$ funded to 
make linux less appealing to the joe sixpack users?  Is it a backdoor that 
NSA conned RedHat into adding?  I only know two things about it for sure, and 
that's that it is a Pain In The Ass, and that the sample grub command option 
selinux=0 works.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
parallel processors running perpendicular today


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]