[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: How best get rid of SELinux?



on 9/21/2007 12:34 AM, Gene Heskett wrote:
> On Thursday 20 September 2007, David Boles wrote:
>> on 9/20/2007 11:30 PM, Gene Heskett wrote:
>> This way is, IMO, the crude way to do this. Turn SELinux off, if you chose
>> to do so, in the SELinux configuration file.
>>
>> /etc/selinux/config
>>
>> change SELINUX=enforcing
>>
>> to SELINUX=disabled
>>
>> When you eventually update to a newer version of Fedora there will be
>> better configuration GUIs available for you.
> 
> Rahul, Stephen Smalley and I went round and round over this several months 
> ago, and I frankly don't care what you put in whatever /etc/sysconfig file, 
> and there have been at least 3 named here in the last 72 hours, if you really 
> want to disable it AND use the machine for something other than a training 
> exercise in writing selinux rules from scratch, and figuring out how to 
> protect them from yum/smart update activities, you WILL use the "crude" way 
> because its the only one that actually works.
> 
> With this file in effect:
> [root coyote ~]# grep SELINUX /etc/sysconfig/*
> /etc/sysconfig/selinux:# SELINUX= can take one of these three values:
> /etc/sysconfig/selinux:SELINUX=disabled
> /etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values 
> are:
> /etc/sysconfig/selinux:SELINUXTYPE=targeted
> 
> cups was denied access to my usb printer.
> 
> heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a 
> usb-seriel adaptor.  It was also denied access to a regular serial port when 
> the cm11a was hooked up to one of the 2 very precious serial ports on this 
> box.
> 
> bulldog, the monitor for belkin ups's, was denied access to both the serial 
> port and the usb port to talk to the ups.
> 
> There were probably more noshows on this busy machine, but by then I was ready 
> to switch distro's to something that didn't cross-breed with selinux.  Steven 
> suggested I try the grub command I've quoted here, and magically everything 
> started working once I'd undone the configuration messes I'd made trying to 
> make it work when it had been working very well for FC2.
> 
> So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should 
> be all that's required.  That information has already been through the bovine 
> digestive tract once, and should be treated as such, chopped up, and spread 
> on a cornfield and plowed back in cuz that is all its good for.
> 
> Worse yet, its being spewed by people who have a image of being authoritative 
> about it when by my personal testing, its an outright lie.
> 
> What the hell IS the agenda with selinux anyway?  Is it something M$ funded to 
> make linux less appealing to the joe sixpack users?  Is it a backdoor that 
> NSA conned RedHat into adding?  I only know two things about it for sure, and 
> that's that it is a Pain In The Ass, and that the sample grub command option 
> selinux=0 works.


Wow Gene. I did not mean to set you off. SELinux is designed to help *you*
protect your Linux system from one of the major flaws in Windows. Allowing
unknown, bad, executables from doing strange things on your system without
your permission or, at times, without your knowledge of it happening.

If you chose to turn this protection off that is most certainly your
right. It is your system. If you don't feel that the protection is
valuable then screw it.

But when that smiling hacker from somewhere finally finally decides that
there are enough Linux users that think like Windows users he will write
that program that will wipe out your milling program.

Honest Gene. SELinux has never caused me a problem that a simple 'look 'n
fix it' could not solve. It is work in progress and when you use older
releases it can cause problems.

Have a good day.
-- 

  David

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]