How best get rid of SELinux?

Ralf Corsepius rc040203 at freenet.de
Fri Sep 21 05:24:28 UTC 2007


On Fri, 2007-09-21 at 00:57 -0400, David Boles wrote:
> on 9/21/2007 12:34 AM, Gene Heskett wrote:
> > On Thursday 20 September 2007, David Boles wrote:
> >> on 9/20/2007 11:30 PM, Gene Heskett wrote:
> >> This way is, IMO, the crude way to do this. Turn SELinux off, if you choose
> >> to do so, in the SELinux configuration file.
> >>
> >> /etc/selinux/config
> >>
> >> change SELINUX=enforcing
> >>
> >> to SELINUX=disabled
> >>
> >> When you eventually update to a newer version of Fedora there will be
> >> better configuration GUIs available for you.
> > 
> > Rahul, Stephen Smalley and I went round and round over this several months 
> > ago, and I frankly don't care what you put in whatever /etc/sysconfig file, 
> > and there have been at least 3 named here in the last 72 hours, if you really 
> > want to disable it AND use the machine for something other than a training 
> > exercise in writing selinux rules from scratch, and figuring out how to 
> > protect them from yum/smart update activities, you WILL use the "crude" way 
> > because its the only one that actually works.
> > 
> > With this file in effect:
> > [root@coyote ~]# grep SELINUX /etc/sysconfig/*
> > /etc/sysconfig/selinux:# SELINUX= can take one of these three values:
> > /etc/sysconfig/selinux:SELINUX=disabled
> > /etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values are:
> > /etc/sysconfig/selinux:SELINUXTYPE=targeted
> > 
> > cups was denied access to my usb printer.
> > 
> > heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a 
> > usb-serial adaptor.  It was also denied access to a regular serial port when 
> > the cm11a was hooked up to one of the 2 very precious serial ports on this 
> > box.
> > 
> > bulldog, the monitor for belkin ups's, was denied access to both the serial 
> > port and the usb port to talk to the ups.
> > 
> > There were probably more no-shows on this busy machine, but by then I was ready 
> > to switch distros to something that didn't cross-breed with selinux.  Stephen 
> > suggested I try the grub command I've quoted here, and magically everything 
> > started working once I'd undone the configuration messes I'd made trying to 
> > make it work when it had been working very well for FC2.
> > 
> > So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should 
> > be all that's required.  That information has already been through the bovine 
> > digestive tract once, and should be treated as such, chopped up, and spread 
> > on a cornfield and plowed back in cuz that is all it's good for.
> > 
> > Worse yet, it's being spewed by people who have an image of being authoritative 
> > about it when by my personal testing, it's an outright lie.
> > 
> > What the hell IS the agenda with selinux anyway?  Is it something M$ funded to 
> > make linux less appealing to the joe sixpack users?  Is it a backdoor that 
> > NSA conned RedHat into adding?  I only know two things about it for sure, and 
> > that's that it is a Pain In The Ass, and that the sample grub command option 
> > selinux=0 works.
> 
> 
> Wow Gene. I did not mean to set you off.
Well, Gene is not alone with his opinion. Though I do not agree with
each and every detail he says, I have to concur with him to a large
extent.

>  SELinux is designed to help *you*
Here you say it: SELinux is a promise. This does not mean that it
actually does what it promises, nor that it actually is a "good (tm)"
approach, nor that the problem it tries to solve actually is a problem
for the user.

RedHat and their employees say it is a terrific approach, they say it
solves a very critical problem affecting everybody.

Well, it is an approach all other Linux vendors but RH have not adopted,
despite the fact SELinux has been around for several years, and despite
the fact RH has been aggressively promoting it.

And yes, it tries to solve a problem which could hit any user at
any time, but ... fact also is that nobody but RH has SELinux, so nobody
but those who have tried to use SELinux will miss it.

> Honest Gene. SELinux has never caused me a problem that a simple 'look 'n
> fix it' could not solve.
Hmm, ... I have been in such situations pretty often :/ [1]

> It is work in progress and when you use older
> releases it can cause problems.
Right, SELinux seems to be gradually maturing and becoming more
usable, but ... doesn't such a long time of "WIP" trigger some alarm
bells for you? 

To me it does. It justifies doubts on an approach's foundations and an
approach's usability. Whether these doubts are justified is a different
question. 

Ralf

[1] E.g. SELinux updates killing nfs or named. Not really nice when
updating a machine remotely without physical access to it.
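Added example, not code from anyone in this thread: much of the "I set SELINUX=disabled and cups is still denied" confusion comes from mixing up three separate things, the kernel command line (selinux=0 switches SELinux off before any policy is loaded and wins over the config file), the SELINUX= line in /etc/selinux/config (read by init at boot only; /etc/sysconfig/selinux is normally a symlink to that file, so the two names in the thread refer to one file), and the live enforce toggle in selinuxfs (what setenforce 0/1 flips, runtime only, lost at reboot). The script below separates the three and reports whether the running state already matches the files. The function names, the sample config text and the use of file paths as parameters are my own construction so it runs on constructed files; on a real host you would pass /etc/selinux/config, /proc/cmdline and /sys/fs/selinux/enforce (older releases mounted selinuxfs at /selinux instead of /sys/fs/selinux).

```sh
#!/bin/sh
# Added example (not from the thread): tell the SELinux mode configured for
# the next boot apart from the mode the running kernel is actually in.
# Precedence: kernel cmdline selinux=0  >  SELINUX= in the config file;
# the selinuxfs enforce file is the live state and changes only via
# setenforce or a reboot.  All paths are parameters (assumption: you pass
# /etc/selinux/config, /proc/cmdline, /sys/fs/selinux/enforce on a real box).

# Configured mode: the uncommented SELINUX= line.  A plain `grep SELINUX`
# (as in the output quoted in the thread) also matches the comment
# "# SELINUX= can take one of these three values:", so anchor on ^SELINUX=.
selinux_configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Kernel command line: selinux=0 overrides whatever the config file says.
# $1: a file holding the command line (normally /proc/cmdline)
selinux_cmdline_disabled() {
    grep -qE '(^|[[:space:]])selinux=0([[:space:]]|$)' "$1"
}

# Runtime mode from the selinuxfs enforce file: 1 = enforcing, 0 = permissive.
# If the file is missing, the kernel came up without SELinux at all.
selinux_runtime_mode() {
    if [ ! -r "$1" ]; then
        echo disabled
        return
    fi
    case "$(tr -d '[:space:]' < "$1")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Mode the machine will be in after the next reboot, given config + cmdline.
# $1: config file, $2: cmdline file
selinux_next_boot_mode() {
    if selinux_cmdline_disabled "$2"; then
        echo disabled
    else
        selinux_configured_mode "$1"
    fi
}

# Exit 0 when the running mode already matches what the files say; exit 1
# when a reboot (or setenforce, for enforcing<->permissive) is still pending.
# $1: config file, $2: cmdline file, $3: enforce file
selinux_state_consistent() {
    [ "$(selinux_next_boot_mode "$1" "$2")" = "$(selinux_runtime_mode "$3")" ]
}

# Constructed sample config, shaped like the file quoted in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF
}

# Demo on constructed files: the config was edited to "disabled", but the
# kernel that is still running has policy loaded and enforcing, so the edit
# has not taken effect and daemons keep getting denied until a reboot.
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir/config"
printf 'ro root=/dev/sda1 rhgb quiet\n' > "$demo_dir/cmdline"
printf '1\n' > "$demo_dir/enforce"
echo "configured for next boot: $(selinux_next_boot_mode "$demo_dir/config" "$demo_dir/cmdline")"
echo "running now:              $(selinux_runtime_mode "$demo_dir/enforce")"
if selinux_state_consistent "$demo_dir/config" "$demo_dir/cmdline" "$demo_dir/enforce"; then
    echo "consistent"
else
    echo "mismatch: the SELINUX= change only applies at the next boot"
fi
rm -rf "$demo_dir"
```

On a box you only reach over the network, the reversible step is `setenforce 0` (permissive: denials are logged, not enforced), which needs no reboot and survives nothing; editing the config file or adding selinux=0 to the kernel line changes what the next boot does, and the two can silently disagree until then, which is what the consistency check above makes visible.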