How best get rid of SELinux?

Stephen Smalley sds at tycho.nsa.gov
Fri Sep 21 15:14:04 UTC 2007 

On Fri, 2007-09-21 at 00:34 -0400, Gene Heskett wrote:
> On Thursday 20 September 2007, David Boles wrote:
> >on 9/20/2007 11:30 PM, Gene Heskett wrote:
> >> On Thursday 20 September 2007, Beartooth wrote:
> >>> 	I keep it set to -- supposedly -- NON-enforcing, because of the
> >>> warning in the installer against eliminating it; but it keeps making all
> >>> kinds of trouble, anyway. Can I just command "yum remove selinux"?
> >>
> >> No, but it can be disabled by only one method I know of, the kernels
> >> command line in grub.conf.
> >>
> >> Append to it: selinux=0
> >> and reboot.
> >
> >This way is, IMO, the crude way to do this. Turn SELinux off, if you chose
> >to do so, in the SELinux configuration file.
> >
> >/etc/selinux/config
> >
> >change SELINUX=enforcing
> >
> >to SELINUX=disabled
> >
> >When you eventually update to a newer version of Fedora there will be
> >better configuration GUIs available for you.
> 
> Rahul, Stephen Smalley and I went round and round over this several months 
> ago, and I frankly don't care what you put in whatever /etc/sysconfig file, 
> and there have been at least 3 named here in the last 72 hours, if you really 
> want to disable it AND use the machine for something other than a training 
> exercise in writing selinux rules from scratch, and figuring out how to 
> protect them from yum/smart update activities, you WILL use the "crude" way 
> because its the only one that actually works.
> 
> With this file in effect:
> [root at coyote ~]# grep SELINUX /etc/sysconfig/*
> /etc/sysconfig/selinux:# SELINUX= can take one of these three values:
> /etc/sysconfig/selinux:SELINUX=disabled
> /etc/sysconfig/selinux:# SELINUXTYPE= type of policy in use. Possible values 
> are:
> /etc/sysconfig/selinux:SELINUXTYPE=targeted
> 
> cups was denied access to my usb printer.
> 
> heyu was denied access to /dev/ttyUSB0 and the cm11a on the other side of a 
> usb-seriel adaptor.  It was also denied access to a regular serial port when 
> the cm11a was hooked up to one of the 2 very precious serial ports on this 
> box.
> 
> bulldog, the monitor for belkin ups's, was denied access to both the serial 
> port and the usb port to talk to the ups.
> 
> There were probably more noshows on this busy machine, but by then I was ready 
> to switch distro's to something that didn't cross-breed with selinux.  Steven 
> suggested I try the grub command I've quoted here, and magically everything 
> started working once I'd undone the configuration messes I'd made trying to 
> make it work when it had been working very well for FC2.
> 
> So don't try and tell _me_ the above settings in /etc/sysconfig/selinux should 
> be all that's required.  That information has already been through the bovine 
> digestive tract once, and should be treated as such, chopped up, and spread 
> on a cornfield and plowed back in cuz that is all its good for.

Just to clarify (trying to avoid the flame fest here):  SELINUX=disabled
in /etc/selinux/config on any modern Fedora system should truly disable
SELinux in the kernel, by having /sbin/init write a "1" to
the /selinux/disable pseudo file provided by the kernel (note that this
is only allowed if policy has not yet been loaded).  That unregisters
the SELinux hooks from the kernel, and it is no longer active on the
kernel code paths.  It was true though that at one time, the kernel
didn't support that and SELINUX=disabled just meant don't load any
policy and stay in permissive mode, which would explain your FC2
experience.  So, selinux=0 was originally the only way to completely
disable SELinux, but with any modern kernel and init, it should be
possible to use SELINUX=disabled to the same effect.  

Permissive mode is different - SELinux stays active on the code paths
and while permission checks are always granted, there are other possible
failure paths.  However, if you (here you == any user) find that
something is broken in permissive mode, please file a bug report so that
it can be examined to see whether it can be resolved.

> Worse yet, its being spewed by people who have a image of being authoritative 
> about it when by my personal testing, its an outright lie.
> 
> What the hell IS the agenda with selinux anyway?  Is it something M$ funded to 
> make linux less appealing to the joe sixpack users?  Is it a backdoor that 
> NSA conned RedHat into adding?  I only know two things about it for sure, and 
> that's that it is a Pain In The Ass, and that the sample grub command option 
> selinux=0 works.

The agenda is the already stated one, to bring flexible mandatory access
control to the mainstream in order to counter the threat posed by
malicious and flawed programs.  Nothing more, nothing less.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-list mailing list