
Re: How best get rid of SELinux?

On Fri, 21 Sep 2007 11:14:04 -0400, Stephen Smalley wrote:
> Just to clarify (trying to avoid the flame fest here):  SELINUX=disabled
> in /etc/selinux/config on any modern Fedora system should truly disable
> SELinux in the kernel, by having /sbin/init write a "1" to the
> /selinux/disable pseudo file provided by the kernel (note that this is
> only allowed if policy has not yet been loaded).  That unregisters the
> SELinux hooks from the kernel, and it is no longer active on the kernel
> code paths.  

	I recall a time (but not which FC) when, watching the boot 
messages, I always saw something about hooks -- and wondered what they 
were ... I haven't been seeing that lately. 

	I *think* therefore that the options available have changed. Is 
that right?

> It was true though that at one time, the kernel didn't
> support that and SELINUX=disabled just meant don't load any policy and
> stay in permissive mode, which would explain your FC2 experience.  So,
> selinux=0 was originally the only way to completely disable SELinux, but
> with any modern kernel and init, it should be possible to use
> SELINUX=disabled to the same effect.

	So it's no wonder that all these incomprehensible messages are so 
new to me. Right? The software (or whatever it takes) to run SELinux was 
on the machine, where it could be enabled; but in fact, on my machines, 
it did nothing. Right again? And that changed? Probably with F7?

> Permissive mode is different - SELinux stays active on the code paths
> and while permission checks are always granted, there are other possible
> failure paths.  However, if you (here you == any user) find that
> something is broken in permissive mode, please file a bug report so that
> it can be examined to see whether it can be resolved.

	I quit installing bug buddy because I had the distinct impression 
I was way short of being able to say anything worth an Alpha Plus 
Technoid's time to read. In fact, most of its draft bug reports came as 
surprises to me -- telling me about epiphany crashes I had no idea had 
happened, etc.

	If that's wrong, and the stuff bug buddy puts together is of 
value even with completely clueless comments (such as "Huh? I dunno what 
was happening just before <whatever> crashed; news to me that it did."), 
then I can certainly tell pirut to put bug buddy back.

> The agenda is the already stated one, to bring flexible mandatory access
> control to the mainstream in order to counter the threat posed by
> malicious and flawed programs.  Nothing more, nothing less.

Beartooth Staffwright, PhD, Neo-Redneck Linux Convert
Remember I know precious little of what I am talking about.
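
The distinction drawn in the quoted text (selinux=0 on the kernel command line, SELINUX=disabled in /etc/selinux/config, and permissive mode) can be checked from a shell. The function below is an added example, not part of the original message or of any Fedora tool; the name `selinux_boot_mode`, its output format, and the precedence it applies (selinux=0 first, then SELINUX=disabled, then enforcing= on the command line over the config file) are assumptions of this example.

```shell
# Added example (not from the thread): predict the SELinux mode a boot ends in.
# Usage: selinux_boot_mode CONFIG_FILE "KERNEL_CMDLINE"
# Prints MODE:SOURCE, e.g. "disabled:config", or "unknown".
selinux_boot_mode() (
    set -f                      # no globbing while splitting the command line
    cfg_file=$1; cmdline=$2
    cfg_mode=""; cmd_selinux=""; cmd_enforcing=""

    # Last uncommented SELINUX= line wins; SELINUXTYPE= does not match.
    if [ -r "$cfg_file" ]; then
        cfg_mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
                   "$cfg_file" | tail -n 1 | tr 'A-Z' 'a-z')
    fi

    for word in $cmdline; do
        case $word in
            selinux=*)   cmd_selinux=${word#selinux=} ;;
            enforcing=*) cmd_enforcing=${word#enforcing=} ;;
        esac
    done

    # Assumed precedence (see the lead-in).
    if [ "$cmd_selinux" = 0 ]; then
        echo "disabled:cmdline"       # selinux=0: SELinux never initialised
    elif [ "$cfg_mode" = disabled ]; then
        echo "disabled:config"        # init writes 1 to /selinux/disable
    elif [ "$cmd_enforcing" = 0 ]; then
        echo "permissive:cmdline"     # hooks stay active, denials not enforced
    elif [ "$cmd_enforcing" = 1 ]; then
        echo "enforcing:cmdline"
    elif [ "$cfg_mode" = permissive ] || [ "$cfg_mode" = enforcing ]; then
        echo "$cfg_mode:config"
    else
        echo "unknown"
    fi
)

# Check this machine's own settings.
selinux_boot_mode /etc/selinux/config "$(cat /proc/cmdline 2>/dev/null)"
```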
