Has the boot param syntax/semantics changed?

Tom London selinux at comcast.net
Mon Jun 28 21:02:03 UTC 2004


> From: Bob Gustafson <bobgus rcn com>
>
> [root hoho2 user1]# cat /etc/selinux/config
>
># This file controls the state of SELinux on the system.
># SELINUX= can take one of these three values:
>#       enforcinfg - SELinux security policy is enforced.
>#       permissive - SELinux prints warnings instead of enforcing.
>#       disabled - No SELinux policy is loaded.
>#SELINUX=disabled
>SELINUX=enforcing
>SELINUXTYPE=strict
>POLICYTYPE=strict
>[root hoho2 user1]#
>
>Then I changed the /etc/selinux/config to the version shown below and rebooted.
>
>I got far fewer messages, and I was even able to go to root when clicking on
>gnome applications that required higher priority (with the above config
>contents, whatever I typed was not enough; gnome kept coming back for more).
>
>[root hoho2 user1]# cat /etc/selinux/config
># This file controls the state of SELinux on the system.
># SELINUX= can take one of these three values:
>#       enforcinfg - SELinux security policy is enforced.
>#       permissive - SELinux prints warnings instead of enforcing.
>#       disabled - No SELinux policy is loaded.
>#SELINUX=disabled
>SELINUX=enforcing
>#SELINUXTYPE=strict
>SELINUXTYPE=permissive
>POLICYTYPE=strict
>[root hoho2 user1]#
>
>My assumption has been that the boot parameters override the contents of
>the /etc/selinux/config file, and that the boot param 'enforcing=0' will
>make the selinux a permissive one.
>
>Have these assumptions changed?
>  
>
Well, the names have changed a bit ;)  POLICYTYPE is no longer operative,
so I think you have booted up in 'targeted' mode, not strict.
'enforcing=0' still works for me.

Here is what you need for strict:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
 
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=strict

tom
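
The mix-up in this thread (a mode name placed in SELINUXTYPE, plus the no-longer-operative POLICYTYPE key) can be caught with a small lint pass over the file. The script below is an added example, not part of either message and not a distribution tool; `check_selinux_config` is a hypothetical helper, and the accepted values are only those listed in the reply above.

```shell
#!/bin/sh
# check_selinux_config FILE (hypothetical helper, not a distribution tool)
# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
check_selinux_config() {
    rc=0 seen_mode=0 seen_type=0
    # Plain `read` trims surrounding whitespace; `|| [ -n ... ]` keeps a
    # final line that lacks a trailing newline.
    while read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # blank or comment
        key=${line%%=*} val=${line#*=}
        case $key in
            SELINUX)
                seen_mode=1
                case $val in
                    enforcing|permissive|disabled) ;;
                    *) echo "SELINUX: invalid mode '$val'"; rc=1 ;;
                esac ;;
            SELINUXTYPE)
                seen_type=1
                case $val in
                    targeted|strict) ;;
                    enforcing|permissive|disabled)
                        echo "SELINUXTYPE: '$val' is a mode, not a policy type"
                        rc=1 ;;
                    *) echo "SELINUXTYPE: unknown policy type '$val'"; rc=1 ;;
                esac ;;
            POLICYTYPE)
                echo "POLICYTYPE: no longer operative, use SELINUXTYPE"; rc=1 ;;
            *) echo "unrecognized line: $line"; rc=1 ;;
        esac
    done < "$1"
    [ "$seen_mode" -eq 1 ] || { echo "SELINUX: not set"; rc=1; }
    [ "$seen_type" -eq 1 ] || { echo "SELINUXTYPE: not set"; rc=1; }
    return "$rc"
}

# Constructed sample: the active lines of the second config quoted above.
sample=$(mktemp)
printf '%s\n' '#SELINUXTYPE=strict' 'SELINUX=enforcing' \
    'SELINUXTYPE=permissive' 'POLICYTYPE=strict' > "$sample"
check_selinux_config "$sample" || echo "=> config needs fixing"
rm -f "$sample"
```

Run against the real file with `check_selinux_config /etc/selinux/config`; the exit status makes it usable as a pre-reboot check.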



More information about the fedora-selinux-list mailing list