Has the boot param syntax/semantics changed?

Bob Gustafson bobgus at rcn.com
Tue Jun 29 02:10:19 UTC 2004


On Mon, 28 Jun 2004 14:02:03 -0700, Tom London wrote:
>> From: Bob Gustafson <bobgus rcn com>
>>
>> [root hoho2 user1]# cat /etc/selinux/config
>>
>># This file controls the state of SELinux on the system.
>># SELINUX= can take one of these three values:
>>#       enforcinfg - SELinux security policy is enforced.
>>#       permissive - SELinux prints warnings instead of enforcing.
>>#       disabled - No SELinux policy is loaded.
>>#SELINUX=disabled
>>SELINUX=enforcing
>>SELINUXTYPE=strict
>>POLICYTYPE=strict
>>[root hoho2 user1]#
>>
>>Then I changed the /etc/selinux/config to the version shown below and
>>rebooted.
>>
>>I got far fewer messages, and I was even able to go to root when clicking on
>>gnome applications that required higher priority (with above config
>>contents, whatever I typed was not enough, gnome kept coming back for more).
>>
>>[root hoho2 user1]# cat /etc/selinux/config
>># This file controls the state of SELinux on the system.
>># SELINUX= can take one of these three values:
>>#       enforcinfg - SELinux security policy is enforced.
>>#       permissive - SELinux prints warnings instead of enforcing.
>>#       disabled - No SELinux policy is loaded.
>>#SELINUX=disabled
>>SELINUX=enforcing
>>#SELINUXTYPE=strict
>>SELINUXTYPE=permissive
>>POLICYTYPE=strict
>>[root hoho2 user1]#
>>
>>My assumption has been that the boot parameters override the contents of
>>the /etc/selinux/config file, and that the boot param 'enforcing=0' will
>>make the selinux a permissive one.
>>
>>Have these assumptions changed?
>>
>>

>Well, the names have changed a bit ;)  POLICYTYPE is no longer operative,
>so I think you have booted up in 'targeted' mode, not strict. 'enforcing=0'
>still works for me.
>
>Here is what you need for strict:
>
># This file controls the state of SELinux on the system.
># SELINUX= can take one of these three values:
>#       enforcinfg - SELinux security policy is enforced.
>#       permissive - SELinux prints warnings instead of enforcing.
>#       disabled - No SELinux policy is loaded.
>SELINUX=enforcing
>
># SELINUXTYPE= can take one of these two values:
>#       targeted - Only targeted network daemons are protected.
>#       strict - Full SELinux protection.
>SELINUXTYPE=strict
>
>tom


If POLICYTYPE is no longer used, then the file that contains that
deprecated param should be either overwritten during the 'yum update'
process, or a note or message should show up somewhere (visibly) during the
'yum update' process.

If the user's config file is not changed, but the program changes in the
'yum update', then there is a problem (perhaps even a 'process bug').

Is there a 'permissive' value for SELINUXTYPE?

Using the boot param 'enforcing=0' seems to be different than setting the
SELINUXTYPE=permissive for me.

enforcing=0 was less permissive...

BobG
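
Added example, not part of the original messages or of any Fedora tooling: a shell check for /etc/selinux/config that applies the value lists from the config comments quoted in the reply above (mode in SELINUX=, policy type in SELINUXTYPE=) and flags POLICYTYPE, which the reply says is no longer operative. The function names are hypothetical and the sample input is constructed from the second config shown in the thread.

```shell
# lint_selinux_config: read an SELinux config on stdin, print one finding per line.
# Accepted values are the ones listed in the config comments quoted in the thread.
lint_selinux_config() {
    awk '
    /^[ \t]*#/ { next }                      # comment
    /^[ \t]*$/ { next }                      # blank line
    {
        line = $0
        gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim surrounding whitespace
        eq = index(line, "=")
        if (eq == 0) { printf "line %d: not KEY=VALUE\n", NR; next }
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        if (key in seen) printf "line %d: %s is set more than once\n", NR, key
        seen[key] = val
        if (key == "SELINUX") {
            if (val !~ /^(enforcing|permissive|disabled)$/)
                printf "line %d: SELINUX=%s is not enforcing, permissive or disabled\n", NR, val
        } else if (key == "SELINUXTYPE") {
            if (val ~ /^(enforcing|permissive|disabled)$/)
                printf "line %d: SELINUXTYPE=%s is a SELINUX= value, not targeted or strict\n", NR, val
            else if (val !~ /^(targeted|strict)$/)
                printf "line %d: SELINUXTYPE=%s is not targeted or strict\n", NR, val
        } else if (key == "POLICYTYPE") {
            printf "line %d: POLICYTYPE is no longer operative, use SELINUXTYPE=\n", NR
        } else {
            printf "line %d: unknown key %s\n", NR, key
        }
    }
    END {
        if (!("SELINUX" in seen)) print "SELINUX is not set"
        if (!("SELINUXTYPE" in seen)) print "SELINUXTYPE is not set"
    }'
}

# Constructed sample: the second config from the thread, comment header shortened.
sample_config() {
    cat <<'EOF'
# This file controls the state of SELinux on the system.
#SELINUX=disabled
SELINUX=enforcing
#SELINUXTYPE=strict
SELINUXTYPE=permissive
POLICYTYPE=strict
EOF
}

sample_config | lint_selinux_config
```

To check a live system, run `lint_selinux_config < /etc/selinux/config`; no output means every key and value matched the lists above.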



More information about the fedora-selinux-list mailing list