sds at tycho.nsa.gov
Thu Apr 13 17:08:38 UTC 2006
On Thu, 2006-04-13 at 17:52 +0100, idonttrustmspassport at ktcasey.plus.com
> Is it possible to remove SELinux completely during FC5 installation, or
> even when installed?
Disable, yes. Remove, no.
> So far problems during YUM updates (It gives errors while installing
> policies then freezes Yum) have destroyed my system twice.
> (In both cases the system refuses to boot with an error "not syncing:
> Attempting to kill init!".
Hmm..well, more details would be interesting as that should obviously not
be happening and hasn't been reported elsewhere AFAIK. bugzilla even.
> Passing a parm of selinux=disabled to the kernel allowed a boot, but all my
> attempts to make this permanent then fail and I end up reinstalling and
selinux=0 on the kernel line in grub.conf or SELINUX=disabled
in /etc/selinux/config should do the trick.
> I admit to being a newbie, I only started 10 years ago, *never* had
> anything so good at locking down my PC, it seems to be a first class option
> for DRM..
Um, no. MAC != DRM.
> So, can I get rid of it completely,
> 1) I tried uninstalling everything with SELinux in the name, interesting
> effect try it one day when you have some time...
Not feasible, as the SELinux kernel "module" is built into the kernel,
and libselinux is a dependency for /sbin/init, coreutils, and other
critical components. You can't remove the code without rebuilding
everything, but you can disable its execution.
> 2) Tried the gui tool, (as a minimum I thought I'd turn it to the lowest
> level) it brings up a command prompt which freezes...
> 3) Tried editing the files to disable it at reboot, fails with "file is
> read only", chmod failed with "file is read only", chmod of the directory
> failed with "read only"..
Sounds like the filesystem is mounted read-only, not SELinux-related at
all. mount -o rw,remount /? If you booted with selinux=0, then SELinux
> Is there any chance that, as a minimum it could give an error message like
> "SELinux configuration is corrupt, boot halted" as it took me a loooooong
> time to figure out what was wrong...
Hmmm.../sbin/init does contain a log call to output 'Unable to load
SELinux Policy. Machine is in enforcing mode. Halting now.' Don't know
if there is a problem that is preventing that from being displayed
> And is there a documented process to
> handle a situation where the configuration is corrupted (accidentally or
> during an update) and the whole system is locked?
Boot with enforcing=0 is usually sufficient, or selinux=0 if that
National Security Agency
More information about the fedora-selinux-list
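
The reply above names three switches: selinux=0 and enforcing=0 on the kernel line, and SELINUX=disabled in /etc/selinux/config. The following is an added example, not part of the original message or of any Fedora tool: a small resolver for the mode a boot would end up in, given a kernel command line and the text of the config file. The function names are this example's own, and the precedence (selinux=0 first, then SELINUX=disabled, then enforcing= overriding the configured mode) is an assumption based on how the kernel and libselinux policy loading are understood to behave.

```shell
#!/bin/sh
# Added example: resolve the SELinux mode from a kernel command line and the
# contents of /etc/selinux/config. All names here are hypothetical helpers.

# config_mode TEXT -> value of the last uncommented SELINUX= line, lowercased
config_mode() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# cmdline_value CMDLINE KEY -> value of the last KEY=... word, empty if absent
cmdline_value() {
    printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n "s/^$2=//p" | tail -n 1
}

# effective_mode CMDLINE CONFIG_TEXT -> disabled|permissive|enforcing|unknown
effective_mode() {
    # selinux=0 stops the kernel from initialising SELinux at all.
    if [ "$(cmdline_value "$1" selinux)" = 0 ]; then
        echo disabled; return 0
    fi
    mode=$(config_mode "$2")
    # SELINUX=disabled means no policy is loaded, whatever enforcing= says.
    if [ "$mode" = disabled ]; then
        echo disabled; return 0
    fi
    # Assumption: enforcing=0/1 on the kernel line overrides the file's mode.
    case $(cmdline_value "$1" enforcing) in
        0) echo permissive; return 0 ;;
        1) echo enforcing; return 0 ;;
    esac
    case $mode in
        enforcing|permissive) echo "$mode" ;;
        *) echo unknown ;;   # no usable SELINUX= line in the config text
    esac
}

# Constructed sample input, not taken from the poster's system.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'
SAMPLE_CMDLINE='ro root=/dev/VolGroup00/LogVol00 rhgb quiet enforcing=0'

echo "sample boot resolves to: $(effective_mode "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG")"
```

On a live system the two inputs would come from /proc/cmdline and /etc/selinux/config, and the result can be compared against what getenforce reports.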