Kernel + Selinux + Udev + selinux=0

"Jóhann B. Guðmundsson" johannbg at hi.is
Tue Mar 4 09:21:55 UTC 2008


Yuan Yijun wrote:
> 2008/3/4, Johann B. Gudmundsson <johannbg at hi.is>:
>   
>> Anyone else noticing this...
>>
>>  The kernels get stuck at UDEV loading...
>>
>>  kernel-2.6.25-0.82.rc3.git2.fc9.i686
>>  kernel-2.6.25-0.73.rc3.git1.fc9.i686
>>
>>  Have selinux disabled in /etc/selinux/config...
>>  and the kernel get stuck at UDEV
>>
>>  But if I pass the selinux=0 kernel parameter
>>  to the kernel(s) they load just fine..
>>
>>  Best regards.
>>                      Johann B.
>>
>>  PS. the radeon driver sorta works now for [ Mobility Radeon X300]
>>        had to switch to vesa driver with the previous version to get into X
>>         It does not offer correct resolution for my screen though
>>        ( Dell inspiron 6000/Dell 1600x1200/Driver/Display only offers/
>>  1680x1050 )
>>        xorg-x11-drv-ati-6.8.0-3.fc9.i386
>>
>>
>>     
>
> Boot a second time and it will be fine, I have met with this several times.
>
> BTW, I find that one must have selinux=enforcing when installing
> kernel. I started with selinux=0, and changed /etc/sysconfig/selinux
> to permissive, then reboot to single mode, relabel, setenforce 1, then
> install the kernel, change /etc/sysconfig/selinux to enforcing and
> reboot: that fixes boot problem for ever.
>
> I have a problem that how to specify selinux=permissive at grub
> prompt, when /etc/sysconfig/selinux=enforcing?
>
>
>
>   

Selinux related Kernel Parameters..

autorelabel=1 # Forces system to relabel

enforcing=0 #Sets selinux to Permissive (log only, no denials).

Yuan, the above is what you want; selinux=permissive does not exist.

enforcing=1 # Sets selinux to Enforcing (deny and log).

selinux=0 # THIS IS NOT SAME AS ENFORCING this will cause
the kernel to not load any of the selinux infrastructure hence files that
are created at boot time will not get a label and are marked as file_t
( Unlabeled file).

After booting with selinux=0 make sure that you do "touch /.autorelabel"
( This should be done by default but hey this is rawhide we are talking 
about :) )
or better yet do "echo 0 > /selinux/enforce && fixfiles relabel " or on 
next reboot
pass the "enforcing=0 autorelabel=1" to the kernel.

( That is if you are gonna run selinux in either permissive or enforcing 
mode )

selinux=1 # Turns the selinux infrastructure on ( Default )...

selinux_compat_net=0 # Sets selinux to use new secmark-based packet 
controls ( default )

selinux_compat_net=1 # Sets selinux to use legacy packet controls

If you wanna change the value of selinux at runtime do....

echo 0 > /selinux/enforce # Sets selinux in permissive mode

echo 1 > /selinux/enforce #Sets selinux to enforce again..

For compat_net do..

echo 0 > /selinux/compat_net # secmark-based packet controls

echo 1 > /selinux/compat_net # legacy packet controls

To get the status of selinux use "getenforce"

To permanently change the status of selinux either edit
/etc/selinux/config manually ( disabled,permissive,enabled )
or use setenforce=0 ( permissive ) or setenforce=1 (enabled )
or set kernel parameters to grub.conf

Best regards
                 Johann B.

PS. Could somebody put this on the wiki --> Testers page
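
The boot parameters listed in the message above, as an added example that is not part of the original post: a shell function that reads a kernel command line and reports which SELinux mode it requests, whether a relabel is forced on this boot, and whether one will be needed later because the boot ran with selinux=0. The function name, the output field names and the sample command lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the SELinux boot parameters described in the post.
# selinux_boot_state is a hypothetical helper; the sample lines are constructed.

# Runs in a subshell "( ... )" so set -f and the variables stay local.
selinux_boot_state() (
    set -f                      # no glob expansion while splitting $1
    sel="" enf="" relabel="no" unlisted=""
    for arg in $1; do           # $1 = kernel command line, e.g. /proc/cmdline
        case "$arg" in
            selinux=0|selinux=1)     sel=${arg#selinux=} ;;    # last one wins
            enforcing=0|enforcing=1) enf=${arg#enforcing=} ;;
            autorelabel=1)           relabel="yes" ;;
            selinux=*|enforcing=*|autorelabel=*)
                # A value not in the post's list, such as selinux=permissive.
                unlisted="${unlisted:+$unlisted,}$arg" ;;
        esac
    done
    later="no"
    if [ "$sel" = "0" ]; then
        # Infrastructure not loaded: enforcing= is moot and files created
        # during this boot stay unlabeled (file_t) until a relabel.
        mode="disabled"
        later="yes"
    elif [ "$enf" = "0" ]; then
        mode="permissive"       # log only, no denials
    elif [ "$enf" = "1" ]; then
        mode="enforcing"        # deny and log
    else
        mode="from-config"      # no override: /etc/selinux/config decides
    fi
    echo "mode=$mode relabel=$relabel relabel_later=$later unlisted=${unlisted:-none}"
)

# Constructed sample command lines (not taken from any real machine).
for sample in \
    "ro root=/dev/sda1 rhgb quiet selinux=0" \
    "ro root=/dev/sda1 enforcing=0 autorelabel=1" \
    "ro root=/dev/sda1 selinux=permissive"
do
    printf '%s\n  -> %s\n' "$sample" "$(selinux_boot_state "$sample")"
done
```

On a running system the function can be fed the real command line with `selinux_boot_state "$(cat /proc/cmdline)"`. The unlisted field only flags values that are not in the list above; it does not model what the kernel does with them.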

 
