No selinux whatsoever

Gary Thomas gary at mlbassoc.com
Fri Jan 18 16:43:25 UTC 2008


Michael DeHaan wrote:
> Gary Thomas wrote:
>> I'm trying to use anaconda+kickstart to load up a deeply
>> embedded platform.  This device will never need nor use
>> selinux, so I want to figure out how to keep it from
>> ever being installed, whatsoever.
>>
>> How do I make this happen in the kickstart file?
>>
>> Note: this is such a resource limited platform that simply
>> installing the "selinux-policy-targeted" RPM takes around
>> 5 hours!  Hence my desire to never even try.
>>
> 
> Just add "selinux disabled" in your kickstart and it will not be enabled 
> and will not be doing anything.
> 
> There isn't a lot of overhead in terms of extra storage to worry about 
> AFAIK.
> 
> The policy shouldn't be being applied if you don't turn selinux on (either 
> in enforcing mode or permissive). I could be wrong about this however, 
> have you tried disabling SELinux in your kickstart for starters?

Yes. I have "selinux --disabled" in my kickstart and I start
anaconda with "selinux=0" (don't believe the documentation on
this one - trust the code).  It still loads the selinux packages
and the loader/anaconda still tries to do stuff with selinux, e.g.
from my install log:
   12:38:33 WARNING : Failed to create /etc/selinux/config: Read-only file system
   12:38:33 WARNING : Failed to create /etc/selinux/targeted/contexts/customizable_types: Read-only file system
etc.

BTW, my embedded kernel also is tuned for no selinux support,
so even if the packages are installed, nothing happens (they
just get in the way IMO)

I have found that I can simply remove "selinux-policy-targeted"
in my kickstart packages and this makes things much better.

%packages
@base
-selinux-policy-targeted
%end

-- 
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------
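
An added example, not part of the original post: a small Python check that reads a kickstart file and reports the two settings discussed in this thread, the mode given to the `selinux` command and any SELinux packages excluded in `%packages`, so a build reviewer can see which images ship without SELinux. The function name `audit_selinux` and the sample kickstart are constructed for illustration.

```python
# Constructed sample kickstart, modelled on the fragment quoted in the post.
SAMPLE_KS = """\
install
selinux --disabled   # as in the post
%packages
@base
-selinux-policy-targeted
%end
%post
echo "selinux --enforcing"   # shell text, not a kickstart command
%end
"""

MODES = ("--disabled", "--permissive", "--enforcing")


def audit_selinux(ks_text):
    """Return (mode, excluded).

    mode     -- 'disabled', 'permissive' or 'enforcing' from the selinux
                command, or None if no selinux command with a mode flag exists
    excluded -- SELinux-related packages removed with '-' in %packages
    """
    mode, excluded, section = None, [], None
    for raw in ks_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("%"):
            name = line.split()[0]
            if name == "%end":
                section = None          # back to the command section
            elif name != "%include":    # %include is a directive, not a section
                section = name          # older files have no %end; a new
            continue                    # section header closes the previous one
        words = line.split()
        if section is None and words[0] == "selinux":
            for w in words[1:]:
                if w in MODES:
                    mode = w[2:]
        elif section == "%packages" and line.startswith("-") and "selinux" in line:
            excluded.append(words[0][1:])
    return mode, excluded


if __name__ == "__main__":
    mode, excluded = audit_selinux(SAMPLE_KS)
    print("selinux command mode:", mode)
    print("excluded SELinux packages:", excluded)
```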



