How best get rid of SELinux?

[Arthur Pemberton]

On 9/21/07, Mike McCarty <Mike.McCarty at sbcglobal.net> wrote:
> Arthur Pemberton wrote:
> >
> > I either run it (in targeted mode) or I don't - I do on servers, don't
> > on desktops/laptops
>
> Then we are agreed on this point, at least: If SELinux has benefit,
> then it is still an installation dependent issue whether the
> cost outweighs the benefit, or vice versa. I have a desktop which
> has exactly one LAN connected machine, my firewall. The firewall
> on the WAN side is connected exactly to one machine, an ADSL modem.
>
> It does not make sense to install and run software which one does
> not ever intend to use. Simply having it on the machine but disabled
> makes the machine potentially less secure, but gives no benefit.
> Even "disabled", it is present, and code is actively being executed,
> though I'm sure much less of it gets executed than otherwise.
>
> Mike
> --
> p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
> Oppose globalization and One World Governments like the UN.
> This message made from 100% recycled bits.
> You have found the bank of Larn.
> I can explain it for you, but I can't understand it for you.
> I speak only for myself, and I am unanimous in that!

I don't think it is even possible to have SELinux work as separate
type install. If so, push for that. The selinux tools are useland, but
I'm pretty sure (subject to correction) that SELinux is part of the
kernel itself.

Maybe you could ask for a non selinux kernel to be made available for Fedora.

However, just to speak to one of your past points, if you're not
worried about the attack vectors that SELinux prevents, I don't think
you should be worried with the (possible) attack vectors that the
disabled SELinux code introduces.

-- 
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )