SElinux Removal?

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 13 17:08:38 UTC 2006


On Thu, 2006-04-13 at 17:52 +0100, idonttrustmspassport at ktcasey.plus.com
wrote:
> Is it possible to remove SELinux completely during FC5 installation, or
> even when installed?

Disable, yes.  Remove, no.

> So far problems during YUM updates (It gives errors while installing
> policies then freezes Yum) have destroyed my system twice. 
> (In both cases the system refuses to boot with an error "not syncing:
> Attempting to kill init!").

Hmm..well, more details would be interesting as that should obviously not
be happening and hasn't been reported elsewhere AFAIK.  bugzilla even.

> Passing a parm of selinux=disabled to the kernel allowed a boot, but all my
> attempts to make this permanent then fail and I end up reinstalling and
> reconfiguring.

selinux=0 on the kernel line in grub.conf or SELINUX=disabled
in /etc/selinux/config should do the trick.

> I admit to being a newbie, I only started 10 years ago, *never* had
> anything so good at locking down my PC, it seems to be a first class option
> for DRM.. 

Um, no.  MAC != DRM.

> So, can I get rid of it completely, 
> 1) I tried uninstalling everything with SELinux in the name, interesting
> effect try it one day when you have some time... 

Not feasible, as the SELinux kernel "module" is built into the kernel,
and libselinux is a dependency for /sbin/init, coreutils, and other
critical components.  You can't remove the code without rebuilding
everything, but you can disable its execution.

> 2) Tried the gui tool, (as a minimum I thought I'd turn it to the lowest
> level) it brings up a command prompt which freezes...
> 3) Tried editing the files to disable it at reboot, fails with "file is
> read only", chmod failed with "file is read only", chmod of the directory
> failed with "read only"..

Sounds like the filesystem is mounted read-only, not SELinux-related at
all.  mount -o rw,remount /?  If you booted with selinux=0, then SELinux
is disabled.

> Is there any chance that, as a minimum it could give an error message like
> "SELinux configuration is corrupt, boot halted" as it took me a loooooong
> time to figure out what was wrong...

Hmmm.../sbin/init does contain a log call to output 'Unable to load
SELinux Policy.  Machine is in enforcing mode.  Halting now.' Don't know
if there is a problem that is preventing that from being displayed
properly.

>  And is there a documented process to
> handle a situation where the configuration is corrupted (accidentally or
> during an update) and the whole system is locked?

Boot with enforcing=0 is usually sufficient, or selinux=0 if that
doesn't work.

-- 
Stephen Smalley
National Security Agency
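
The reply above names three switches: selinux=0 and enforcing=0 on the kernel line, and SELINUX= in /etc/selinux/config. As an added example (not part of the original message), this shell function reports which mode a given kernel line and config file would produce, which helps when checking a system that was booted with a recovery parameter. The function name and the precedence order (selinux=0 first, then SELINUX=disabled, then enforcing= over the configured mode) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. The function name and the
# precedence order below are this example's assumptions.
# Usage: selinux_boot_mode "KERNEL CMDLINE" CONFIG_FILE
# Prints: disabled | permissive | enforcing | unknown
selinux_boot_mode() {
    cmdline=$1 config=$2
    k_selinux="" k_enforcing="" cfg_mode=""
    # Walk the kernel arguments; a later occurrence overrides an earlier one.
    for arg in $cmdline; do
        case $arg in
            selinux=*)   k_selinux=${arg#selinux=} ;;
            enforcing=*) k_enforcing=${arg#enforcing=} ;;
        esac
    done
    # Read SELINUX= (not SELINUXTYPE=) from the config, ignoring comments.
    if [ -r "$config" ]; then
        cfg_mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
            "$config" | tail -n 1 | tr 'A-Z' 'a-z')
    fi
    # selinux=0 switches SELinux off in the kernel; nothing else applies.
    if [ "$k_selinux" = 0 ]; then echo disabled; return 0; fi
    # SELINUX=disabled means no policy is loaded at boot.
    if [ "$cfg_mode" = disabled ]; then echo disabled; return 0; fi
    # enforcing=0/1 on the kernel line overrides the configured mode.
    case $k_enforcing in
        0) echo permissive; return 0 ;;
        1) echo enforcing; return 0 ;;
    esac
    case $cfg_mode in
        enforcing|permissive) echo "$cfg_mode" ;;
        *) echo unknown; return 1 ;;
    esac
}

# Constructed sample input: an enforcing config and three kernel lines.
demo_cfg=$(mktemp)
printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_cfg"
for line in "ro root=LABEL=/ rhgb quiet" \
            "ro root=LABEL=/ enforcing=0" \
            "ro root=LABEL=/ selinux=0"; do
    printf '%-30s -> %s\n' "$line" "$(selinux_boot_mode "$line" "$demo_cfg")"
done
rm -f "$demo_cfg"
```

On a live system, pass "$(cat /proc/cmdline)" and /etc/selinux/config as the two arguments.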



