[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Request to re-add option to disable SELinux - compromise



On Wed, 2008-07-09 at 10:58 -0400, Chuck Anderson wrote:
> On Wed, Jul 09, 2008 at 09:52:49AM -0500, Callum Lerwick wrote:
> > Because booting with selinux enabled after installing onto a
> > filesystem such as reiserfs that doesn't work with selinux results in
> > epic fail. As in, you can not log in. Though you can get around this
> > by booting with selinux=0 on the kernel command line...
> 
> I think reiserfs supports selinux now.

Unfortunately not.
It did briefly, but then things broke again.
reiserfs support has never been a priority for the selinux maintainers,
and selinux support was never a priority for the reiserfs maintainers.
I believe though that all of the other major filesystems should work
with selinux these days (ext[2-4], jfs, xfs, jffs2, gfs2); if not,
that's a bug that should be reported.

> > Though I haven't done this since something like FC6. I migrated to
> > ext3 so I could use selinux.
> > 
> > And while I'm at it, I'll provide a counterpoint and point out that
> > I've run all my machines, including my wife's laptop, with selinux
> > enabled since FC6. I've never, ever run in to any problem. Ever. I
> > don't know what you people are doing, but you must be doing it wrong.
> 
> Not wrong, just out of the norm.  If you keep things in the standard 
> directories and use mostly default configs, you generally don't have 
> problems.

But these days users should be able to address such deviations from the
norm by running a couple of semanage commands (or system-config-selinux
if they prefer GUIs) and/or creating a local loadable policy module
using audit2allow.

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]