[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Request to re-add option to disable SELinux - compromise



Peter Jones wrote:
jeff wrote:

Mr. Cox, do you see and *technical* problems with the selinux=0 passed to anaconda passed to grub.conf proposal?

If you pass selinux=0 to anaconda, you don't get selinux.  It's been
that way since 13-Apr-2004. Did we break it? It doesn't appear to have been broken intentionally, but I don't try it regularly either, since

With selinux=0 in grub, in dmesg you get:

Security Framework initialized
SELinux:  Disabled at boot.
Capability LSM initialized



Without selinux=0 in grub:
Security Framework initialized
SELinux:  Initializing.
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
Capability LSM initialized as secondary
...
SELinux:  Registering netfilter hooks
...
SELinux:  Disabled at runtime.
SELinux:  Unregistering netfilter hooks


> Does the system boot up correctly afterwards?

Yes, assuming the "Starting in permissive mode" is correct.


> What does "getenforce"  say when you run it?

"Disabled"


I don't know what the ramifications are, but it definitely has different behaviour if you disable using selinux=0 than if you don't. I see no reason why it should be loaded, initialized, etc. if it isn't wanted.

Thanks,

-Jeff


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]