
Re: Request to re-add option to disable SELinux - compromise



Jeremy Katz wrote:
> On Fri, 2008-07-11 at 19:07 -0300, jeff wrote:
>> I don't know what the ramifications are, but it definitely has different 
>> behaviour if you disable using selinux=0 than if you don't. I see no reason why 
>> it should be loaded, initialized, etc. if it isn't wanted.
> 
> Because relying on boot options is a great way to cause problems for
> yourself later on down the line.  If you boot with selinux=0, the
> installer disables SELinux for the installed system.  The fact that we
> use a better and more persistent means of disabling it and also one that
> can be reversed if you later decide that you want SELinux is a
> *positive* thing.
> 
> Jeremy
> 
Also there is little difference between "selinux=0" and selinux=disabled
in the /etc/selinux/config file.

The init process checks the config file for this entry and then tells
the kernel to disable all SELinux components.  selinux=0 disables all
SELinux components before init runs.  At the time init is running there
is no loaded policy, so pretty much SELinux is disabled.

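The two disabling mechanisms discussed in this thread can be told apart on an installed system. The script below is an added example, not part of the original message: it reports whether SELinux is turned off by the `selinux=0` boot option, by the config file, or by both. It assumes the config file key is spelled `SELINUX=` and reads only the first such line; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which mechanism, if any, disables SELinux.
# Inputs are parameters so the functions also work on copies or constructed samples.

# Print "yes" if the kernel command line carries selinux=0 as a whole argument.
cmdline_disables_selinux() {
    # $1: kernel command line text (e.g. contents of /proc/cmdline)
    case " $1 " in
        *" selinux=0 "*) echo yes ;;
        *)               echo no ;;
    esac
}

# Print the value of the first SELINUX= line, lowercased; "unset" if none.
# SELINUXTYPE= and commented lines do not match the pattern.
config_selinux_mode() {
    # $1: path to the config file (normally /etc/selinux/config)
    mode=$(sed -n 's/^SELINUX=\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
           head -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-unset}"
}

# Combine both checks into one verdict.
selinux_disable_source() {
    # $1: kernel command line text, $2: config file path
    boot=$(cmdline_disables_selinux "$1")
    mode=$(config_selinux_mode "$2")
    if [ "$boot" = yes ] && [ "$mode" = disabled ]; then
        echo both
    elif [ "$boot" = yes ]; then
        # Off only for this boot: nothing persistent records the choice.
        echo boot-option-only
    elif [ "$mode" = disabled ]; then
        echo config-file
    else
        echo not-disabled
    fi
}

# Run against the live system when executed directly.
selinux_disable_source "$(cat /proc/cmdline 2>/dev/null)" /etc/selinux/config
```

A `boot-option-only` result marks a host where the setting lives only in the bootloader entry, which is the non-persistent case the quoted reply warns about.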

