Description of change/FAQ addition. If a change, include the original text first, then the changed text: In the answers for the questions "How do I turn off SELinux at boot?" and "How do I turn enforcing on/off at boot?", the discussion of SELINUX=disabled is still based on the old behavior prior to our implementation of a runtime disable for SELinux back in April. In April, we implemented a runtime disable in the SELinux kernel code to allow SELINUX=disabled to truly disable SELinux, and SysVinit was changed accordingly. Anyone with an up-to-date FC2 system should consequently have a kernel and /sbin/init that supports this behavior, so that SELINUX=disabled is equivalent to selinux=0 boot parameter. It may be true that FC2 shipped with a kernel that did not include this support; I'm not certain about that offhand. But there have been kernel updates for FC2 since that time that would have included it. Version-Release of FAQ (found on http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html): selinux-faq-1.2-3 (2004-07-30-T16:20-0800)
Therefore, setting SELINUX=disabled in /etc/sysconfig/selinux actually disables SELinux, instead of just not loading a policy? Or is this just for manual changes to the kernel boot parameters? I'll make a note that the behavior changes in later kernels for FC2
Yes, SELINUX=disabled in /etc/sysconfig/selinux actually disables SELinux. The kernel should print a message that says "SELinux: Disabled at runtime" when /sbin/init invokes the runtime disable (vs. the "SELinux: Disabled at boot" message displayed for selinux=0). The runtime disable unregisters the SELinux security hooks and the selinuxfs pseudo filesystem entirely, so the SELinux code is no longer invoked at all by the kernel.
The FAQ will be updated today with the below entry changes; feel free to provide comments now or later, I'll address them immediately. Thanks for the catch, this was important in keeping this document relevant, accurate, and useful, even as we move forward with FC versions.

## begin FAQ fix

Q: How do I turn SELinux off?

A: Adding selinux=0 to your kernel command line disables SELinux at boot. Optionally, you can disable SELinux at run time in the latest Fedora Core 2 kernel by setting SELINUX=disabled in /etc/sysconfig/selinux.

Warning: Be very careful using this option. Any files you create while SELinux is disabled will not have SELinux context information. At the least you may need to relabel the file system, and it's possible you will be unable to boot with selinux=1, requiring a boot to single-user mode for recovery.

The kernel that shipped with Fedora Core 2 had a different behavior when you set SELINUX=disabled in /etc/sysconfig/selinux. Instead of unregistering the SELinux hooks from the kernel, SELinux is actually loaded without a policy. This was fixed in later kernels.

Q: How do I turn enforcing on/off at boot?

A: You can specify the SELinux mode using the configuration file /etc/sysconfig/selinux.

    # This is a comment field in /etc/sysconfig/selinux
    #
    # Allowable values are:
    #   enforcing  - enables enforcing mode
    #   permissive - enables permissive mode
    #   disabled   - disables SELinux
    SELINUX=<value>

Setting the value to enforcing is the same as adding enforcing=1 to your command line when booting the kernel to turn enforcing on, while setting the value to permissive is the same as adding enforcing=0 to turn enforcing off. Note that the command line kernel parameter overrides the configuration file. In the kernel that shipped with Fedora Core 2, setting the value to disabled was not the same as the selinux=0 kernel boot parameter. However, updated kernels act exactly the same if you disable at run time or at boot -- SELinux hooks and pseudo file system are unregistered entirely.

## 30
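The precedence rule in the FAQ entry above (selinux=0 on the kernel command line wins outright, enforcing=0/1 on the command line overrides SELINUX= in /etc/sysconfig/selinux, and the config file decides only when neither is given) is easy to get wrong when debugging a box that "should" be permissive. The script below is an added example, not code from the FAQ, the Fedora project, or any participant in this bug; it takes the config text and the command line as string arguments so it runs offline, and the sample config and command lines in it are constructed for illustration. On a live system you would feed it the contents of /etc/sysconfig/selinux and /proc/cmdline. It does not attempt to model the FAQ's caveat about the original FC2 kernel (SELINUX=disabled loading SELinux without a policy); that depends on the kernel, not on the configuration.

```shell
#!/bin/sh
# Added example (not from the SELinux FAQ or Fedora): report the effective
# SELinux mode from an /etc/sysconfig/selinux-style config and a kernel
# command line, applying the precedence described in the FAQ:
#   1. selinux=0 on the command line  -> disabled, regardless of anything else
#   2. enforcing=1 / enforcing=0      -> enforcing / permissive, overriding SELINUX=
#   3. otherwise SELINUX=<value> in the config decides
# Assumption: a config with no valid SELINUX= line is reported as "unknown"
# rather than guessing a default.

# effective_selinux_mode CONFIG_TEXT CMDLINE
#   prints one of: enforcing permissive disabled unknown
effective_selinux_mode() {
    _config=$1
    _cmdline=$2

    # Pass 1: selinux=0 disables SELinux at boot no matter where it appears.
    for _param in $_cmdline; do
        case $_param in
            selinux=0) echo disabled; return 0 ;;
        esac
    done

    # Pass 2: enforcing=N on the command line overrides the config file.
    for _param in $_cmdline; do
        case $_param in
            enforcing=0) echo permissive; return 0 ;;
            enforcing=1) echo enforcing;  return 0 ;;
        esac
    done

    # Pass 3: fall back to the last SELINUX= line in the config, ignoring
    # comment lines and trailing text. SELINUXTYPE= does not match because
    # the pattern requires '=' directly after SELINUX.
    _mode=$(printf '%s\n' "$_config" \
        | sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' \
        | tail -n 1)
    case $_mode in
        enforcing|permissive|disabled) echo "$_mode" ;;
        *) echo unknown ;;
    esac
    return 0
}

# Constructed sample config in the layout the FAQ shows.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
# Allowable values are:
#   enforcing  - enables enforcing mode
#   permissive - enables permissive mode
#   disabled   - disables SELinux
SELINUX=permissive
SELINUXTYPE=targeted'

# Constructed command lines; each line prints the mode that would result.
for _cl in "ro root=/dev/hda2" \
           "ro root=/dev/hda2 enforcing=1" \
           "ro root=/dev/hda2 enforcing=1 selinux=0"; do
    printf '%-45s -> %s\n' "$_cl" "$(effective_selinux_mode "$SAMPLE_CONFIG" "$_cl")"
done
```

To check a running system instead of the constructed samples, call effective_selinux_mode "$(cat /etc/sysconfig/selinux)" "$(cat /proc/cmdline)" and compare the answer with the "SELinux: Disabled at boot" / "SELinux: Disabled at runtime" lines in dmesg that the comment above describes; a mismatch usually means the kernel or /sbin/init predates the runtime-disable support.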
Pages updated in the live version, also archived at: http://people.redhat.com/kwade/fedora-docs/fc2/selinux-faq-en/