Bug 129240 - SELinux FAQ - disabling SELinux
SELinux FAQ - disabling SELinux
Status: CLOSED CURRENTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq (Show other bugs)
devel
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karsten Wade
Tammy Fox
http://people.redhat.com/kwade/fedora...
:
Depends On:
Blocks: 118757
  Show dependency treegraph
 
Reported: 2004-08-05 10:34 EDT by Stephen Smalley
Modified: 2007-04-18 13:10 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-06 16:06:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Stephen Smalley 2004-08-05 10:34:13 EDT
Description of change/FAQ addition.  If a change, include the original
text first, then the changed text:

In the answers for the questions "How do I turn off SELinux at boot?"
and "How do I turn enforcing on/off at boot?", the discussion of
SELINUX=disabled is still based on the old behavior prior to our
implementation of a runtime disable for SELinux back in April.  In
April, we implemented a runtime disable in the SELinux kernel code to
allow SELINUX=disabled to truly disable SELinux, and SysVinit was
changed accordingly.  Anyone with an up-to-date FC2 system should
consequently have a kernel and /sbin/init that supports this behavior,
so that SELINUX=disabled is equivalent to selinux=0 boot parameter. 
It may be true that FC2 shipped with a kernel that did not include
this support; I'm not certain about that offhand.  But there have been
kernel updates for FC2 since that time that would have included it.

Version-Release of FAQ (found on
http://people.redhat.com/kwade/fedora-docs/selinux-faq-en/ln-legalnotice.html):

 selinux-faq-1.2-3 (2004-07-30-T16:20-0800)
Comment 1 Karsten Wade 2004-08-05 13:02:43 EDT
Therefore, setting SELINUX=disabled in /etc/sysconfig/selinux actually
disables SELinux, instead of just not loading a policy?  Or is this
just for manual changes to the kernel boot parameters?

I'll make a note that the behavior changes in later kernels for FC2
Comment 2 Stephen Smalley 2004-08-05 13:08:27 EDT
Yes, SELINUX=disabled in /etc/sysconfig/selinux actually disables
SELinux.  Kernel should print a message that says "SELinux:  Disabled
at runtime" when /sbin/init invokes the runtime disable (vs. the
"SELinux:  Disabled at boot" message displayed for selinux=0).  The
runtime disable unregisters the SELinux security hooks and selinuxfs
pseudo filesystem entirely, so the SELinux code is no longer invoked
at all by the kernel.
Comment 3 Karsten Wade 2004-08-05 14:21:14 EDT
The FAQ will be updated today with the below entry changes; feel free
to provide comments now or later, I'll address them immediately.

Thanks for the catch, this was important in keeping this document
relevant, accurate, and useful, even as we move forward with FC versions.

## begin FAQ fix
Q:. How do I turn SELinux off?

A:. Adding selinux=0 to your kernel command line disables SELinux at
boot. Optionally, you can disable SELinux in run time in the latest
Fedora Core 2 kernel by setting SELINUX=disabled in
/etc/sysconfig/selinux.

Warning

Be very careful using this option. Any files you create while SELinux
is disabled will not have SELinux context information. At the least
you may need to relabel the file system, and it's possible you will be
unable to boot with selinux=1, requiring a boot to single-user mode
for recovery.

The kernel that shipped with Fedora Core 2 had a different behavior
when you set SELINUX=disabled in /etc/sysconfig/selinux. Instead of
unregistering the SELinux hooks from the kernel, SELinux is actually
loaded without a policy. This was fixed in later kernels.


Q:. How do I turn enforcing on/off at boot?

A:. You can specify the SELinux mode using the configuration file
/etc/sysconfig/selinux.


# This is a comment field in /etc/sysconfig/selinux
#
# Allowable values are:
#     enforcing  -  enables enforcing mode
#     permissive -  enables permissive mode
#     disabled   -  disables SELinux
SELINUX=<value>

Setting the value to enforcing is the same as adding enforcing=1 to
your command line when booting the kernel to turn enforcing on, while
setting the value to permissive is the same as adding enforcing=0 to
turn enforcing off. Note that the command line kernel parameter
overrides the configuration file.

In the kernel that shipped with Fedora Core 2, setting the value to
disabled was not the same as the selinux=0 kernel boot parameter.
However, updated kernels act exactly the same if you disable in run
time or at boot -- SELinux hooks and pseudo file system are
unregistered entirely. 

## 30
Comment 4 Karsten Wade 2004-08-06 16:06:48 EDT
Pages updated in the live version, also archived at:

http://people.redhat.com/kwade/fedora-docs/fc2/selinux-faq-en/

Note You need to log in before you can comment on or make changes to this bug.