Fwiw, in grub I set up duplicate sections for a permissive kernel and an enforcing kernel using ENFORCING on the title line and enforcing=1 on the kernel line. Richard Hally <Snip> > Also I have taken to adding an alternate boot section in > /boot/grub/grub.conf. Is this useful, useless, sane, silly, > underkill, overkill. Thus...: Grub is really good for allowing you to edit the kernel command line before booting it. So if you have problems you can always tell it to boot the kernel with selinux=0 appended even if that is not in your grub.conf. If you accidentally boot a non-SE kernel then /etc/mtab and a few other files will get the wrong label, which will be really annoying for you. We are working on these issues, but in the mean-time you probably don't want to make it too easy to accidentally boot a non-SE kernel.
