On Sun, May 02, 2004 at 03:41:15PM +0200, RJ wrote:
> skywebsy wrote:
>
> >as subject, thanks ...
> boot with kernel option 'selinux=0'

Currently there are two boot time kernel variables of interest
in this regard:

    enforcing
    selinux

If you are testing then most will want to toggle enforcing on(1) or off(0).
In your /boot/grub/grub.conf look for a line much like this:

    kernel /vmlinuz-2.6.5-1.327 ro root=LABEL=/ enforcing=1 vdso=0 acpi=off

With enforcing off you can still see in /var/log/messages the access
errors (avc) and be able to explore the whole set of SELinux concepts.

If you suspect that SELinux is getting in the way of an application
it can be controlled dynamically.

As root first change context:

    newrole -r sysadm_r

Then id will return context=root:sysadm_r:sysadm_t
something like this:

    # id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),\
    4(adm),6(disk),10(wheel) context=root:sysadm_r:sysadm_t

Now to toggle enforcing:

    logger "Turning Enforcing OFF"
    echo "0" > /selinux/enforce
    logger "Enforcing is OFF"

The "logger" lines let you mark sections in /var/log/messages
that are interesting to people building the policy files.

i.e. You can do stuff like...

    logger "Testing something I think is broken by policy restrictions........"
    logger "Start Testing ...................................................."
    # launch application
    logger "End Testing ...................................................."

    logger "Turning Enforcing OFF"
    echo "0" > /selinux/enforce
    logger "Enforcing is OFF"

    logger "Testing something I think is broken by policy restrictions........"
    logger "Start Testing ...................................................."
    # launch application
    logger "End Testing ...................................................."

    logger "Turning Enforcing back On"
    echo "1" > /selinux/enforce
    logger "Enforcing is back On"

Some testers may wish to set selinux=0 and not load the kernel
security module at all. I guess that this needs to be done too;
people will do it.

    kernel /vmlinuz-2.6.5-1.327 ro root=LABEL=/ selinux=0 vdso=0 acpi=off

I am sure I missed something ....

-- 
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
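
Added example, not part of the original message: a small shell helper that pulls the avc lines out of the sections bracketed by the "Start Testing" / "End Testing" logger markers and tags each with the enforcing state last announced by a marker. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical; the marker strings are the logger texts used in the message.

# avc_by_run [FILE...]: print each avc line found between a "Start Testing"
# and an "End Testing" marker, prefixed with the run number and the enforcing
# state last announced by a logger marker. Reads stdin when no FILE is given,
# e.g. on a real system: avc_by_run /var/log/messages
avc_by_run() {
    awk '
        BEGIN                  { mode = "not logged" }
        /Enforcing is OFF/     { mode = "permissive" }
        /Enforcing is back On/ { mode = "enforcing" }
        /Start Testing/        { inside = 1; run++; next }
        /End Testing/          { inside = 0; next }
        inside && match($0, /avc: .*/) {
            printf "run %d [%s] %s\n", run, mode, substr($0, RSTART)
        }
    ' "$@"
}

# Constructed sample of /var/log/messages: one run before the toggle,
# one unrelated denial outside any markers, one run with enforcing off.
sample_log() {
    cat <<'EOF'
May  2 16:00:01 host root: Testing something I think is broken by policy restrictions........
May  2 16:00:01 host root: Start Testing ....
May  2 16:00:02 host kernel: audit(1083506402.100:0): avc:  denied  { read } for  pid=2101 exe=/usr/bin/exampled name=example.conf scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
May  2 16:00:03 host root: End Testing ....
May  2 16:00:04 host kernel: audit(1083506404.100:0): avc:  denied  { getattr } for  pid=2200 exe=/usr/bin/unrelated scontext=system_u:system_r:unrelated_t tcontext=system_u:object_r:etc_t tclass=file
May  2 16:00:05 host root: Turning Enforcing OFF
May  2 16:00:05 host root: Enforcing is OFF
May  2 16:00:06 host root: Start Testing ....
May  2 16:00:07 host kernel: audit(1083506407.100:0): avc:  denied  { read } for  pid=2300 exe=/usr/bin/exampled name=example.conf scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:etc_t tclass=file
May  2 16:00:07 host kernel: audit(1083506407.200:0): avc:  denied  { write } for  pid=2300 exe=/usr/bin/exampled name=example.log scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:var_log_t tclass=file
May  2 16:00:08 host root: End Testing ....
May  2 16:00:09 host root: Turning Enforcing back On
May  2 16:00:09 host root: Enforcing is back On
EOF
}

# Stand-alone demonstration on the constructed log.
sample_log | avc_by_run
```

Denials that show up only in the permissive run are the ones that were hidden in the first run because the application stopped at its first refused access.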