On Wed, 2004-07-28 at 12:44, Bruno Castro da Silva wrote: > I'm trying to install, on fedora core 2, some modules which > also use the LSM framework. Currently selinux is disabled > (/usr/bin/selinuxenabled returns 1), but I can't seem to > load any other modules. > > I always get the "There is already a security framework > initialized, register_security failed" error. > > Is there anyway to completly disable selinux or to allow > other LSM-based software to run? > > Also, I think this problem wouldn't exist if selinux was > compiled as a module. Is there any reason why this isn't so? Both SELinux and the capability module are built into the kernel (and normally stack together); if you disable SELinux, then the capability module simply becomes the primary security module. So you actually want to disable the capability module too. You can boot with selinux=0 capability.disable=1 on the kernel command line to disable them both, I think. SELinux needs to be built-in; it requires early initialization in order to track all kernel objects and apply security labels to them. Security subsystem is too tightly coupled to the core kernel anyway to usefully deal with it as a separate "module"; the LSM API is too large and tightly coupled to the core kernel, and is not guaranteed any stability even within the stable kernel series. We attempted to support SELinux as a loadable module for a while during the development of LSM, but gave it up in 2002 in response to feedback from core kernel developers. -- Stephen Smalley <sds@xxxxxxxxxxxxxx> National Security Agency
