On 3/9/06, Steve B <[EMAIL PROTECTED]> wrote:
Hey everybody,

  Quick question.  How can I disable SELinux without modifying
(recompiling) the kernel?  The reason I ask is because my kernel was
compiled with SELinux support, however it's not "active".  Apparently
vpopmail has issues with SELinux and I believe that I am having
problems because of this.  I don't have the luxury of recompiling the
kernel because this is a virtual server running under Xen 2.0.

Thanks!

V/R
Steve

--
gentoo-user@gentoo.org mailing list


Steve,

If the kernel has been configured to allow it, there is a boot command parameter that can disable SELinux. This parameter is 'selinux=0' by default, 'selinux=1' enables it. If not, you'll have to find another way.

From the kernel config:

config SECURITY_SELINUX_BOOTPARAM
    bool "NSA SELinux boot parameter"
    depends on SECURITY_SELINUX
    default n
    help
      This option adds a kernel parameter 'selinux', which allows SELinux
      to be disabled at boot. If this option is selected, SELinux
      functionality can be disabled with selinux=0 on the kernel
      command line. The purpose of this option is to allow a single
      kernel image to be distributed with SELinux built in, but not
      necessarily enabled.

      If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM_VALUE
    int "NSA SELinux boot parameter default value"
    depends on SECURITY_SELINUX_BOOTPARAM
    range 0 1
    default 1
    help
      This option sets the default value for the kernel parameter
      'selinux', which allows SELinux to be disabled at boot. If this
      option is set to 0 (zero), the SELinux kernel parameter will
      default to 0, disabling SELinux at bootup. If this option is
      set to 1 (one), the SELinux kernel parameter will default to 1,
      enabling SELinux at bootup.

      If you are unsure how to answer this question, answer 1.

config SECURITY_SELINUX_DISABLE
    bool "NSA SELinux runtime disable"
    depends on SECURITY_SELINUX
    default n
    help
      This option enables writing to a selinuxfs node 'disable', which
      allows SELinux to be disabled at runtime prior to the policy load.
      SELinux will then remain disabled until the next boot.
      This option is similar to the selinux=0 boot parameter, but is to
      support runtime disabling of SELinux, e.g. from /sbin/init, for
      portability across platforms where boot parameters are difficult
      to employ.

      If you are unsure how to answer this question, answer N.

HTH,

Simon
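
Added example (not part of the original thread): a shell sketch that applies the three Kconfig options quoted above to a kernel config and command line and reports whether the kernel will initialise SELinux at boot. The function names are hypothetical and the sample config and command line are constructed; "enabled" here means only that the kernel initialises SELinux, not that a policy is loaded.

```sh
#!/bin/sh
# Added example: decide SELinux boot state from kernel config + command line.

# kconfig_value CONFIG_TEXT SYMBOL -> value of CONFIG_<SYMBOL>, empty if unset
kconfig_value() {
    printf '%s\n' "$1" | sed -n "s/^CONFIG_$2=//p" | tail -n 1
}

# cmdline_selinux CMDLINE -> last selinux=N value on the command line, or empty
cmdline_selinux() {
    val=""
    for word in $1; do
        case "$word" in selinux=*) val="${word#selinux=}" ;; esac
    done
    printf '%s' "$val"
}

# selinux_boot_state CONFIG_TEXT CMDLINE -> not-built | enabled | disabled
selinux_boot_state() {
    [ "$(kconfig_value "$1" SECURITY_SELINUX)" = "y" ] || { echo not-built; return; }
    if [ "$(kconfig_value "$1" SECURITY_SELINUX_BOOTPARAM)" != "y" ]; then
        # Boot parameter support not compiled in: selinux=0 has no effect.
        echo enabled; return
    fi
    state=$(cmdline_selinux "$2")
    # Nothing on the command line: fall back to the compiled-in default.
    [ -n "$state" ] || state=$(kconfig_value "$1" SECURITY_SELINUX_BOOTPARAM_VALUE)
    if [ "$state" = "0" ]; then echo disabled; else echo enabled; fi
}

# Constructed sample input (not taken from a real system).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set'

selinux_boot_state "$SAMPLE_CONFIG" "root=/dev/sda1 ro selinux=0"

# Live use, assuming the kernel exposes its config at /proc/config.gz:
#   selinux_boot_state "$(zcat /proc/config.gz)" "$(cat /proc/cmdline)"
```

If the result is "enabled" with selinux=0 on the command line, the kernel was built without SECURITY_SELINUX_BOOTPARAM and the parameter has no effect.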

