Gentoo Archives: gentoo-user

From: Simon Hogg <nephila@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] SELinux
Date: Thu, 09 Mar 2006 12:00:20
Message-Id: f0302a800603090350g558c9e1fyc55ca6180b623678@mail.gmail.com
In Reply to: [gentoo-user] SELinux by Steve B
On 3/9/06, Steve B <linuxcodehacker@×××××.com> wrote:
>
> Hey everybody,
>
> Quick question. How can I disable SELinux without modifying
> (recompiling) the kernel? The reason I ask is because my kernel was
> compiled with SELinux support, however it's not "active". Apparently
> vpopmail has issues with SELinux and I believe that I am having
> problems because of this. I don't have the luxury of recompiling the
> kernel because this is a virtual server running under Xen 2.0.
>
> Thanks!
>
> V/R
> Steve
>
> --
> gentoo-user@g.o mailing list
>
>
Steve,

If the kernel has been configured to allow it, there is a boot command
parameter that can disable SELinux. This parameter is 'selinux=0' by
default, 'selinux=1' enables it. If not, you'll have to find another way.

From the kernel config:

config SECURITY_SELINUX_BOOTPARAM
    bool "NSA SELinux boot parameter"
    depends on SECURITY_SELINUX
    default n
    help
      This option adds a kernel parameter 'selinux', which allows SELinux
      to be disabled at boot.  If this option is selected, SELinux
      functionality can be disabled with selinux=0 on the kernel
      command line.  The purpose of this option is to allow a single
      kernel image to be distributed with SELinux built in, but not
      necessarily enabled.

      If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM_VALUE
    int "NSA SELinux boot parameter default value"
    depends on SECURITY_SELINUX_BOOTPARAM
    range 0 1
    default 1
    help
      This option sets the default value for the kernel parameter
      'selinux', which allows SELinux to be disabled at boot.  If this
      option is set to 0 (zero), the SELinux kernel parameter will
      default to 0, disabling SELinux at bootup.  If this option is
      set to 1 (one), the SELinux kernel parameter will default to 1,
      enabling SELinux at bootup.

      If you are unsure how to answer this question, answer 1.

config SECURITY_SELINUX_DISABLE
    bool "NSA SELinux runtime disable"
    depends on SECURITY_SELINUX
    default n
    help
      This option enables writing to a selinuxfs node 'disable', which
      allows SELinux to be disabled at runtime prior to the policy load.
      SELinux will then remain disabled until the next boot.
      This option is similar to the selinux=0 boot parameter, but is to
      support runtime disabling of SELinux, e.g. from /sbin/init, for
      portability across platforms where boot parameters are difficult
      to employ.

      If you are unsure how to answer this question, answer N.

HTH,

Simon
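
Added example, not part of Simon's message: a small shell check that applies the Kconfig help text quoted above to kernel .config text and a kernel command line, and reports whether SELinux would be active at boot. The function names, the state labels and the sample config and command lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): predict whether SELinux will be
# active at boot from kernel .config text and a kernel command line.

# cfg_value CONFIG_TEXT OPTION: print the value of CONFIG_<OPTION>, empty if unset.
cfg_value() {
    printf '%s\n' "$1" | sed -n "s/^CONFIG_$2=//p" | tail -n 1
}

# cmdline_selinux CMDLINE: print the last selinux=<n> value given, empty if none.
cmdline_selinux() {
    last=
    for word in $1; do
        case $word in
            selinux=*) last=${word#selinux=} ;;
        esac
    done
    printf '%s' "$last"
}

# selinux_boot_state CONFIG_TEXT CMDLINE: print one of
#   not-built | enabled-no-bootparam | enabled | disabled | invalid
selinux_boot_state() {
    if [ "$(cfg_value "$1" SECURITY_SELINUX)" != y ]; then
        echo not-built; return
    fi
    if [ "$(cfg_value "$1" SECURITY_SELINUX_BOOTPARAM)" != y ]; then
        # Without the boot parameter option, selinux=0 has no effect.
        echo enabled-no-bootparam; return
    fi
    value=$(cmdline_selinux "$2")
    # No selinux= on the command line: fall back to the compiled-in default,
    # which Kconfig itself defaults to 1.
    [ -n "$value" ] || value=$(cfg_value "$1" SECURITY_SELINUX_BOOTPARAM_VALUE)
    case ${value:-1} in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo invalid ;;
    esac
}

# Constructed sample input (assumed values, not the poster's actual config).
SAMPLE_CONFIG='CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set'

selinux_boot_state "$SAMPLE_CONFIG" "root=/dev/sda1 ro"            # enabled
selinux_boot_state "$SAMPLE_CONFIG" "root=/dev/sda1 ro selinux=0"  # disabled
```

On a running system the two inputs can be taken from `zcat /proc/config.gz` (when the kernel exposes its config there) and `cat /proc/cmdline`.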