On 3/9/06, Steve B <linuxcodehacker@×××××.com> wrote:
>
> Hey everybody,
>
> Quick question. How can I disable SELinux without modifying
> (recompiling) the kernel? The reason I ask is because my kernel was
> compiled with SELinux support, however it's not "active". Apparently
> vpopmail has issues with SELinux and I believe that I am having
> problems because of this. I don't have the luxury of recompiling the
> kernel because this is a virtual server running under Xen 2.0.
>
> Thanks!
>
> V/R
> Steve
>
> --
> gentoo-user@g.o mailing list
>
>
Steve,

If the kernel has been configured to allow it, there is a boot command
parameter that can disable SELinux. This parameter is 'selinux=0' by
default, 'selinux=1' enables it. If not, you'll have to find another way.

From the kernel config:

config SECURITY_SELINUX_BOOTPARAM
	bool "NSA SELinux boot parameter"
	depends on SECURITY_SELINUX
	default n
	help
	  This option adds a kernel parameter 'selinux', which allows SELinux
	  to be disabled at boot.  If this option is selected, SELinux
	  functionality can be disabled with selinux=0 on the kernel
	  command line.  The purpose of this option is to allow a single
	  kernel image to be distributed with SELinux built in, but not
	  necessarily enabled.

	  If you are unsure how to answer this question, answer N.

config SECURITY_SELINUX_BOOTPARAM_VALUE
	int "NSA SELinux boot parameter default value"
	depends on SECURITY_SELINUX_BOOTPARAM
	range 0 1
	default 1
	help
	  This option sets the default value for the kernel parameter
	  'selinux', which allows SELinux to be disabled at boot.  If this
	  option is set to 0 (zero), the SELinux kernel parameter will
	  default to 0, disabling SELinux at bootup.  If this option is
	  set to 1 (one), the SELinux kernel parameter will default to 1,
	  enabling SELinux at bootup.

	  If you are unsure how to answer this question, answer 1.

config SECURITY_SELINUX_DISABLE
	bool "NSA SELinux runtime disable"
	depends on SECURITY_SELINUX
	default n
	help
	  This option enables writing to a selinuxfs node 'disable', which
	  allows SELinux to be disabled at runtime prior to the policy load.
	  SELinux will then remain disabled until the next boot.
	  This option is similar to the selinux=0 boot parameter, but is to
	  support runtime disabling of SELinux, e.g. from /sbin/init, for
	  portability across platforms where boot parameters are difficult
	  to employ.

	  If you are unsure how to answer this question, answer N.

HTH,

Simon
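
The Kconfig help text quoted in the reply above determines whether `selinux=0` on the kernel command line has any effect. The following is an added example, not part of the original thread or of the kernel source, that evaluates that logic for a given config file and command line; the function names `cfg_value`, `selinux_boot_state` and `sample_config`, the state names it prints, and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel source).

# cfg_value CONFIG_FILE SYMBOL: print the value of CONFIG_<SYMBOL>, if set.
cfg_value() {
    sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1
}

# selinux_boot_state CONFIG_FILE CMDLINE
# Prints one of: not-built, enabled-no-bootparam, enabled, disabled
selinux_boot_state() {
    config=$1
    cmdline=$2
    [ "$(cfg_value "$config" SECURITY_SELINUX)" = y ] ||
        { echo not-built; return 0; }
    # Without SECURITY_SELINUX_BOOTPARAM the 'selinux' parameter is not
    # compiled in, so selinux=0 on the command line changes nothing.
    [ "$(cfg_value "$config" SECURITY_SELINUX_BOOTPARAM)" = y ] ||
        { echo enabled-no-bootparam; return 0; }
    # Compiled-in default value; the Kconfig entry defaults it to 1.
    state=$(cfg_value "$config" SECURITY_SELINUX_BOOTPARAM_VALUE)
    state=${state:-1}
    # An explicit selinux=N overrides the default; in this loop a later
    # occurrence replaces an earlier one.
    for arg in $cmdline; do
        case $arg in
            selinux=*) state=${arg#selinux=} ;;
        esac
    done
    # The help text documents 0 (disabled) and 1 (enabled).
    if [ "$state" = 0 ]; then echo disabled; else echo enabled; fi
}

# Constructed sample config, not taken from a real system.
sample_config() {
    cat <<'EOF'
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_SELINUX_DISABLE is not set
EOF
}
```

On a running system the inputs would typically be the kernel's config file (for example `/boot/config-$(uname -r)`, if the distribution installs one) and `"$(cat /proc/cmdline)"`.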