On Friday 19 January 2007 07:40, Stephen Smalley wrote:
>
>Aside from rebuilding from source with selinux options disabled in the
>compile-time configuration, you are correct - you cannot remove the
>actual selinux bits from Fedora at runtime, although you can disable
>their execution (boot with selinux=0). Performing an audit of the code
>associated with disabling SELinux at boot time isn't difficult, and
>doesn't require understanding the rest of the SELinux code that is never
>reached in that case.

I have removed it from the kernel, but those log messages I posted before are still in the logwatch report this morning. I'm a bit less concerned with it now after all this discussion, but I doubt if I'll bring it back in.

Why? Well, so far, the instructions as to how to recover the system once it's been disabled have not been good enough to re-enable everything, so even if it's set permissive, my logs will have many kilobytes a day saying that this or that was blocked. My nightly amanda run probably makes 50k of entries all by itself.

Those recovery instructions should be in a 'man selinux' but I don't recall seeing them in there when I did look 2 weeks ago. Were they, and I can't read?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2007 by Maurice Eugene Heskett, all rights reserved.