On Fri, 2007-01-19 at 10:03 -0500, Gene Heskett wrote:
> On Friday 19 January 2007 07:40, Stephen Smalley wrote:
>
> >Aside from rebuilding from source with selinux options disabled in the
> >compile-time configuration, you are correct - you cannot remove the
> >actual selinux bits from Fedora at runtime, although you can disable
> >their execution (boot with selinux=0). Performing an audit of the code
> >associated with disabling SELinux at boot time isn't difficult, and
> >doesn't require understanding the rest of the SELinux code that is never
> >reached in that case.
>
> I have removed it from the kernel, but those log messages I posted before
> are still in the logwatch report this morning.

Do you mean the loginuid messages? That isn't selinux, as I said - that
is audit-related. You can remove pam_loginuid from your /etc/pam.d/*
configs. You could file a bug against it or audit arguing that they
should check whether audit is enabled in the kernel and silently exit in
that case.

> I'm a bit less concerned with it now after all this discussion, but I
> doubt if I'll bring it back in. Why? Well, so far, the instructions as
> to how to recover the system once it's been disabled have not been good
> enough to re-enable everything, so even if it's set permissive, my logs
> will have many kilobytes a day saying that this or that was blocked. My
> nightly amanda run probably makes 50k of entries all by itself.
>
> Those recovery instructions should be in a 'man selinux' but I don't
> recall seeing them in there when I did look 2 weeks ago. Were they, and
> I can't read?

Do you mean how to relabel your filesystems? That is mentioned there as
well as in the Fedora SELinux FAQ, and rc.sysinit should do it
automatically upon booting a selinux-enabled kernel after previously
running disabled. Possibly it needs to run fixfiles with the -F flag to
force relabeling of even customizable contexts.

File bugs on the appropriate packages (initscripts if it isn't working
correctly, libselinux for the man page).

--
Stephen Smalley
National Security Agency
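The following is an added example, not part of the thread above and not code from either poster or from Fedora. It turns the three points Stephen makes into a small POSIX sh checklist an administrator can run or adapt: report whether SELinux is actually active in the running kernel (reading the enforce flag under /sys/fs/selinux, or the older /selinux mount point, both assumed here), find which PAM service files still load pam_loginuid (the audit component behind the loginuid messages) and comment those lines out reversibly instead of deleting them, and schedule the full relabel that rc.sysinit performs on the next boot. The relabel trigger used here, creating the /.autorelabel flag file, is the standard Fedora mechanism and is my addition; the thread itself only names rc.sysinit and fixfiles -F. Every function takes a root or directory argument so the checks can be exercised against a constructed tree rather than the live system.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a Fedora-style system for
# the two things discussed above -- whether SELinux is really active, and
# whether pam_loginuid (audit, not SELinux) is still wired into PAM.
# Paths are parameters so the checks can run against a constructed tree.

# selinux_state SYSROOT
# Prints "disabled" when no SELinux filesystem is present (booted with
# selinux=0 or built without it); otherwise "enforcing" or "permissive"
# from the kernel's enforce flag. Both mount points are assumptions.
selinux_state() {
  root=${1:-}
  if [ -f "$root/sys/fs/selinux/enforce" ]; then
    enforce=$(cat "$root/sys/fs/selinux/enforce")
  elif [ -f "$root/selinux/enforce" ]; then
    enforce=$(cat "$root/selinux/enforce")
  else
    echo disabled
    return 0
  fi
  case "$enforce" in
    1) echo enforcing ;;
    0) echo permissive ;;
    *) echo unknown ;;
  esac
}

# pam_loginuid_files PAMDIR
# Lists the PAM service files with an active (uncommented) pam_loginuid
# line. These are the files that produce the loginuid log messages when
# the audit subsystem is not there to back them.
pam_loginuid_files() {
  grep -l '^[^#]*pam_loginuid\.so' "$1"/* 2>/dev/null || true
}

# strip_pam_loginuid FILE
# Comments out the pam_loginuid line rather than deleting it, so the
# change is visible in the file and trivially reversible. Already
# commented lines are left alone. Written via a temp file to stay POSIX.
strip_pam_loginuid() {
  f=$1
  sed -e '/^[[:space:]]*#/!{' -e '/pam_loginuid\.so/s/^/#/' -e '}' "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
}

# schedule_relabel SYSROOT
# Creates the /.autorelabel flag that rc.sysinit checks at boot; the
# equivalent from a running system is "fixfiles -F relabel", where -F
# forces customizable contexts to be reset as well (see the thread).
schedule_relabel() {
  : > "${1:-}/.autorelabel"
}

# report SYSROOT: human-readable summary for the given root.
report() {
  root=${1:-}
  echo "SELinux: $(selinux_state "$root")"
  files=$(pam_loginuid_files "$root/etc/pam.d")
  if [ -n "$files" ]; then
    echo "pam_loginuid still active in:"
    echo "$files"
  else
    echo "pam_loginuid: not configured"
  fi
}

# Usage from a shell:  sh thisfile.sh --report /     (or a chroot path)
if [ "${1:-}" = --report ]; then
  report "${2:-}"
fi
```

Running `report` against `/` gives the state of the live machine; against a chroot or a copied tree it is a dry run. `strip_pam_loginuid` is deliberately not called by `report`, so inspection and modification stay separate steps.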