On Fri, Sep 21, 2007 at 15:35:51 +0000, Beartooth <Beartooth@xxxxxxxx> wrote:
> # SELINUXTYPE= type of policy in use. Possible values are:
> # targeted - Only targeted network daemons are protected.
> # strict - Full SELinux protection.
> SELINUXTYPE=targeted
>
> Note that it says "targeted" -- typically, without giving me any
> faintest hint at what. The same file on the machine I disabled selinux
> from yesterday is the same except for "disabled" instead of "permissive."

You didn't happen to notice the comment lines preceding the definition? Though it is a bit out of date, as the targeted policy is covering some non-daemons now. But most stuff run by users is going to run in the unconfined domain. In F8 there will be a way to have some users run programs in a confined domain by default.

> I *hope* targeted makes no difference so long as selinux is
> disabled. But that doesn't tell me what is targeted on the other
> machines, nor whether the default choices fit my kind of situation. (If
> they do, I'll take it on faith that they're well chosen.)

It makes a difference in permissive in that newly created files get a context based on the definitions from the policy being used. This doesn't happen when SELinux is disabled, which is related to why this mode is discouraged. Even in disabled mode it might have some effect if you were to run some of the relabelling programs. I never tried that, though, and it's possible they wouldn't actually do any relabelling when SELinux is disabled.
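
An added example, not part of the original message: a shell script that reads an `/etc/selinux/config`-style file and reports the labelling behaviour described in the reply above (permissive still labels newly created files from the named policy, disabled does not). The function names, the constructed sample file, and the first-match rule for a repeated key are assumptions of this example.

```shell
# Added example, not from the original thread.

# cfg_value FILE KEY: print the value of the first uncommented KEY= line.
# Taking the first match when a key repeats is this example's assumption.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# labelling_summary FILE: one line giving the mode, the policy type and
# whether newly created files receive a context from that policy.
labelling_summary() {
    mode=$(cfg_value "$1" SELINUX)
    policy=$(cfg_value "$1" SELINUXTYPE)
    case "$mode" in
        enforcing|permissive) labelled=yes ;;     # contexts assigned from the policy
        disabled)             labelled=no ;;      # new files get no context
        *)                    labelled=unknown ;; # missing or unrecognised value
    esac
    echo "mode=${mode:-unset} policy=${policy:-unset} new_files_labelled=$labelled"
}

# Constructed sample input, modelled on the file quoted in the thread.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
SELINUX=permissive
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF

labelling_summary "$sample"
```

On a live system, pass `/etc/selinux/config` as the argument; the file records the boot-time setting, which can differ from the running mode.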