Thread: SELinux Disable




SELinux Disable
user name
2007-03-16 08:17:11
I'm thinking of running SElinux on my desktop, as an experiment, but in order to safeguard myself, because I'm not yet that familiar with it is there a way to disable selinux at boot? or some other way I can disable it entirely in case it's making my system unusable.

I use grub as a bootloader.
Re: SELinux Disable
user name
Sweden
2007-03-16 08:58:36
Are you thinking of a dual-boot system?

Fri, 16 Mar 2007 09:17:11 -0400, "Caleb Cushing" <xenoterracidegmail.com> wrote:
> I'm thinking of running SElinux on my desktop, as an experiment, but in
> order to safeguard myself, because I'm not yet that familiar with it is
> there a way to disable selinux at boot? or some other way I can disable it
> entirely in case it's making my system unusable.
>
> I use grub as a bootloader.

-- 
gentoo-hardenedgentoo.org mailing list


Re: SELinux Disable
user name
2007-03-16 09:57:36
Hi Caleb,

> I'm thinking of running SElinux on my desktop, as an experiment, but in
> order to safeguard myself, because I'm not yet that familiar with it is
> there a way to disable selinux at boot? or some other way I can disable it
> entirely in case it's making my system unusable.
>
> I use grub as a bootloader.

Use selinux=0 as kernel parameter. After booting without SELinux enabled
you probably will need to relabel your files to switch back to SELinux.

Some googling found this URL:

http://www.crypt.gen.nz/selinux/disable_selinux.html

As for using SELinux as a Desktop-System: It is not (yet) supported by
gentoo.

<heretic-mode> Redhat/Fedora support SELinux enabled GUI systems, if you
are new to selinux and are indifferent to the distro you use you might
want to try them. </heretic-mode>

Jens

-- 
gentoo-hardenedgentoo.org mailing list


Re: SELinux Disable
user name
United States
2007-03-16 10:40:35
On Fri, 2007-03-16 at 09:17 -0400, Caleb Cushing wrote:
> I'm thinking of running SElinux on my desktop, as an experiment, but
> in order to safeguard myself, because I'm not yet that familiar with
> it is there a way to disable selinux at boot? or some other way I can
> disable it entirely in case it's making my system unusable.
>
> I use grub as a bootloader.

Aside from disabling selinux entirely with the kernel parameter
selinux=0 (as previously described), you can also run selinux in
permissive mode.  In this case, it will allow anything and log what
would have been denied in enforcing mode.

The following describes how to switch between permissive and enforcing:

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=2#doc_chap8

sf

-- 
gentoo-hardenedgentoo.org mailing list


Re: SELinux Disable
user name
2007-03-16 20:13:35
Thanks for the help guys. I know that Fedora offers this support, however I'm not so interested in it. No, I'm not dual booting, just want a safe way back in case I need to do something and can't, and yes I know it's not supported on desktop. I actually have it running over here on another box, but that box isn't really... forcing me to learn, cause it just sits here and I go poke around a little... I'm not really thinking of dual booting btw, as that would imply running two separately installed OSes. I already have multiple options such as single-user mode and older kernels for grub, as fail-safes.

On 3/16/07, Stephen Fromm <stephenfnero.net> wrote:
> On Fri, 2007-03-16 at 09:17 -0400, Caleb Cushing wrote:
> > I'm thinking of running SElinux on my desktop, as an experiment, but
> > in order to safeguard myself, because I'm not yet that familiar with
> > it is there a way to disable selinux at boot? or some other way I can
> > disable it entirely in case it's making my system unusable.
> >
> > I use grub as a bootloader.
>
> Aside from disabling selinux entirely with the kernel parameter
> selinux=0 (as previously described), you can also run selinux in
> permissive mode.  In this case, it will allow anything and log what
> would have been denied in enforcing mode.
>
> The following describes how to switch between permissive and enforcing:
>
> http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=2#doc_chap8
>
> sf
>
> --
> gentoo-hardenedgentoo.org mailing list


Re: SELinux Disable
user name
Finland
2007-04-05 18:11:50
On 16.03.2007, at 16:57, Jens Neuhalfen wrote:

> http://www.crypt.gen.nz/selinux/disable_selinux.html

These guides often talk about "/etc/selinux/config (for Fedora/RedHat)".
Where do I find a corresponding file on Gentoo, if there is one?

Philipp
-- 
gentoo-hardenedgentoo.org mailing list


Re: SELinux Disable
user name
Finland
2007-04-05 18:27:23
On 16.03.2007, at 17:40, Stephen Fromm wrote:

> Aside from disabling selinux entirely with the kernel parameter
> selinux=0 (as previously described), you can also run selinux in
> permissive mode.  In this case, it will allow anything and log what
> would have been denied in enforcing mode.

I wanted to try out SELinux but not lock myself out of my system.
Therefore I used permissive mode. Now the 100s of error messages in
dmesg

"
audit(1175815400.344:300): avc:  denied  { read write } for  pid=7223 comm="su" name="access" dev=selinuxfs ino=6 ipaddr=*censored* scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
"

got on my nerves, so I decided to disable SELinux until I find more
time to read all the docs and solve these issues:

"
chris ~ # cat /proc/cmdline
root=/dev/hda3 noexec=on selinux=0
chris ~ # selinuxenabled && echo 1
1
"

Well... looks like it did not work. Any idea what I could do?

Philipp
-- 
gentoo-hardenedgentoo.org mailing list
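
Added example, not part of the original thread: a POSIX shell function that condenses permissive-mode AVC denials like the one quoted above into one line per source context, target context, class and permission set, with a count. The function names are hypothetical and the sample log lines are constructed from the denial in the message.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Read kernel log text on stdin and print "count scontext tcontext tclass perms",
# most frequent first, so hundreds of denials collapse into a short list.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        # Permissions sit between braces: "{ read write }" becomes "read,write"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) s = substr($i, 10)
            if ($i ~ /^tcontext=/) t = substr($i, 10)
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        n[s " " t " " c " " perms]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Constructed sample: the denial from the message twice, plus one made-up denial.
sample_dmesg() {
    cat <<'EOF'
audit(1175815400.344:300): avc:  denied  { read write } for  pid=7223 comm="su" name="access" dev=selinuxfs ino=6 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
audit(1175815400.901:301): avc:  denied  { read write } for  pid=7230 comm="su" name="access" dev=selinuxfs ino=6 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
audit(1175815401.120:302): avc:  denied  { getattr } for  pid=7301 comm="ls" name="shadow" dev=hda3 ino=4242 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
EOF
}

sample_dmesg | summarize_avc
```

On a live system the input would be `dmesg | summarize_avc`.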


Re: SELinux Disable
user name
France
2007-04-07 10:40:08
Philipp Riegger wrote:
>
> On 16.03.2007, at 17:40, Stephen Fromm wrote:
>
>> Aside from disabling selinux entirely with the kernel parameter
>> selinux=0 (as previously described), you can also run selinux in
>> permissive mode.  In this case, it will allow anything and log what
>> would have been denied in enforcing mode.
>
> I wanted to try out SELinux but not lock myself out of my system.
> Therefore I used permissive mode. Now the 100s of error messages in dmesg
>
> "
> audit(1175815400.344:300): avc:  denied  { read write } for  pid=7223 comm="su" name="access" dev=selinuxfs ino=6 ipaddr=*censored* scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file

This looks wrong, maybe your filesystem needs relabelling?

> "
>
> got on my nerves, so I decided to disable SELinux until I find more
> time to read all the docs and solve these issues:
>
> "
> chris ~ # cat /proc/cmdline
> root=/dev/hda3 noexec=on selinux=0
> chris ~ # selinuxenabled && echo 1

selinux=0 is a kernel boot option which is normally always allowed
unless you tweaked the selinux options when compiling your kernel. It
does what it says on the tin, selinux would not be enabled and /selinux
could not be mounted if set to 0.
Are you sure selinux is still enabled?
ls /selinux

> 1
> "
>
> Well... looks like it did not work. Any idea what I could do?
>
> Philipp
> --
> gentoo-hardenedgentoo.org mailing list

-- 
gentoo-hardenedgentoo.org mailing list


Re: SELinux Disable
user name
Finland
2007-04-07 11:54:47
On 07.04.2007, at 18:40, Antoine Martin wrote:

> This looks wrong, maybe your filesystem needs relabelling?

I don't know, I relabeled my filesystem after installing selinux and
again after the first boot. Is there anything that makes relabeling
needed, again? Could it be that I must change something with my
ext3? Everything from the selinux guide is enabled in the kernel, but
was probably not when I created the fs.

> selinux=0 is a kernel boot option which is normally always allowed
> unless you tweaked the selinux options when compiling your kernel.

It was the kernel option. Thanks a lot.

Philipp

-- 
gentoo-hardenedgentoo.org mailing list
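
Added example, not part of the original thread: a POSIX shell check for the situation resolved above, where selinux=0 is on the kernel command line but SELinux is still active. The function names are hypothetical, the sample files are constructed, and it assumes the boot parameter is controlled by the kernel option CONFIG_SECURITY_SELINUX_BOOTPARAM and that a kernel with SELinux initialised lists selinuxfs in /proc/filesystems.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Each function takes file
# paths so it can be pointed at /proc/cmdline, /proc/filesystems and the
# .config the running kernel was built from.

# Print the value of the last "key=value" token on the kernel command line.
cmdline_value() {  # $1=key  $2=cmdline file
    tr ' ' '\n' < "$2" | sed -n "s/^$1=//p" | tail -n 1
}

# Succeeds if the kernel was built to honour the selinux= boot parameter.
bootparam_supported() {  # $1=kernel config file
    grep -q '^CONFIG_SECURITY_SELINUX_BOOTPARAM=y' "$1"
}

# Succeeds if the running kernel registered selinuxfs, i.e. SELinux is active.
selinuxfs_registered() {  # $1=filesystems file
    grep -qw 'selinuxfs' "$1"
}

# Print one verdict word for the combination of the three inputs.
diagnose() {  # $1=cmdline  $2=filesystems  $3=kernel config
    want=$(cmdline_value selinux "$1")
    if [ "$want" != "0" ]; then
        echo "not-requested"          # selinux=0 was never passed
    elif ! selinuxfs_registered "$2"; then
        echo "disabled"               # parameter honoured
    elif ! bootparam_supported "$3"; then
        echo "ignored-no-bootparam"   # kernel built without the boot parameter
    else
        echo "still-enabled-unknown"  # look elsewhere (wrong kernel or config?)
    fi
}

# Constructed sample files mirroring the state shown in the thread.
demo_dir=$(mktemp -d)
printf 'root=/dev/hda3 noexec=on selinux=0\n' > "$demo_dir/cmdline"
printf 'nodev\tproc\nnodev\tselinuxfs\n\text3\n' > "$demo_dir/filesystems"
printf '# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set\nCONFIG_SECURITY_SELINUX=y\n' \
    > "$demo_dir/config"

diagnose "$demo_dir/cmdline" "$demo_dir/filesystems" "$demo_dir/config"
```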


Re: SELinux Disable
user name
Switzerland
2007-04-08 15:39:39
Hi

>> http://www.crypt.gen.nz/selinux/disable_selinux.html
>
> These guides often talk about "/etc/selinux/config (for
> Fedora/RedHat)". Where do I find a corresponding file on Gentoo, if
> there is one?

/etc/security/selinux

greetings pete
-- 
gentoo-hardenedgentoo.org mailing list

