How best get rid of SELinux?

Arthur Pemberton pemboa at
Fri Sep 21 17:10:26 UTC 2007

On 9/21/07, Gene Heskett <gene.heskett at> wrote:
> On Friday 21 September 2007, Ed Greshko wrote:
> >Gene Heskett wrote:
> >> I have a firewall that has so far been bulletproof.  Its called dd-wrt,
> >> run on an old scrap x86 box, booting busybox from a cf card, no drives in
> >> it & only 2 fans.
> >
> >I'm not sure why you are comparing the functions of SELinux with the
> >functions of a firewall.  It would be nice to hear your interpretation of
> >the issues that SELinux targets v.s. what a Firewall targets.  If you think
> >they serve the same functions it would be nice if you would cite your
> > source.
> Several people have referred to 'that hacker' getting into the system, which
> is how I at least made the connection to a firewall.

So you're firewalls are capable of protecting against 'that hacker'
who _is_ on your box, ie. has gotten past your firewall somehow -
getting past a firewall is by no means an impossible task

> And to me, the firewall
> function of standing guard between my stuff and the rest of the planet is at
> least 10,000 times more important than silently, no log was generated,
> blocking off any and all access to the hardware data ports (usb and serial)
> even when that file says SELINUX=disabled.

So umm, why do you think it was SELinux causing the problem?

> In truth, and from the clues this old troubleshooter has detected, the only
> thing disabled by the above line is the logging, selinux is still standing
> behind the user, with a baseball bat hitting you in the back of the knee
> joints but using a pillow to muffle the noise.  But that will be denied
> vociferously by those whose purpose it is to see to it that we run with it
> enabled.  If you don't believe that, just watch this space...

I have several machines with SELinux disabled, and I see no messages from it.

> Questions that need answered _here_, where the whole list will read them are:

You make it sound like there is some attempted coverup going on

> Why do the supposed selinux functions, if 10,000% less important than a
> firewall (my personal estimation anyway) seem to take 10,000 times more
> maintenance than the far more important firewall?

Well besides the obvious possibility that your personal estimation is
wrong, there is the fact that they provide very different
functionality. Here's a bad metric, but one I think is still somewhat
useful. The SElinux howto/tutorial is at least 50% the size of that
Iptables howto, while providing all the necessary information

> And why is it that any "refutation of my claims messages" all have little or
> nothing to say except point the reader to other net locations where the
> propaganda to be read was written by someone WITH an agenda.

I haven't notice any specific claims. Please provide a list that we
can go through, and/or join the fedora-selinux list. Please, it
doesn't seem rational to be throwing around the word propaganda just

> And why is it that an error if logged, can't it be grepped for in the
> man-pages and the correct command line option to fix it be found?

There is a tool that gives you the exact command you need to fix an
SElinux error, much simpler than grepping i believe.

> I suppose the theory there is not to make it too simple for the hacker to fix,
> but if the hacker has gotten to that point, I'll submit that you already have
> a hell of a lot bigger problem than selinux is ever going to fix.

That is not the theory as far as I know. With SELinux present, said
hacker would likely not get far enough to disable SELinux. They didn't
in my case.

> Rant/Observation:
> Its a 'solution' looking for a 'problem' and if it can't find a problem, it
> will make 10 problems just for spite.

It solves problems for me, if you do not share this, that is
understandable. But it does infact solve problems.

Fedora 7 : sipping some of that moonshine
( )

More information about the users mailing list