I've finally turned SELinux fully off even on my laptop

June 24, 2015

As I've mentioned before, I started out with SELinux turned on on my laptop because it's essentially a stock Fedora install and that's how Fedora defaults, and using SELinux felt virtuous. Last year I reached the end of my patience with running SELinux in enforcing mode, where it actually denies access to things; instead I switched it to permissive, where it just whines about things that it would have forbidden and then a whole complicated pile of software springs into action to tell you about these audit failures with notifications, popup dialogs and so on.

Today I gave up on that. My laptop now has SELinux disabled entirely (as my desktop machines have for years). The cause is simple: too many SELinux violations kept happening and especially too many new and different ones kept coming up. I am only willing to play whack a mole on notification alerts for so long before I stop caring entirely, and I reached that point today. The simplest and most easily reversed way to stop getting notifications about SELinux violations is to set the SELinux policy to disabled in /etc/selinux/config, so that's what I did.

It's possible that some of the problem is due to just upgrading to Fedora 22 with yum instead of, say, fedup, and perhaps it could be patched up somewhat with 'restorecon -R /'. Perhaps a wholesale reinstall would reduce it even more (at the cost of putting me through a wholesale reinstall and then figuring out how to set up my environment and my account and keys and wifi access and VPNs and so on all over again). Certainly I assume that SELinux has to work for some people on Fedora. But I no longer care. I am done with being quixotically virtuous and suffering for it.

(I originally put a rant about Fedora and SELinux here, but after thinking about it I took it out again. It's nothing I haven't said before and I can't be sure that my SELinux problems would still be there if I did absolutely everything the officially approved Fedora way. Since I'm never going to stop eg doing Fedora version updates with yum, well, that case will never apply to me.)

Comments on this page:

By Marc at 2015-06-24 11:20:35:

Fedora's upgrade program is called 'fedup'?

Cool :)

By cks at 2015-06-24 15:45:47:

It really is: FedUp.

I'm sure some people had fun with the name.

Written on 24 June 2015.
« A Bash test limitation and the brute force way around it
Multiple set matches with Linux's iptables 'ipset' extension »

These are my WanderingThoughts
(About the blog)

Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.
Twitter: @thatcks

* * *

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web

This is a DWiki.
GettingAround
(Help)

Search:
Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Wed Jun 24 02:28:51 2015
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.