March 14, 2025

Fedora 41 -- SELinux

I view SELinux as my mortal enemy. If I am working on a Linux system, doing everything right, double checking things, and still having problems, I have learned to ask, "Is SELinux running?".

If it is, I disable it. I try to remember to make disabling it part of my checklist for setting up new systems. Anything that consistently does things that are stupid, troublesome, and unexpected needs to be gotten rid of. Network Manager also used to be in this class, but now, after several years, it no longer is a stupid troublemaker.

Is selinux running?

The commands "sestatus" and "getenforce" are the tools that tell you whether selinux is an active trouble maker. You want to see:
root@trona:/etc/selinux# sestatus
SELinux status:                 disabled
root@trona:/etc/selinux# getenforce
Disabled

Let's get rid of it!

In the good old days, you used to edit the file /etc/selinux/config, and you should still do so. Find this line and make it "disabled":
SELINUX=disabled
You will then need to reboot -- but wait! Now there is more. You now need to add "selinux=0" to the kernel command line. You use a tool called "grubby" and issue this command:
grubby --update-kernel ALL --args selinux=0
So, edit the config file, run grubby as shown, then reboot. After the system is booted, check using the sestatus and/or getenforce commands.

If you are curious as to whether the kernel command line already has this set, do this:

grubby --default-kernel
/boot/vmlinuz-6.13.6-200.fc41.x86_64
root@crater:/home/tom# grubby --info=/boot/vmlinuz-6.13.6-200.fc41.x86_64
...
args="ro resume=UUID=71001cbf-8204-4098-8155-976XXXXX51c rhgb quiet selinux=0"
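
The two settings described above (the SELINUX= line in the config file and selinux=0 on the kernel command line) can be checked together. This is an added example, not part of the original post; the function names are hypothetical and the sample config and argument string are constructed.

```shell
#!/bin/sh
# Report which of the two SELinux settings from this page are in place.

# Print the value of the last uncommented SELINUX= line in a config file.
# SELINUXTYPE= and commented-out lines do not match the pattern.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print 0 or 1 from the last selinux= token in an argument string,
# or "unset" when no such token is present. Runs in a subshell so that
# disabling globbing (set -f) does not leak into the caller.
selinux_cmdline_flag() (
    set -f
    flag=unset
    for tok in $1; do
        case $tok in
            selinux=0|selinux=1) flag=${tok#selinux=} ;;
        esac
    done
    printf '%s\n' "$flag"
)

# Combine both checks: prints both, config-only, cmdline-only or neither.
selinux_settings() (
    mode=$(selinux_config_mode "$1")
    flag=$(selinux_cmdline_flag "$2")
    if [ "$mode" = disabled ] && [ "$flag" = 0 ]; then echo both
    elif [ "$mode" = disabled ]; then echo config-only
    elif [ "$flag" = 0 ]; then echo cmdline-only
    else echo neither
    fi
)

# Constructed sample input so the script runs anywhere.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SELINUX= can take one of these three values: enforcing, permissive, disabled
SELINUX=disabled
SELINUXTYPE=targeted
EOF
echo "settings in place: $(selinux_settings "$sample" 'ro rhgb quiet selinux=0')"
rm -f "$sample"
```

On a real system, call selinux_settings /etc/selinux/config "$(cat /proc/cmdline)" to check the running kernel's command line instead of the sample.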

Maybe we could learn to get along?

I view this kind of talk as Chamberlain making efforts to placate Hitler before WW-II. Don't waste time going down this road, it will simply lead to needless bloodshed.
Have any comments? Questions? Drop me a line!

Adventures in Computing / tom@mmto.org