Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Hardened
safely remove selinux from an existing install?
kutulu at kutulu
Mar 23, 2013, 5:34 AM
Post #1 of 3 (2126 views)
Permalink
I have a couple of old servers that are being replaced and repurposed as
developer testbed systems. Since they are already configured with all of the
software and settings that our production boxes need I want to keep them as
intact as possible. However, I want to remove selinux (and hardened in
general) from a couple of them.

The one and only time I tried to remove selinux from a running system it
severely broke coreutils and I ended up basically reinstalling. Is there a
known-safe procedure to remove the selinux bits from a system while leaving
everything else installed? What order do I need to do things to prevent the
existing selinux-aware stuff from falling apart?

--Mike
Re: safely remove selinux from an existing install? [ In reply to ]
sven.vermeulen at siphos
Mar 23, 2013, 11:13 AM
Post #2 of 3 (2081 views)
Permalink
On Mar 23, 2013 1:34 PM, "Mike Edenfield" <kutulu@kutulu.org> wrote:
>
> I have a couple of old servers that are being replaced and repurposed as
> developer testbed systems. Since they are already configured with all of
the
> software and settings that our production boxes need I want to keep them
as
> intact as possible. However, I want to remove selinux (and hardened in
> general) from a couple of them.
>
> The one and only time I tried to remove selinux from a running system it
> severely broke coreutils and I ended up basically reinstalling. Is there a
> known-safe procedure to remove the selinux bits from a system while
leaving
> everything else installed? What order do I need to do things to prevent
the
> existing selinux-aware stuff from falling apart?
>

I'm not aware of such a procedure for now... :-(

wkr,
Sven Vermeulen
Re: safely remove selinux from an existing install? [ In reply to ]
ben at bennyp
Mar 24, 2013, 8:01 AM
Post #3 of 3 (2082 views)
Permalink
On Saturday, March 23, 2013 07:13:44 PM Sven Vermeulen wrote:



kutulu@kutulu.org[1]> wrote:>> I have a couple of old servers that are being
replaced and repurposed as> developer testbed systems. Since they are
already configured with all of the> software and settings that our production
boxes need I want to keep them as> intact as possible. However, I want to
remove selinux (and hardened in> general) from a couple of them.>> The one
and only time I tried to remove selinux from a running system it> severely broke
coreutils and I ended up basically reinstalling. Is there a> known-safe procedure
to remove the selinux bits from a system while leaving> everything else
installed? What order do I need to do things to prevent the> existing selinux-
aware stuff from falling apart?>
I'm not aware of such a procedure for now... :-(
wkr, Sven Vermeulen



1.) Boot with selinux disabled (selinux=0 on the boot line). I think this would be
the most important thing. Or, boot with a kernel without selinux?
2.) Switch profile
3.) emerge --deep --newuse -av @world
4.) Slightly tricky part that took me a while - reinstall all packages that have a
companion '-selinux' package. For me, these weren't detected above. If you
don't do this, those companion -selinux packages will still be dependencies and
you can't remove them.
5.) Depclean all selinux packages (companion packages, plus policy, etc)
6.) Remove mountpoint from fstab, etc

NOTE: This probably doesn't qualify as a "known, safe" way, but it worked for me,
although my setup is relatively uncomplicated.

Ben
ben@bennyp.org



--------
[1] mailto:kutulu@kutulu.org

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal