> I have a problem that how to specify selinux=permissive at grub
> prompt, when /etc/sysconfig/selinux=enforcing?
Selinux related Kernel Parameters..
autorelabel=1 # Forces system to relabel
enforcing=0 #Sets selinux to Permissive (log only, no denials).
Yuan, the above is what you want; selinux=permissive does not exist.
enforcing=1 # Sets selinux to Enforcing (deny and log).
selinux=0 # THIS IS NOT THE SAME AS ENFORCING; this will cause the kernel to not load any of the selinux infrastructure, hence files that are created at boot time will not get a label and are marked as file_t ( Unlabeled file).
After booting with selinux=0 make sure that you do "touch /.autorelabel" ( This should be done by default but hey this is rawhide we are talking about :) ) or better yet do "echo 0 > /selinux/enforce && fixfiles relabel " or on next reboot pass the "enforcing=0 autorelabel=1" to the kernel.
( That is if you are gonna run selinux in either permissive or enforcing mode )
selinux=1 # Turns the selinux infrastructure on ( Default )...
selinux_compat_net=0 # Sets selinux to use new secmark-based packet controls ( default )
selinux_compat_net=1 # Sets selinux to use legacy packet controls
If you wanna change the value of selinux at runtime do....
echo 0 > /selinux/enforce # Sets selinux in permissive mode
echo 1 > /selinux/enforce #Sets selinux to enforce again..
For compat_net do..
echo 0 > /selinux/compat_net # secmark-based packet controls
echo 1 > /selinux/compat_net # legacy packet controls
To get the status of selinux use "getenforce"
To permanently change the status of selinux either edit /etc/selinux/config manually ( disabled,permissive,enabled ) or use setenforce=0 ( permissive ) or setenforce=1 (enabled ) or set kernel parameters to grub.conf
Best regards Johann B.
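
An added example, not part of the original message: a shell sketch that predicts which mode a boot ends up in from the kernel command line and the SELINUX= value in /etc/selinux/config. The function names and sample command lines are constructed here, and the precedence (selinux=0, then SELINUX=disabled, then enforcing=, then the config value) is an assumption about the usual boot behaviour.

```shell
#!/bin/sh
# Added example. Assumed precedence:
#   1. selinux=0 on the kernel command line -> disabled
#   2. SELINUX=disabled in the config file  -> disabled
#   3. enforcing=0|1 on the command line    -> permissive|enforcing
#   4. otherwise the config file value is used

# config_mode <file>: print the last SELINUX= value found in a config file.
config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# effective_mode "<kernel cmdline>" "<config value>"
# Runs in a subshell so set -f and the temporaries do not leak to the caller.
effective_mode() (
    set -f                      # no globbing while splitting the command line
    sel=1 enf=""
    for arg in $1; do
        case $arg in
            selinux=0)   sel=0 ;;
            selinux=1)   sel=1 ;;
            enforcing=0) enf=permissive ;;
            enforcing=1) enf=enforcing ;;
        esac
    done
    if [ "$sel" = 0 ] || [ "$2" = disabled ]; then
        echo disabled
    elif [ -n "$enf" ]; then
        echo "$enf"
    else
        echo "$2"
    fi
)

# Constructed sample command lines (not from a real system), config=enforcing.
for sample in "ro root=/dev/sda1 enforcing=0" \
              "ro root=/dev/sda1 selinux=0" \
              "ro root=/dev/sda1"; do
    printf '%-32s -> %s\n' "$sample" "$(effective_mode "$sample" enforcing)"
done
```

On a live system the call would be effective_mode "$(cat /proc/cmdline)" "$(config_mode /etc/selinux/config)", and the result can be compared with what getenforce reports after boot.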