Bill Nottingham wrote:
Richard Hally (rhally(a)mindspring.com) said:
>The purpose of the file is to set one of the three values when the
>system boots but not change it on the fly while the system is up?
>
>
Mainly to set the value when the system boots, although it will
change the enforcing level if you change it while it's operational.
>OK, so the next question is where is that file read and used? The
>init program? sysinit?
>
>
By init, yes.
>I get the impression that it will be overridden
>by kernel parameters, how does that happen?
>
>
It's a priority mechanism - kernel parameters (selinux=0, or enforcing=(1|0))
take precedence, then the values in /etc/sysconfig/selinux, then whatever
the kernel default is.
>Last question, has consideration been given to changing the value in
>that file when someone changes the actual status of SELinux (enforcing or
>permissive) with setenforce?
>
>
Not really... setenforce is (IMO) used for temporary changes.
The /selinux/enforce value changes depending on whether you are in
enforcing mode or not. Of course you can report this via getenforce.
Bill
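
Added example, not part of the original messages and not init's own code: a shell function that models the precedence order described above (kernel parameters, then /etc/sysconfig/selinux, then the kernel default) and reports which source decided the boot-time mode, which makes a boot parameter that overrides the file easy to spot. The function name, the constructed sample inputs and the `permissive` stand-in for the kernel default are assumptions.

```shell
#!/bin/sh
# Added example: models the precedence order as described in the thread.
# Arguments are strings so it runs offline; on a live system they would be
# "$(cat /proc/cmdline)" and "$(cat /etc/sysconfig/selinux)".
# Prints "<mode> <source>", where source is cmdline, config or default.
boot_selinux_mode() (
    set -f                        # no glob expansion while splitting the cmdline
    cmdline=$1
    config=$2
    default=${3:-permissive}      # assumption: stand-in for the kernel default

    sel=
    enf=
    for word in $cmdline; do      # if a parameter repeats, the last one is used here
        case $word in
            selinux=*)   sel=${word#selinux=} ;;
            enforcing=*) enf=${word#enforcing=} ;;
        esac
    done

    # SELINUX= line from the file; comment lines and SELINUXTYPE= do not match.
    cfg=$(printf '%s\n' "$config" |
          sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
          tail -n 1 | tr 'A-Z' 'a-z')

    if [ "$sel" = 0 ]; then
        echo "disabled cmdline"
    elif [ "$enf" = 1 ]; then
        echo "enforcing cmdline"
    elif [ "$enf" = 0 ]; then
        echo "permissive cmdline"
    else
        case $cfg in
            enforcing|permissive|disabled) echo "$cfg config" ;;
            *) echo "$default default" ;;
        esac
    fi
)

# Constructed sample inputs (not taken from the thread).
sample_config='# constructed sample file
SELINUX=enforcing
SELINUXTYPE=targeted'
boot_selinux_mode "ro root=/dev/sda1 enforcing=0" "$sample_config"
```

This reflects only the boot-time decision; a later setenforce changes the running mode without touching either input.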