> By definition, linux rescue will only be used by someone on site so I
> don't see why it should assume SEL is enabled.  I think it should be
> disabled.  I realise that the Upstream Vendor is married to SEL but there
> are those of us who would rather not use it at all, particularly as we
> patch the kernels with alternatives.  Would there ever be a possibility of
> SL without SEL?

(you can turn it off at boot time via selinux=0). One problem I see with
turning it off in general for the rescue media is that weird things
happen when you reboot a SELinux-aware system with a non-SELinux kernel,
make changes to the file system and boot back into SELinux. SELinux uses
extended attributes inside the filesystem for the security context, if
these don't get updated properly (e.g. on copy/rename) things tend to
fail later. While these problems can typically get fixed by
"relabeling", troubleshooting takes some time if the box refuses to let
you in..

Since "boot to fix things on the file system" looks like a major use
case for the rescue disk, this would get people regularly.

A safer alternative to totally disabling SELinux would be to run the
rescue disk in non-enforcing mode. That way the attributes will get
updated, but SELinux stays out of the way (except for complaining a bit
now and then).

Regards
Jan