SELinux Understanding
Nigel Henry
cave.dnb at tiscali.fr
Tue Oct 16 14:59:27 UTC 2007
On Tuesday 16 October 2007 14:59, Claude Jones wrote:
> On Mon October 15 2007, Bruno Wolff III wrote:
> > On Mon, Oct 15, 2007 at 13:57:11 -0400,
> >
> > Claude Jones <cjones at levitjames.com> wrote:
> > > On Monday October 15 2007 1:35:17 pm Nigel Henry wrote:
> > > > but as
> > > > re-enabling SELinux, in either permissive, or enforcing mode
> > > > results in the relabelling process being run, it's almost
> > > > impossible to know if the relabelling has resolved a genuine
> > > > problem or not.
> > >
> > > This is where you're mistaken. It's perfectly possible to set
> > > permissive and enforcing modes, without relabeling - relabeling
> > > is only forced after some updates, and that not very often -
> > > perhaps, this is something that should be addressed. Perhaps a
> > > warning message when you turn on enforcing, with instructions to
> > > relabel if you've run in permissive mode for some period of
> > > time...
> >
> > If you have run with selinux disabled, when you reenable it you are going
> > to need to check file labels. Any files created while selinux was
> > disabled are not going to be properly labelled.
> >
> > Even rebooting a machine can fix a problem, since that will effectively
> > relabel processes. So if an update didn't happen correctly, a reboot may
> > fix the problem and getting back to the preupdate state may take some
> > work.
>
> Are you objecting to what I said? I'm not sure, really. All I'm saying is
> that re-enabling SELinux doesn't automagically run the relabelling process
> as Nigel seems to be asserting - there are several ways to trigger a
> relabel on next reboot, but one has to issue a command to make that happen,
> or at least that's the way it used to work - I keep SELinux on, and have
> for a couple of years, now, so things may have changed since I last had it
> disabled.
>
> --
> Claude Jones
> Levit & James, Inc.
> Leesburg, VA, USA
Well I was only relating my experience, when having disabled SELinux for some
reason or other. Perhaps it was to see if the FTP problem I mentioned was
resolved with SELinux disabled. That aside, when I re-enabled SELinux in
enforcing mode on Fedora 7, then rebooted, it did run the relabelling process
automatically, saying something like "this may take some time".
I'm no SELinux guru, and only left it enabled (enforcing) on the Fedora 7
install, to see how it behaved. None of my other distros have it enabled, and
you could say I was being a bit curious. As it so happens the FTP problem was
easily resolvable using setroubleshoot's suggestion.
Nigel.
More information about the fedora-list
mailing list