selinux -- or is it

Rick Stevens ricks at nerd.com
Thu May 8 18:19:58 UTC 2008


g wrote:
> Daniel J Walsh wrote:
>> touch /.autorelabel
>> reboot
> 
> ok, '/.autorelabel' was there. it was there from install.
> 
> i did 'touch' it again to put new date on it. i did not boot into f8, as
> i did not know what state to have selinux in. now that i know how easy it
> is to disable selinux, which level should i put it in, 'enforcing' or
> 'permissive'?
> 
> [btw. i will not discuss how to easily disable selinux on this or any list.
>  nor do i believe it should be. no need to make it easy for system hackers.
>  if it has been told, please do not blame me just because i mentioned it.]

"disabled" means just that...SELinux is disabled.

"permissive" means that SELinux is running, but all operations are 
permitted and violations of the SELinux rules will be logged to
/var/log/audit/audit.log.  In other words, you aren't protected and
you'll be able to see what's going on.

"enforcing" means that SELinux is running and violations of the rules
will be blocked (and logged).

Note that from a disabled state, you can NOT use "setenforce" to switch
to permissive or enforcing mode.  It must _boot_ in permissive or
enforcing mode for the "setenforce" command to be used.

If you're still sorting things, I'd boot the system in "permissive"
mode.  You can then use the "audit2allow" tool to see what violations
are occurring.  Using that data, you can create new rules to permit them
or recognize that they really SHOULDN'T be happening and NOT include
rules (I won't get into how to determine that or how to use audit2allow
to generate local rules...that's a whole big can of worms that really
isn't appropriate for a list format).

You can continue to run in permissive mode to sort those rules and
implement them, then do a "setenforce" to put it in enforcing mode to
make sure things are correct.  If it runs in enforcing mode correctly
with your new rules added, THEN you can edit the /etc/selinux/config
file and have it boot in enforcing mode.

At least that's how I do it.  If anyone has better ideas, chime in
anytime.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2 at nerd.com -
- Hosting Consulting, Inc.                                           -
-                                                                    -
-       "Yeah, but you're taking the universe out of context."       -
----------------------------------------------------------------------
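The workflow above (boot permissive, read the denials out of audit.log, then decide which deserve a local rule before switching to enforcing) as an added shell example; this is not code from the thread or from the SELinux tools, and the config file and AVC records it processes are constructed stand-ins:

```shell
#!/bin/sh
# Added example (not from the original thread): read the SELINUX= line the reply
# says to edit in /etc/selinux/config, check whether "setenforce" is usable from
# the booted mode, and tally AVC denials from audit.log (a first pass at what
# audit2allow summarises). The sample config and audit lines are constructed.

# Print the configured boot mode (enforcing|permissive|disabled) from a config file.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# setenforce can only move between permissive and enforcing; a kernel that
# booted with SELinux disabled must be rebooted first (as the reply notes).
setenforce_usable() {
    case "$1" in
        enforcing|permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Tally denials as "<count> <source type> <target type> <class> <permissions>",
# most frequent first, to decide which ones deserve a rule and which should not occur.
summarize_avc() {
    grep 'avc:  denied' "$1" |
    sed -n 's/.*denied  { \([a-z_ ]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Constructed sample input (stand-ins for /etc/selinux/config and audit.log).
write_sample_config() {
    printf '# This file controls the state of SELinux on the system.\nSELINUX=permissive\nSELINUXTYPE=targeted\n' > "$1"
}
write_sample_audit() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1210270798.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1210270799.456:46): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1210270800.789:47): avc:  denied  { name_bind } for  pid=2222 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
}
demo() {
    dir=$(mktemp -d)
    write_sample_config "$dir/config"; write_sample_audit "$dir/audit.log"
    mode=$(selinux_config_mode "$dir/config")
    echo "configured boot mode: $mode"
    if setenforce_usable "$mode"; then echo "setenforce can switch permissive/enforcing"
    else echo "booted disabled: reboot into permissive first"; fi
    summarize_avc "$dir/audit.log"
    rm -rf "$dir"
}
demo
```

The two httpd_t denials on user_home_t files are the kind you would check against your intended setup before writing a rule for them; the tally only groups the log, it does not decide for you.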