Enabling SELinux (was Re: How to make SELinux in Fedora work?)

Stephen Smalley sds at epoch.ncsc.mil
Thu Jun 3 14:50:47 UTC 2004


On Thu, 2004-06-03 at 09:37, park lee wrote:
> On Thu, 27 May 2004 11:07:33, Tom London wrote:
>  
> >Following the attached advice, here's what I did:
> > 1. Modified /etc/sysconfig/selinux to have 'SELINUX=permissive'
> > 2. Rebooted single-user and ran 'fixfiles relabel'
> > 3. Rebooted multi-user
> 
> For the 2nd item, I want to ask why you must reboot in single-user?
> Can't we run 'fixfiles relabel' directly?

It is generally safer to run it in single-user mode, both to ensure that
you don't have any stray processes still running in the wrong domain
(and thus creating files in the wrong types after the relabel) and to
avoid problems with the purging of /tmp performed by relabel (as that
will kill files on which windowing applications depend).  fixfiles
restore avoids the purging of /tmp.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



