restoring default selinux policy configuration

Paul Howarth paul at city-fan.org
Wed Sep 17 23:29:27 UTC 2008


On Thu, 18 Sep 2008 09:17:40 +1000
Murray McAllister <mmcallis at redhat.com> wrote:

> Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Eric Paris wrote:
> >> On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Murray McAllister wrote:
> >>>> Hi,
> >>>>
> >>>> If I change a lot of booleans, or install a lot of custom
> >>>> policies, is there any way to restore selinux policy (targeted)
> >>>> to its default configuration?
> >>>>
> >>>> Thanks.
> >>>>
> >>>> -- 
> >>>> fedora-selinux-list mailing list
> >>>> fedora-selinux-list at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>> Well semanage does have a -D option to remove all local
> >>> customizations for the object
> >>>
> >>> man semanage
> >>> ..
> >>>
> >>>        -D, --deleteall
> >>>               Remove all OBJECTS local customizations
> >>>
> >>>
> >>>
> >>> Example:
> >>>
> >>> semanage ports -D
> >>>
> >>> Would remove all port changes.
> >>>
> >>> There is no way to do this with modules currently.
> >>>
> >>> You could look at the modules in /usr/share/selinux/targeted/*.pp
> >>> and compare them to semodule -l to see any modules that were
> >>> different and use semodule -r MODNAME to remove them.
> >> Gross horrible dangerous hack, be VERY careful, might eat your
> >> first born, kidnap your grandmother, and blow your house down...
> >>
> >> rpm -e --nodeps --justdb selinux-policy-targeted
> >> rm -rf /etc/selinux/targeted
> >> yum install selinux-policy-targeted
> >> touch /.autorelabel
> >> reboot
> >>
> >> yes? no?
> >>
> > I would put the machine in permissive before doing this.
> 
> Thanks. Should something like this be in the selinux user guide? The 
> commands above look safe to me - what's the worse that can happen?
> 
> Do problems occur if you don't relabel after the above steps?

You may have removed policy modules that included new file context
types that were in use on the system. Files originally labelled with
those types will be unlabelled after removing the modules, hence the
need to relabel.

Paul.
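The module comparison Dan describes above (look at /usr/share/selinux/targeted/*.pp, compare with `semodule -l`, then `semodule -r` the extras), written out as a script. This is an added example for this archive page, not code from the thread or from the selinux-policy package. It assumes the Fedora layout named in the thread (shipped modules as `DIR/NAME.pp`) and that `semodule -l` prints one `name<tab>version` line per module; the sample module names and the demo directory are constructed for offline use. It only prints the removal commands, so nothing is changed until you run them, ideally after `setenforce 0` as Dan suggests and followed by `touch /.autorelabel`.

```shell
#!/bin/sh
# Added example: list loaded SELinux modules that the policy package does not ship,
# and print the `semodule -r` commands that would remove them.
set -u

# shipped_modules DIR: module names derived from DIR/*.pp, sorted, one per line
shipped_modules() {
    for f in "$1"/*.pp; do
        [ -e "$f" ] || continue
        f=${f##*/}
        printf '%s\n' "${f%.pp}"
    done | sort -u
}

# loaded_modules FILE: first column of saved `semodule -l` output ("name\tversion"),
# sorted so it can be fed to comm(1)
loaded_modules() {
    awk 'NF { print $1 }' "$1" | sort -u
}

# extra_modules DIR FILE: modules that are loaded but have no shipped .pp of that name
extra_modules() {
    s=$(mktemp) || return 1
    l=$(mktemp) || { rm -f "$s"; return 1; }
    shipped_modules "$1" > "$s"
    loaded_modules "$2" > "$l"
    comm -13 "$s" "$l"          # lines only in the loaded list
    rm -f "$s" "$l"
}

# removal_commands DIR FILE: one `semodule -r NAME` line per extra module (printed, not run)
removal_commands() {
    extra_modules "$1" "$2" | sed 's/^/semodule -r /'
}

# Offline demo with constructed data (hypothetical module names, not a real system):
demo() {
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/targeted"
    touch "$t/targeted/apache.pp" "$t/targeted/sendmail.pp" "$t/targeted/smartmon.pp"
    printf 'apache\t2.0.1\nmylocal\t1.0\nsendmail\t1.9.0\ncustomweb\t0.1\n' > "$t/semodule-l.txt"
    removal_commands "$t/targeted" "$t/semodule-l.txt"
    rm -rf "$t"
}

# Real use on a box: semodule -l > /tmp/mods.txt && removal_commands /usr/share/selinux/targeted /tmp/mods.txt
[ "${1-}" = demo ] && demo
```

Review the printed list before running it: a module that is not in the shipped directory but that you still want (a local policy you wrote on purpose) should simply be left out of the removal.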