restoring default selinux policy configuration

Daniel J Walsh dwalsh at redhat.com
Thu Sep 18 18:18:22 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:
> Daniel J Walsh wrote:
> Eric Paris wrote:
>>>> On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>> Hash: SHA1
>>>>>
>>>>> Murray McAllister wrote:
>>>>>> Hi,
>>>>>>
>>>>>> If I change a lot of booleans, or install a lot of custom policies, is
>>>>>> there any way to restore selinux policy (targeted) to its default
>>>>>> configuration?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> -- 
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>> Well semanage does have a -D option to remove all local customizations
>>>>> for the object
>>>>>
>>>>> man semanage
>>>>> ..
>>>>>
>>>>>        -D, --deleteall
>>>>>               Remove all OBJECTS local customizations
>>>>>
>>>>>
>>>>>
>>>>> Example:
>>>>>
>>>>> semanage port -D
>>>>>
>>>>> Would remove all port changes.
>>>>>
>>>>> There is no way to do this with modules currently.
>>>>>
>>>>> You could look at the modules in /usr/share/selinux/targeted/*.pp
>>>>> and compare them to semodule -l to see any modules that were different
>>>>> and use semodule -r MODNAME to remove them.
>>>> Gross horrible dangerous hack, be VERY careful, might eat your first
>>>> born, kidnap your grandmother, and blow your house down...
>>>>
>>>> rpm -e --nodeps --justdb selinux-policy-targeted
>>>> rm -rf /etc/selinux/targeted
>>>> yum install selinux-policy-targeted
>>>> touch /.autorelabel
>>>> reboot
>>>>
>>>> yes? no?
>>>>
> I would put the machine in permissive before doing this.
> 
>> Thanks. Should something like this be in the selinux user guide? The
>> commands above look safe to me - what's the worst that can happen?
> 
>> Do problems occur if you don't relabel after the above steps?
> 
> 
> 
No, I believe a better solution would be

# setenforce 0
# yum remove selinux-policy\*
# rm -rf /etc/selinux/targeted /etc/selinux/config
# yum install selinux-policy-targeted
# yum install selinux-policy-devel policycoreutils-gui  *** Only if these were removed by the yum remove.
# touch /.autorelabel; reboot

Which will get the postinstall scripts to run properly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjSm2oACgkQrlYvE4MpobPB7wCfU7jyn9S2OITIVqqj9urtWIvr
zpcAoKfCIRR2oEVTcmxwBHqSzRCg8Xrr
=aRvi
-----END PGP SIGNATURE-----
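
The module comparison suggested earlier in the thread (the *.pp files in the policy package directory against `semodule -l`), as an added example that is not part of the original messages. It assumes `semodule -l` prints one module per line with the name in the first field; the function names and the sample data are constructed for illustration, and it only lists candidates and removes nothing.

```shell
#!/bin/sh
# Added example: list loaded SELinux modules that have no matching .pp file
# in the policy package directory, i.e. candidates for `semodule -r MODNAME`.
# Assumption: `semodule -l` output has the module name as the first field.

# shipped_modules DIR: print the basename (without .pp) of every DIR/*.pp file.
shipped_modules() {
    for f in "$1"/*.pp; do
        [ -e "$f" ] || continue      # directory holds no .pp files at all
        b=${f##*/}
        printf '%s\n' "${b%.pp}"
    done | LC_ALL=C sort -u
}

# loaded_modules: read `semodule -l` output on stdin, print module names only.
loaded_modules() {
    awk 'NF { print $1 }' | LC_ALL=C sort -u
}

# local_modules DIR: stdin is `semodule -l` output.
# Prints the modules that are loaded but not shipped in DIR.
local_modules() {
    tmp=$(mktemp -d) || return 1
    shipped_modules "$1" > "$tmp/shipped"
    loaded_modules > "$tmp/loaded"
    # comm -13 keeps only the lines unique to the second (loaded) list.
    LC_ALL=C comm -13 "$tmp/shipped" "$tmp/loaded"
    rm -rf "$tmp"
}

# Constructed sample data (not from a real system):
# two packaged modules, three loaded modules, one of them local.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/apache.pp"
    : > "$d/zebra.pp"
    printf 'apache\t1.9.0\nmylocal\t1.0\nzebra\t1.7.0\n' | local_modules "$d"
    rm -rf "$d"
}

# On a live system:
#   semodule -l | local_modules /usr/share/selinux/targeted
```

Review the printed names before passing any of them to `semodule -r`.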



