restoring default selinux policy configuration

Murray McAllister mmcallis at redhat.com
Wed Sep 17 23:17:40 UTC 2008


Daniel J Walsh wrote:
> Eric Paris wrote:
>> On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:
>>> Murray McAllister wrote:
>>>> Hi,
>>>>
>>>> If I change a lot of booleans, or install a lot of custom policies, is
>>>> there any way to restore selinux policy (targeted) to its default
>>>> configuration?
>>>>
>>>> Thanks.
>>>>
>>> Well semanage does have a -D option to remove all local customizations
>>> for the object
>>>
>>> man semanage
>>> ..
>>>
>>>        -D, --deleteall
>>>               Remove all OBJECTS local customizations
>>>
>>>
>>>
>>> Example:
>>>
>>> semanage port -D
>>>
>>> Would remove all port changes.
>>>
>>> There is no way to do this with modules currently.
>>>
>>> You could look at the modules in /usr/share/selinux/targeted/*.pp
>>> and compare them to semodule -l to see any modules that were different
>>> and use semodule -r MODNAME to remove them.
>> Gross horrible dangerous hack, be VERY careful, might eat your first
>> born, kidnap your grandmother, and blow your house down...
>>
>> rpm -e --nodeps --justdb selinux-policy-targeted
>> rm -rf /etc/selinux/targeted
>> yum install selinux-policy-targeted
>> touch /.autorelabel
>> reboot
>>
>> yes? no?
>>
> I would put the machine in permissive before doing this.

Thanks. Should something like this be in the selinux user guide? The 
commands above look safe to me - what's the worst that can happen?

Do problems occur if you don't relabel after the above steps?



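The module comparison suggested in the quoted reply (the `.pp` files under /usr/share/selinux/targeted against `semodule -l`) can be scripted as below. This is an added example, not code from the thread or from the SELinux project; the function names are hypothetical, and it compares by module name only, so it finds modules that were added locally but not shipped modules whose contents were changed.

```shell
#!/bin/sh
# Added example: list policy modules that are loaded but have no matching
# package-shipped .pp file, i.e. candidates to review for `semodule -r`.

# shipped_modules DIR: print the module name of every DIR/*.pp, sorted.
shipped_modules() {
    for f in "$1"/*.pp; do
        [ -e "$f" ] || continue          # glob matched nothing
        basename "$f" .pp
    done | LC_ALL=C sort -u
}

# loaded_modules: read `semodule -l` output on stdin, print sorted names.
# Only the first field is used, so both "name<TAB>version" lines and
# bare "name" lines are accepted.
loaded_modules() {
    awk 'NF { print $1 }' | LC_ALL=C sort -u
}

# local_modules DIR LISTING: print names found in LISTING (a saved copy of
# `semodule -l` output) that have no DIR/NAME.pp counterpart.
local_modules() {
    tmp_shipped=$(mktemp) || return 1
    tmp_loaded=$(mktemp) || { rm -f "$tmp_shipped"; return 1; }
    shipped_modules "$1" > "$tmp_shipped"
    loaded_modules < "$2" > "$tmp_loaded"
    # comm -13 keeps lines that appear only in the second (loaded) list.
    LC_ALL=C comm -13 "$tmp_shipped" "$tmp_loaded"
    rm -f "$tmp_shipped" "$tmp_loaded"
}

# On a live system (semodule needs root):
#   semodule -l > /tmp/loaded.txt
#   local_modules /usr/share/selinux/targeted /tmp/loaded.txt
# Review each name before removing it with `semodule -r NAME`.
```

Booleans, ports and other `semanage` customizations are not covered by this comparison; those are what the `-D` option quoted above resets.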