restoring default selinux policy configuration

Eric Paris eparis at redhat.com
Thu Sep 18 13:53:16 UTC 2008


On Thu, 2008-09-18 at 09:17 +1000, Murray McAllister wrote:
> Thanks. Should something like this be in the selinux user guide? The 
> commands above look safe to me - what's the worst that can happen?
> 
> Do problems occur if you don't relabel after the above steps?

It could be in the guide, but it better be prefaced with something like
I gave it :)

The worst that happens is your system completely dies and locks you out
the instant you start to install selinux-policy-targeted.  If your local
customizations caused your shell process to run as a type or user or
whatever that isn't defined when you start loading the new policy, things
could esplode (permissive is a must and should stop you from locking
yourself out/failing to actually install the original policy, I'm glad
Dan remembered).

You need to autorelabel because you have no idea what types were valid
that are no longer valid (all of those in custom modules you just
removed are now invalid).  Labeling could be so different that you need
to reboot in permissive to even get it to boot to the point where it can
autorelabel.

Perfect steps would be

setenforce 0
[run my steps]
stop grub and add enforcing=0
finish boot
setenforce 1

Do all that and you should be safe :)

-Eric



