SELinux Reset
Stephen Smalley
sds at tycho.nsa.gov
Mon Aug 10 17:38:30 UTC 2009
On Mon, 2009-08-10 at 10:26 -0700, Peter Joseph wrote:
> >>> It was the unconfined_login boolean that got him
> >>
> >> So disabling unconfined_login boolean stopped him from being able to
> >> login?
>
> That is correct.
>
> [root at rf57 active]# cat booleans.local
> # This file is auto-generated by libsemanage
> # Do not edit directly.
>
> allow_xserver_execmem=1
> unconfined_login=0
> __________________________________
>
> Not being able to solve the problem I re-installed F11 and change the
> default setting of unconfined_login again. Sure enough, the only way to
> get back in is by setting selinux=0.
>
> I tried all sorts of ways to restore it to its default, but the problem I am
> running into is:
>
> root at rf57 r5f7]# /usr/sbin/getenforce
> Disabled
>
> [root at rf57 r5f7]# /usr/sbin/getsebool unconfined_login
> /usr/sbin/getsebool: SELinux is disabled
>
> [root at rf57 selinux]# setsebool unconfined_login 1
> setsebool: SELinux is disabled.
>
> There has to be a way of getting around this.
Hmm..setsebool probably shouldn't require SELinux to be enabled (but
you'd want the -P option anyway to set it persistently). What about
semanage or system-config-selinux, e.g.:
semanage boolean -m --on unconfined_login
Or you could edit the file directly (despite the comments) and run
semodule -B afterward.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list