SELinux Reset

Stephen Smalley sds at
Mon Aug 10 17:38:30 UTC 2009

On Mon, 2009-08-10 at 10:26 -0700, Peter Joseph wrote:
> >>> It was the unconfined_login boolean that got him
> >>
> >> So disabling unconfined_login boolean stopped him from being able to
> >> login?
> That is correct.
> [root at rf57 active]# cat booleans.local
> # This file is auto-generated by libsemanage
> # Do not edit directly.
> allow_xserver_execmem=1
> unconfined_login=0 
> __________________________________
> Not being able to solve the problem I re-installed F11 and change the
> default setting of unconfined_login again.  Sure enough,  the only way to
> get back in is by setting selinux=0.
> I tried all sorts of ways to restore it to its default, but the problem I am
> running into is:
> root at rf57 r5f7]# /usr/sbin/getenforce
> Disabled
> [root at rf57 r5f7]# /usr/sbin/getsebool unconfined_login
> /usr/sbin/getsebool:  SELinux is disabled
> [root at rf57 selinux]# setsebool unconfined_login 1
> setsebool:  SELinux is disabled.
> There has to be a way of getting around this.

Hmm..setsebool probably shouldn't require SELinux to be enabled (but
you'd want the -P option anyway to set it persistently).  What about
semanage or system-config-selinux, e.g.:

semanage boolean -m --on unconfined_login

Or you could edit the file directly (despite the comments) and run
semodule -B afterward.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list