SELinux Reset
Stephen Smalley
sds at tycho.nsa.gov
Mon Aug 10 19:39:17 UTC 2009
On Mon, 2009-08-10 at 12:10 -0700, Peter Joseph wrote:
>
> Peter Joseph wrote:
> >
> > While experimenting with SELinux, I finally managed to lock myself out of
> > the system. The only way to get back in, I had to add "selinux=0" to the
> > end of the kernel line.
> > Now, if I run in a permissive mode the following message appears when I
> > try to log in:
> >
> > "Could not connect to session bus: An SELinux policy prevents this sender
> > from sending this message to this recipient (rejected message had sender
> > "(unset)" interface "org.freedesktop.DBus" member "Hello" error name
> > "(unset)" destination "org.freedesktop.DBus)."
> >
> > I am forced to go back to the grub prompt and disable SELinux again, in
> > order to get in. What is the best way to reset SEL to its original state?
> >
>
> Problem solved.
>
> Appending selinux=0 to the end of the kernel line enabled me to get back
> into the system, however, I found no way of working with SELinux on account
> of it being disabled.
> Appending unconfined_login = 1 instead, brought me to a root prompt with
> SELinux enabled.
> Used the following to check and restore:
>
> # getsebool unconfined_login
> unconfined_login --> off
>
> # setsebool -P unconfined_login=1
>
> # getsebool unconfined_login
> unconfined_login --> on
>
> # poweroff
>
> One thing though, the "unconfined_login = 1" added to the kernel line has to
> contain a space before and after the equal sign.
I think that just caused it to boot to runlevel 1, i.e. single-user
mode. AFAIK, the kernel command line isn't used for booleans at all,
but an integer argument will be taken as the runlevel by init.
--
Stephen Smalley
National Security Agency
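
The tokenization discussed in this thread, as an added example that is not part of the original posts: a small shell check showing how a kernel line splits on whitespace, so that "unconfined_login = 1" becomes three separate tokens. classify_cmdline is a hypothetical helper, the sample lines are constructed, and treating a bare 1-5, S, s or "single" as a runlevel request is an assumption taken from the reply above.

```shell
#!/bin/sh
# Added example, not from the thread. classify_cmdline is a hypothetical helper.
# Assumption (from the reply above): a bare 1-5, S, s or "single" token is read
# by init as a runlevel request.

classify_cmdline() {
    prev=""
    set -f                 # disable globbing while the line is word-split
    # shellcheck disable=SC2086
    set -- $1              # split on whitespace: one token per boot argument
    set +f
    for tok in "$@"; do
        case "$tok" in
            selinux=0)   echo "selinux=0: SELinux disabled for this boot" ;;
            enforcing=0) echo "enforcing=0: permissive for this boot" ;;
            "=")         echo "stray '=' after '$prev': not an assignment" ;;
            [1-5]|S|s|single)
                         echo "init runlevel: $tok" ;;
        esac
        prev=$tok
    done
}

# Constructed sample lines (not taken from a real system).
classify_cmdline "ro root=/dev/sda1 rhgb quiet selinux=0"
classify_cmdline "ro root=/dev/sda1 rhgb quiet unconfined_login = 1"
```

On a running system the same function can be pointed at the booted line with classify_cmdline "$(cat /proc/cmdline)".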