Re: SELinux Understanding

[Karl Larsen <k5di@xxxxxxxxxx>]

Nigel Henry wrote:
> On Monday 15 October 2007 19:57, Claude Jones wrote:
>   
> > On Monday October 15 2007 1:35:17 pm Nigel Henry wrote:
> >     
> > > but as
> > > re-enabling SELinux, in either permissive, or enforcing mode
> > > results in the relabelling process being run, it's almost
> > > impossible to know if the relabelling has resolved a genuine
> > > problem or not.
> > >       
> > This is where you're mistaken. It's perfectly possible to set
> > permissive and enforcing modes, without relabeling - relabeling
> > is only forced after some updates, and that not very often -
> > perhaps, this is something that should be addressed. Perhaps a
> > warning message when you turn on enforcing, with instructions to
> > relabel if you've run in permissive mode for some period of
> > time...
> >
> > --
> > Claude Jones
> > Brunswick, MD, USA
> >     
>
> Well I disabled SELinux some weeks ago for some reason or other. I didn't want 
> to, as it had been behaving itself. Sorry, but I forget stuff easily these 
> days, and can't remember why I disabled it. Anyway when I re-enabled it as 
> forcing, and rebooted, it did the relabelling stuff. As I've said. I'm not 
> too clued up on SELinux, but it was running in enforcing mode, then I 
> disabled it (for some reason or other), and rebooted. Then I re-enabled it as 
> enforcing, rebooted, and by default it ran it's relabelling program.
>
> Now I'm not too bothered about SELinux. I've seen it around since FC2, but for 
> the first time on Fedora 7 I've given it a try. I'm only a home user, so 
> nothing critical going on, and apart from the little FTP problem it's working 
> ok.
>
> I'm not sure what you're saying though in your reply above. From what I 
> understand, if you disable SELinux (not sure if a reboot has to occur before 
> the next step), then re-enable SELinux in enforcing mode (as it was 
> previously). I found that re-enabling SELinux in enforcing mode, then 
> rebooting, resulted in the relabelling stuff being done. So is there some 
> incantation you can apply to the kernel on bootup to prevent SELinux doing 
> it's relabel stuff?
>
> Nigel.
>
>   
   Hi Nigel, I think you can tell the SELinux loader not to relabel; 
but once saying that I am pretty sure you WANT to relabel any time you 
turn SELinux on, after it has been off. If you think your memory is 
short my 72 year old head is overflowing with stuff and it has moved 
down causing my tummy to be too round

   I am running with SELinux on and will keep book on how long it runs 
without a problem. The fellow with trouble in his http area sounds like 
he made a lot of new directories and SELinux didn't like it. This sort 
of thing may well hit me.



--

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.