Re: selinux -- or is it

g wrote:

Daniel J Walsh wrote:
touch /.autorelabel
reboot

ok, '/.autorelabel' was there. it was there from install.

i did 'touch' it again to put new date on it. i did not boot into f8, as
i did not know what state to have selinux in. now that i know how easy it
is to disable selinux, which level should i put it in, 'enforcing' or
'permissive'?

[btw. i will not discuss how to easily disable selinux on this or any list.
 nor do i believe it should be. no need to make it easy for system hackers.
 if it has been told, please do not blame me just because i mentioned it.]

"disabled" means just that...SELinux is disabled.

"permissive" means that SELinux is running, but all operations are
permitted and violations of the SELinux rules will be logged to
/var/log/audit/audit.log.  In other words, you aren't protected and
you'll be able to see what's going on.

"enforcing" means that SELinux is running and violations of the rule
will be blocked (and logged).

Note that from a disabled state, you can NOT use "setenforce" to switch
to permissive or enforcing mode.  It must _boot_ in permissive or
enforcing mode for the "setenforce" command to be used.

If you're still sorting things, I'd boot the system in "permissive"
mode.  You can then use the "audit2allow" tool to see what violations
are occurring.  Using that data, you can create new rules to permit them
or recognize that they really SHOULDN'T be happening and NOT include
rules (I won't get into how to determine that or how to use audit2allow
to generate local rules...that's a whole big can of worms that really
isn't appropriate for a list format).

You can continue to run in permissive mode to sort those rules and
implement them, then do a "setenforce" to put it in enforcing mode to
make sure things are correct.  If it runs in enforcing mode correctly
with your new rules added, THEN you can edit the /etc/selinux/config
file and have it boot in enforcing mode.

At least that's how I do it.  If anyone has better ideas, chime in
anytime.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       rps2@xxxxxxxx -
- Hosting Consulting, Inc.                                           -
-                                                                    -
-       "Yeah, but you're taking the universe out of context."       -
----------------------------------------------------------------------
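Two small helpers for the workflow Rick describes, added here as an example rather than taken from the thread: a triage view of the AVC denials a permissive boot leaves in /var/log/audit/audit.log, and the config edit that makes enforcing mode stick once "setenforce 1" has run cleanly. The function names and the audit lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for: read the denials that
# a permissive boot logged, decide whether they deserve a rule, then make
# enforcing mode the boot default. Names and sample data are constructed.

# Constructed sample in the format auditd writes. The third line is a
# non-AVC record and must be ignored by the summary.
SAMPLE_AUDIT='type=AVC msg=audit(1200000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1200000000.456:46): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1200000000.456:46): arch=c000003e syscall=42 success=no exit=-13'

# summarize_avc: read audit records on stdin, print one line per denial as
# "source_type target_type class { permissions }". This is the view to
# study before feeding anything to audit2allow: a web server reading a
# user's home directory or opening the database port may be a bug, not a
# missing rule.
summarize_avc() {
  grep '^type=AVC ' |
    sed -n 's/.*denied  { \([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 { \1}/p'
}

# set_boot_mode CONFIG MODE: rewrite the SELINUX= line of an
# /etc/selinux/config style file so the next boot comes up in MODE.
# Uses a temp file instead of "sed -i" so it is portable across sed builds.
set_boot_mode() {
  case "$2" in
    enforcing|permissive|disabled) ;;
    *) echo "set_boot_mode: unknown mode '$2'" >&2; return 1 ;;
  esac
  sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# promote_to_enforcing: the runtime switch Rick describes, run as root on
# a system that booted permissive. Refuses while denials remain in the
# log. Only after a clean run in enforcing mode should set_boot_mode be
# used on /etc/selinux/config (a boot in "disabled" cannot be switched
# with setenforce at all).
promote_to_enforcing() {
  [ "$(getenforce)" = "Permissive" ] || { echo "not permissive" >&2; return 1; }
  if summarize_avc < /var/log/audit/audit.log | grep -q .; then
    echo "denials still logged; fix policy or the cause first" >&2; return 1
  fi
  setenforce 1
}

# Demo on the constructed data; needs neither root nor SELinux.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```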

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
