Re: Selinux so badly corrupted machine can't start

On 6/19/07, Tony Nelson <tonynelson@xxxxxxxxxxxxxxxxx> wrote:
> Again you state the obvious.  Do you know what happens if SELinux is in
> enforcing mode when relabeling?

Yes ... it relabels. I have done so many times ... especially during
quick policy churns in Rawhide test releases.

I'm sorry that my response trying to help was unhelpful. Please ignore
me in the future rather than giving a rude response. However, it would
be more preferable to give a thoughtful response that tries to bridge
the difficult communication gap that arises from having discussions
with limited context.

I have never had any problems with SELinux that have prevented
booting. I also have never had any problems with SELinux
autorelabelling with enforcing enabled.

In my reading of this mailing list since SELinux was introduced, I
have found that people having trouble with SELinux mainly fall into
two categories. Either they are noobs blindly trying to run a
precompiled app that they unpacked from a tarball or they are
old-school *nix hackers who are blindly trying to run an app that they
built from a tarball or have made some customization to make their
system resemble the way "things used to be done in the olden-days".

What I was thinking in my response but perhaps not suggesting
explicitly was either:
1) touching the .autolabel file after you booted with enforcing off
and rebooting with enforcing off to avoid the need for a RescueCD
or
2) just putting *both* parameters that Daniel told you about
(enforcing=0 and autorelabel=1) in the grub entry at boot time to
avoid the need for a RescueCD.

Because while Tim thinks that booting from a RescueCD might have other
advantages, I would think that it might have many hidden disadvantages
from a SELinux point of view that seem to always arise when you are
trying to do things outside the scope of SELinux with an older kernel
on a sub-directory-mounted or chrooted root filesystem. This is likely
where the *nix gurus get tripped up with SELinux as they instantly
turn to their old toolbag when things break ... and their old tools
stomp all over SELinux in knowing nothing of it.

/Mike

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list