Re: rc.local question/problem (partly solved w/ setenforce=0)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On Jul 3, 2011 5:38 PM, "Paul Allen Newell" <pnewell@xxxxxxxxxx> wrote:
>
> On 7/3/2011 12:53 AM, Cameron Simpson wrote:
> > On 02Jul2011 22:26, Paul Allen Newell<pnewell@xxxxxxxxxx>  wrote:
> > | On 7/2/2011 10:06 PM, Joe Zeff wrote:
> > |>  On 07/02/2011 09:45 PM, Cameron Simpson wrote:
> > |>>  That should be the case. (Of course, SELinux can break anything - if you
> >
> >
> > You can put it into non-enforcing mode on the fly with the command:
> >
> >    setenforce 0
> >
> > Run "setenforce 1" to turn it back on.
> >
>
> That seemed to do it ... wrapping the clamscan in setenforce=0 /
> setenforce=1 produced scans of all files and no errors. Many thanks for
> the advice on how to do.
>
> Of course, your comment in other email about "if you can establish that
> disabling selinux makes it work", I sure got alot of barking from
> selinux and guess I need to learn all about rules for it.
>
> Total of 355 errors regarding "read", "getattr", "search", "open", and
> "write". It appears that it is related to files/binaries/whatever in
> /bin, /sbin, and ~root (maybe /tmp?). I need to do some further
> debugging to confirm this (and to reduce the testing to something
> manageable)
>
> The suggestions the pop-up gives me are for "allow this access for now"
> as opposed to something more permanent.
>
> Before I go starting to learn about selinux rules, I wanted to check
> whether my sense that "if I do a setenforce=0 then I would expect
> selinux to be disabled until setenforce=1; hence, why does it need rules
> when disabled" is a proper way to look at it.
>
> And, yes, my security stance is such that I don't mind a temporary
> disable while clamscan is running, I would rather not permanently
> disable selinux.
>
> Thanks in advance,
> Paul

it really is bad form to run a script out of root's home directory. Perhaps put it in /usr/sbin , restorecon, and leave selinux enforcing the whole time.

-paul

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux