On Thu, Sep 10, 2020 at 03:46:38PM +0200, Michal Schorm wrote: > Does this mean, the "setenforce 0" won't work anymore? No, setenforce will not be affected by this change. > I use it quite a lot to examine the denials and audit2allow to > generate updated rules which fixes my issues. > > I would see the inability of such workflow as a major drawback for > *anyone* who doesn't just consume the default configuration. > e.g. "My database datadir should reside elsewhere"; "my container > should access pulseaudio socket"; "I've ran the default configuration > with my data and it crashed" ... > setenforce works only in SELinux enabled system and `setenforce 0` is to put SELinux in permissive mode (not to disable SELinux), see "SELinux states and modes" at https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/ Also it will be possible to switch between enforcing and permissive using SELINUX=enforcing resp SELINUX=permissive in /etc/selinux/config as it is now. Petr
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
