Stephen Smalley wrote:
> (please disable html mail at least when posting to public lists)
>
> On Thu, 2006-11-02 at 03:02 -0800, Arthur M. Kang wrote:
> > On a fresh install of FC6, I'm getting errors when trying to use the
> > setsebool command.
> >
> > # setsebool httpd_disable_trans 1
> > libsemanage.semanage_commit_sandbox: Error while
> > renaming /etc/selinux/targeted/modules/active
> > to /etc/selinux/targeted/modules/previous.
> > Could not change policy booleans
>
> This usually means that there is a labeling problem with /etc/selinux.
> Run /sbin/restorecon -R /etc/selinux/targeted/modules. Then try again.
> Check for audit messages in /var/log/messages
> or /var/log/audit/audit.log (the latter if running auditd).
>
> > Has anyone else experienced similar problems? Is there a problem on
> > my end? Is there a fix?
> >
> > Although the error message is generated, the boolean does get set.
> > However, the -P switch doesn't work and the boolean won't stick across
> > reboots.
> >
> > Is there an alternate method to remotely configure booleans that stick
> > across reboots?
> >
> > Any help is appreciated.
I have seen this happen on a couple of machines. We are missing a
transition from initrc_t to semanage_t for targeted policy which could
result in an init script that calls setsebool (ypbind) or one of the
other apps to screw up the file context. Also if you run in permissive
mode and did not transition properly when updating rpms this could
happen. If there is an application that uses libsemanage that is not
labeled semanage_exec_t, or an unconfined_domain that runs semanage
without the transition.
Not sure of any other situations that could cause this.
Dan
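
Added example, not part of the original thread: a small triage script for the audit messages Stephen suggests checking, separating the two causes discussed above (a mislabeled module store versus a libsemanage tool running without the transition to semanage_t). The type name semanage_store_t, the tool list and the sample AVC records are assumptions constructed for illustration.

```python
import re

# Assumed reference-policy names (not stated in the thread): the module store
# is labeled semanage_store_t; check your own policy's file contexts.
STORE_TYPE, MANAGE_DOMAIN = "semanage_store_t", "semanage_t"
TOOLS = {"setsebool", "semodule", "semanage"}  # libsemanage front ends
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def ctx_type(context):
    """Type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def triage(lines):
    """Heuristically classify denials hit by libsemanage tools or on the store."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if not rec or "scontext" not in rec or "tcontext" not in rec:
            continue
        src, tgt = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"])
        if rec.get("comm") not in TOOLS and tgt != STORE_TYPE:
            continue  # unrelated denial
        causes = []
        if tgt != STORE_TYPE and rec.get("tclass") in ("dir", "file"):
            causes.append("target labeled %s: run restorecon on the store" % tgt)
        if src != MANAGE_DOMAIN:
            causes.append("ran in %s without transition to %s" % (src, MANAGE_DOMAIN))
        findings.append((rec.get("comm"), rec.get("name"), rec["perms"], causes))
    return findings

# Constructed sample records, not taken from the thread.
SAMPLE = [
    'type=AVC msg=audit(1162465320.101:45): avc:  denied  { rename } for  pid=2210 comm="setsebool" name="active" dev=dm-0 ino=98311 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir',
    'type=AVC msg=audit(1162465399.554:52): avc:  denied  { write } for  pid=2304 comm="semodule" name="commit_num" dev=dm-0 ino=98340 scontext=root:system_r:semanage_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'type=AVC msg=audit(1162465401.007:53): avc:  denied  { read } for  pid=1988 comm="httpd" name="index.html" dev=dm-0 ino=77120 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On a live system, feed it the lines of /var/log/audit/audit.log (or /var/log/messages when auditd is not running) instead of SAMPLE.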