Re: restoring default selinux policy configuration

On Thu, 18 Sep 2008 09:17:40 +1000
Murray McAllister <mmcallis@xxxxxxxxxx> wrote:

> Daniel J Walsh wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Eric Paris wrote:
> >> On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> Murray McAllister wrote:
> >>>> Hi,
> >>>>
> >>>> If I change a lot of booleans, or install a lot of custom
> >>>> policies, is there any way to restore selinux policy (targeted)
> >>>> to its default configuration?
> >>>>
> >>>> Thanks.
> >>>>
> >>>> -- 
> >>>> fedora-selinux-list mailing list
> >>>> fedora-selinux-list@xxxxxxxxxx
> >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>> Well semanage does have a -D option to remove all local
> >>> customizations for the object
> >>>
> >>> man semanage
> >>> ..
> >>>
> >>>        -D, --deleteall
> >>>               Remove all OBJECTS local customizations
> >>>
> >>>
> >>>
> >>> Example:
> >>>
> >>> semanage port -D
> >>>
> >>> Would remove all port changes.
> >>>
> >>> There is no way to do this with modules currently.
> >>>
> >>> You could look at the modules in /usr/share/selinux/targeted/*.pp
> >>> and compare them to semodule -l to see any modules that were
> >>> different and use semodule -r MODNAME to remove them.
> >> Gross horrible dangerous hack, be VERY careful, might eat your
> >> first born, kidnap your grandmother, and blow your house down...
> >>
> >> rpm -e --nodeps --justdb selinux-policy-targeted
> >> rm -rf /etc/selinux/targeted
> >> yum install selinux-policy-targeted
> >> touch /.autorelabel
> >> reboot
> >>
> >> yes? no?
> >>
> > I would put the machine in permissive before doing this.
> 
> Thanks. Should something like this be in the selinux user guide? The 
> commands above look safe to me - what's the worst that can happen?
> 
> Do problems occur if you don't relabel after the above steps?

You may have removed policy modules that included new file context
types that were in use on the system. Files originally labelled with
those types will be unlabelled after removing the modules, hence the
need to relabel.

Paul.
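
The module comparison suggested in the quoted reply (shipped `.pp` files against `semodule -l`), written out as an added example that is not part of the thread. It assumes `semodule -l` prints the module name in the first column and that the shipped modules sit in one directory as the thread describes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list installed policy modules that have
# no matching .pp file in the directory shipped by the policy package.

# Print module names for the .pp files in directory $1, sorted.
shipped_modules() {
    for f in "$1"/*.pp; do
        [ -e "$f" ] || continue          # directory had no .pp files
        basename "$f" .pp
    done | LC_ALL=C sort -u
}

# $1 = shipped .pp directory, $2 = file holding saved `semodule -l` output.
# Prints names present in the list but not shipped: candidates for review
# and, if they are local additions, for `semodule -r MODNAME`.
local_modules() {
    tmp=$(mktemp) || return 1
    shipped_modules "$1" > "$tmp"
    # First column is the module name; a version column may follow.
    awk 'NF { print $1 }' "$2" | LC_ALL=C sort -u | LC_ALL=C comm -13 "$tmp" -
    rm -f "$tmp"
}

# Constructed fixture: three shipped modules, four installed ones.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pp"
    : > "$d/pp/apache.pp"; : > "$d/pp/base.pp"; : > "$d/pp/ssh.pp"
    printf '%s\t%s\n' apache 1.9.0 mylocal 1.0 ssh 2.0.0 zcustom 0.1 > "$d/list"
    local_modules "$d/pp" "$d/list"
    rm -rf "$d"
}

# Real use (paths as given in the thread):
#   semodule -l > /tmp/installed.txt
#   local_modules /usr/share/selinux/targeted /tmp/installed.txt
demo
```

Review the printed names before removing anything: the output only shows that no shipped `.pp` file has that name, not why the module was installed.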
