Murray McAllister wrote:
> Daniel J Walsh wrote:
> Eric Paris wrote:
>>>> On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:
>>>>> Murray McAllister wrote:
>>>>>> Hi,
>>>>>>
>>>>>> If I change a lot of booleans, or install a lot of custom policies, is
>>>>>> there any way to restore selinux policy (targeted) to its default
>>>>>> configuration?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --
>>>>>> fedora-selinux-list mailing list
>>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>> Well semanage does have a -D option to remove all local customizations
>>>>> for the object
>>>>>
>>>>> man semanage
>>>>> ..
>>>>>
>>>>> -D, --deleteall
>>>>> Remove all OBJECTS local customizations
>>>>>
>>>>> Example:
>>>>>
>>>>> semanage ports -D
>>>>>
>>>>> Would remove all port changes.
>>>>>
>>>>> There is no way to do this with modules currently.
>>>>>
>>>>> You could look at the modules in /usr/share/selinux/targeted/*.pp
>>>>> and compare them to semodule -l to see any modules that were different
>>>>> and use semodule -r MODNAME to remove them.
>>>> Gross horrible dangerous hack, be VERY careful, might eat your first
>>>> born, kidnap your grandmother, and blow your house down...
>>>>
>>>> rpm -e --nodeps --justdb selinux-policy-targeted
>>>> rm -rf /etc/selinux/targeted
>>>> yum install selinux-policy-targeted
>>>> touch /.autorelabel
>>>> reboot
>>>>
>>>> yes? no?
>>>>
> I would put the machine in permissive before doing this.
>
>> Thanks. Should something like this be in the selinux user guide? The
>> commands above look safe to me - what's the worst that can happen?
>
>> Do problems occur if you don't relabel after the above steps?
>

No I believe a better solution would be

# setenforce 0
# yum remove selinux-policy\*
# rm -rf /etc/selinux/targeted /etc/selinux/config
# yum install selinux-policy-targeted
# yum install selinux-policy-devel policycoreutils-gui
*** Only if these were removed by the yum remove.

touch /.autorelabel; reboot

Which will get the postinstall scripts to run properly.
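
Added example, not part of the original thread: a shell function for the comparison Daniel J Walsh describes, listing modules reported by semodule -l that have no matching .pp file in /usr/share/selinux/targeted. It compares names only, assumes the first field of each semodule -l line is the module name, and the function name local_modules is hypothetical.

```shell
#!/bin/sh
# local_modules POLICY_DIR MODULE_LIST   (hypothetical helper, added example)
#   POLICY_DIR  : directory of packaged modules (*.pp),
#                 e.g. /usr/share/selinux/targeted
#   MODULE_LIST : file holding saved `semodule -l` output
#                 (assumption: first field on each line is the module name)
# Prints, one per line, modules that are loaded but not shipped in POLICY_DIR.
# These are the candidates for review and `semodule -r MODNAME`.
#
# Typical use on a live system:
#   semodule -l > /tmp/loaded.txt
#   local_modules /usr/share/selinux/targeted /tmp/loaded.txt
local_modules() {
    policy_dir=$1
    module_list=$2
    shipped=$(mktemp) || return 1
    loaded=$(mktemp) || { rm -f "$shipped"; return 1; }

    # Names of packaged modules: strip the directory and the .pp suffix.
    # The -e test skips the literal pattern when the glob matches nothing.
    for pp in "$policy_dir"/*.pp; do
        [ -e "$pp" ] || continue
        basename "$pp" .pp
    done | sort -u > "$shipped"

    # Names of loaded modules: first whitespace-separated field,
    # ignoring blank lines and any version column.
    awk 'NF { print $1 }' "$module_list" | sort -u > "$loaded"

    # comm -13 keeps lines found only in the second (loaded) list.
    comm -13 "$shipped" "$loaded"
    rm -f "$shipped" "$loaded"
}
```

A module that appears in the output was installed locally or by another package; check where it came from before removing it.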