On 08/10/2009 09:06 AM, max bianco wrote: > On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley<sds@xxxxxxxxxxxxx> wrote: >> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote: >>> Peter Joseph wrote: >>>>> enforcing =0 should work. >>>>> are you putting it the right area in grub/lilo? >>>>> also you should be able to just change >>>>> /etc/selinux/config >>>>> set to permissive mode to avoid using the boot command line. >>>>> or >>>>> setenforce 0 >>>>> and >>>>> echo 0> /selinux/enforce >>>>> to put the policy in permissive mode until things get cleaned. >>>>> Justin P. Mattock >>>>> >>>> -- >>>> SELinux has to be completely DISABLED for anybody to log in. Changing >>>> /etc/selinux/config to a permissive mode is of no use. >>>> I am thinking about trying to change all booleans from deny to allow (wow, >>>> what a monstrous task). After all, that is how this trouble started in the >>>> first place. >>>> PJ >>>> >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list@xxxxxxxxxx >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>>> >>>> >>>> >>>> >>> yeah but booleans don't mess with the >>> MBR or the bootloader of the kernel? >> >> No, they are part of the policy image (if set persistently). >> >> But the booleans only affect what allow rules are enabled at any given >> time. If the system is in permissive mode, then the boolean settings >> shouldn't prevent anything from working; they will just affect what avc >> denials get logged. >> >> enforcing=0 on the kernel command line or SELINUX=permissive >> in /etc/selinux/config should resolve any SELinux-related denials. >> >> Out of curiosity, you didn't happen to change the xserver_object_manager >> boolean, did you? >> > It was the unconfined_login boolean that got him. > > > So disabling unconfined_login boolean stopped him from being able to login? -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
