Re: SELinux Reset

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Aug 10, 2009 at 9:55 AM, Daniel J Walsh<dwalsh@xxxxxxxxxx> wrote:
> On 08/10/2009 09:06 AM, max bianco wrote:
>> On Mon, Aug 10, 2009 at 7:45 AM, Stephen Smalley<sds@xxxxxxxxxxxxx> wrote:
>>> On Sat, 2009-08-08 at 00:45 -0700, Justin P. Mattock wrote:
>>>> Peter Joseph wrote:
>>>>>> enforcing =0 should work.
>>>>>> are you putting it the right area in grub/lilo?
>>>>>> also you should be able to just change
>>>>>> /etc/selinux/config
>>>>>> set to permissive mode to avoid using the boot command line.
>>>>>> or
>>>>>> setenforce 0
>>>>>> and
>>>>>> echo 0>  /selinux/enforce
>>>>>> to put the policy in permissive mode until things get cleaned.
>>>>>> Justin P. Mattock
>>>>>>
>>>>> --
>>>>> SELinux has to be completely DISABLED for anybody to log in.  Changing
>>>>> /etc/selinux/config to a permissive mode is of no use.
>>>>> I am thinking about trying to change all booleans from deny to allow (wow,
>>>>> what a monstrous task).  After all, that is how this trouble started in the
>>>>> first place.
>>>>> PJ
>>>>>
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list@xxxxxxxxxx
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>>
>>>>>
>>>>>
>>>>>
>>>> yeah but booleans don't mess with the
>>>> MBR or the bootloader of the kernel?
>>>
>>> No, they are part of the policy image (if set persistently).
>>>
>>> But the booleans only affect what allow rules are enabled at any given
>>> time.  If the system is in permissive mode, then the boolean settings
>>> shouldn't prevent anything from working; they will just affect what avc
>>> denials get logged.
>>>
>>> enforcing=0 on the kernel command line or SELINUX=permissive
>>> in /etc/selinux/config should resolve any SELinux-related denials.
>>>
>>> Out of curiosity, you didn't happen to change the xserver_object_manager
>>> boolean, did you?
>>>
>> It was the unconfined_login boolean that got him.
>>
>>
>>
> So disabling unconfined_login boolean stopped him from being able to login?
>

That's what he told me. I told him to check xserver_allow_execmem and
unconfined_login.
It would have hit the list but I did the reply instead of reply all.
Anyway he said the unconfined_login fixed his problem.

here it is:

On Sun, Aug 9, 2009 at 4:51 PM, <peterjb@xxxxxxxx> wrote:
>>check the xserver_allow_execmem and unconfined_login booleans.
>
> You got it!  The problem stems from unconfined_login --> off.
>
> Thanks for your help.
>
> pj
>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux