On Mon, 2009-08-10 at 12:10 -0700, Peter Joseph wrote:
> > Peter Joseph wrote:
> >
> > >>While experimenting with SELinux, I finally managed to lock myself out of
> > >>the system. The only way to get back in, I had to add "selinux=0" to the
> > >>end of the kernel line.
> > >>Now, if I run in a permissive mode the following message appears when I
> > >>try to log in:
> >
> > >>"Could not connect to session bus: An SELinux policy prevents this sender
> > >>from sending this message to this recipient (rejected message had sender
> > >>"(unset)" interface "org.freedesktop.DBus" member "Hello" error name
> > >>"(unset)" destination "org.freedesktop.DBus)."
> >
> > >>I am forced to go back to the grub prompt and disable SELinux again, in
> > >>order to get in. What is the best way to reset SEL to its original state?
>
> Problem solved.
>
> Appending selinux=0 to the end of the kernel line enabled me to get back
> into the system, however, I found no way of working with SELinux on account
> of it being disabled.
> Appending unconfined_login = 1 instead, brought me to a root prompt with
> SELinux enabled.
> Used the following to check and restore:
>
> # getsebool unconfined_login
> unconfined_login --> off
>
> # setsebool -P unconfined_login=1
>
> # getsebool unconfined_login
> unconfined_login --> on
>
> # poweroff
>
> One thing though, the "unconfined_login = 1" added to the kernel line has to
> contain a space before and after the equal sign.

I think that just caused it to boot to runlevel 1, i.e. single-user
mode. AFAIK, the kernel command line isn't used for booleans at all,
but an integer argument will be taken as the runlevel by init.

-- 
Stephen Smalley
National Security Agency
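The tokenisation described in the reply above, as an added example that is not part of the original thread: a small shell function that splits a kernel command line on whitespace and labels each token, so the difference between `unconfined_login=1` and `unconfined_login = 1` is visible. The function names, class labels and sample command lines are constructed for illustration, and the model is simplified (it ignores the kernel's double-quote handling and only knows the few tokens listed).

```shell
#!/bin/sh
# classify_cmdline "<kernel command line>"
# Prints one line per token in the form "<class> <token>".
# Simplified model: tokens are separated by whitespace only.
classify_cmdline() {
    set -f                          # no glob expansion while word-splitting
    for tok in $1; do
        case "$tok" in
            selinux=0)      echo "selinux-disabled $tok" ;;   # SELinux off at boot
            enforcing=0)    echo "selinux-permissive $tok" ;; # boot in permissive mode
            1|s|S|single)   echo "init-single-user $tok" ;;   # read by init as runlevel
            [2-5])          echo "init-runlevel $tok" ;;
            ?*=*)           echo "name=value $tok" ;;          # one token, no runlevel effect
            *)              echo "bare-word $tok" ;;
        esac
    done
    set +f
}

# Succeeds (exit 0) when the line contains a token that init would
# take as a request for single-user mode.
boots_single_user() {
    classify_cmdline "$1" | grep '^init-single-user ' >/dev/null
}

# Constructed sample lines (not the poster's actual grub entry).
WITH_SPACES='ro root=/dev/sda1 rhgb quiet unconfined_login = 1'
NO_SPACES='ro root=/dev/sda1 rhgb quiet unconfined_login=1'

for line in "$WITH_SPACES" "$NO_SPACES"; do
    echo "== $line"
    classify_cmdline "$line"
    if boots_single_user "$line"; then
        echo "-> single-user boot requested"
    fi
done
```

To audit the running system, pass it the live value: `classify_cmdline "$(cat /proc/cmdline)"`, and compare against `getenforce` and `runlevel`.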