On Fri, Jan 22, 2010 at 4:48 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > Any comments? What should we add? What should we remove? > > http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720 > I think there could be confusion between "disabling SELinux" and "disabling enforcement". In fact, I remember seeing posts that appear to at least touch on this. Would it make sense to help this (perceived) confusion by expanding a bit on booting with "enforcing=0" (as opposed to booting with "selinux=0")? Perhaps something like: Q: After updating policy, my system won't boot; gnome/kde won't start, my application stopped working. What do I do? A: One way to determine quickly if SELinux is the culprit is to re-boot in permissive mode. This allows all accesses, but provides an audit trail that is useful to localize policy or application changes. Also, newly created files will get the policy specified labels. This is done by adding "enforcing=0" to the kernel boot parameters or by setting SELINUX=permissive in /etc/selinux/config. If your system now boots, gnome/kde now starts, or your application now works, 'audit2allow -al' should list policy changes needed. Of course, the "real fix" to the policy may involve changing application code somewhere, but this audit should be useful to identify symptoms. Q: No, I really want to turn SELinux off for good. How do I do that? A: Set SELINUX=disabled ...... tom -- Tom London -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
