On 11/8/18 10:11 AM, Mahmood Naderan wrote: >>For filesystem labels: > >>touch /./autorelabel >>reboot/ > > OK I did that. What is the effect then?! How can I find out that > something has been reset? Relabeling only sets the filesystem to the defined SELinux labels. It doesn't change any custom file contexts you've set up. You can also run: semanage fcontext -C -l to see what local file context changes have been made, as well as looking at the file_contexts.local file. Then you can remove them if you want to go back to the default config that came with the distro. >>So to see all the changes that have been made, you can do >>find /etc/selinux -name "*.local" > > Yes I can see this for example > > [root@sn snadmin]# cat /etc/selinux/targeted/active/booleans.local > # This file is auto-generated by libsemanage > # Do not edit directly. > > httpd_unified=1 > httpd_read_user_content=1 > ftpd_full_access=1 > httpd_can_connect_ftp=1 > httpd_can_network_connect=1 > httpd_can_sendmail=1 Well, if you want to go back to the default config from when you first installed the OS, you could back those out. For instance, setsebool -P httpd_unified 0 will revert the boolean back to the default setting. But before we go any further, what are you actually trying to accomplish? Any fcontext changes or boolean changes made were probably made for a reason. It might make more sense to discover what's been changed and then determine if that change is appropriate. As an aside, I learned today that you can also run: semanage boolean -C -l to see all the changed booleans. So you can look at the *.local files, or use the command line. Thanks for asking this question, it made me learn something new. :-) Once you've determined what changed, you could change them back to "factory default" if that's what you're trying to do. I do recommend that you see what's been changed, then determine if it makes sense to change it back rather than blindly setting the system back to defaults. Thomas _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
