Re: Error while running setsebool

On 05. 02. 22 11:06, justina colmena ~biz wrote:
> The command "restorecon -Rv /" _should_ do the same thing as creating the file "/.autorelabel" and rebooting, but the risk to restoring contexts after the system has already booted is that the privileges necessary to restore certain security contexts may have been dropped already.

Even using /.autorelabel, the system loads the security policy before relabeling, the only difference from manually executing restorecon/fixfiles is that the relabeling is performed in permissive mode (so running restorecon/fixfiles in permissive mode should have the same effect as /.autorelabel).

> "setenforce 0" just sets a boolean, AFAIK. It depends on policy whether or not that does or should drop all SELinux enforcement mechanisms at runtime, but only the boot-time relabel is _guaranteed_ to restore _all_ system and user files to the "correct" security context according to the prescribed policy.

Not really. "Setenforce 0" (i.e. permissive mode) actually changes behaviour of SELinux regardless of the loaded security policy. The security policy is NOT enforced in permissive mode -- system calls not permitted by the policy will go through just fine and the policy violation will be logged.

> On February 5, 2022 12:34:30 AM AKST, Geert Janssens <geert@xxxxxxxxxxxx> wrote:
>> On Friday, 4 February 2022 14:57:10 CET, justina colmena ~biz wrote:
>>> Have you tried this? # touch /.autorelabel && reboot
>>
>> I didn't exactly run that command but I remember running "restorecon -Rv /" which I believe should have the same effect. That didn't fix my issue and it possibly even printed errors on the console as well.
>>
>> With the help of Vit Mojzis I managed to fix the issue. The problem turned out to be a broken custom policy. I don't know what broke it but the system works properly now. So I can't go back to reproduce any details other than those I reported in a previous reply.
>>
>> Regards,
>> Geert
>
> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
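
The reply's point that permissive mode lets a disallowed operation through and only logs it shows up in the audit log, where each AVC record ends in `permissive=1` or `permissive=0`. The script below is an added example, not part of the thread: it groups denials so that the ones a permissive-mode relabel got past are easy to spot. The sample records are constructed and the function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): split AVC denials into those that were
# blocked (permissive=0) and those that were only logged (permissive=1).

# Constructed sample audit records; on a real host, feed in
# /var/log/audit/audit.log or the output of `ausearch -m AVC` instead.
sample_audit_log() {
  cat <<'EOF'
type=AVC msg=audit(1644055200.101:410): avc:  denied  { relabelfrom } for  pid=2211 comm="restorecon" name="app.conf" dev="dm-0" ino=1311 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1644055200.101:410): arch=c000003e syscall=188 success=yes exit=0 comm="restorecon"
type=AVC msg=audit(1644055200.230:411): avc:  denied  { relabelfrom } for  pid=2211 comm="restorecon" name="app.db" dev="dm-0" ino=1312 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1644055200.231:412): avc:  denied  { relabelto } for  pid=2211 comm="restorecon" name="app.db" dev="dm-0" ino=1312 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1644055320.007:431): avc:  denied  { read } for  pid=980 comm="httpd" name="app.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin and prints one sorted line per group:
#   <enforced|logged-only> <comm> <permissions> <tclass> <count>
summarize_avc() {
  awk '
    /type=AVC/ && / denied / {
      mode = "unknown"; comm = "?"; tclass = "?"; perm = "?"
      # The denied permissions sit between "{ " and " }".
      if (match($0, /[{] [^}]+ [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        gsub(/ /, ",", perm)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)   { comm = substr($i, 6); gsub(/"/, "", comm) }
        if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        if ($i == "permissive=1") mode = "logged-only"
        if ($i == "permissive=0") mode = "enforced"
      }
      count[mode " " comm " " perm " " tclass]++
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

# Number of logged-only denials for one command name (for example restorecon).
count_logged_only() {
  summarize_avc | awk -v c="$1" '$1 == "logged-only" && $2 == c { n += $NF } END { print n + 0 }'
}

sample_audit_log | summarize_avc
```

A non-zero `logged-only` count for `restorecon` means the same relabel run in enforcing mode would have been denied for those files.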