On Mon, 28 Jun 2004 14:02:03 -0700, Tom London wrote:
* /From/: Bob Gustafson <bobgus rcn com>
[root hoho2 user1]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=strict
POLICYTYPE=strict
[root hoho2 user1]#
Then I changed the /etc/selinux/config to the version shown below and rebooted.
I got far fewer messages, and I was even able to go to root when clicking on gnome applications that required higher priority (with above config contents, whatever I typed was not enough, gnome kept coming back for more).
[root hoho2 user1]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=disabled
SELINUX=enforcing
#SELINUXTYPE=strict
SELINUXTYPE=permissive
POLICYTYPE=strict
[root hoho2 user1]#
My assumption has been that the boot parameters override the contents of the /etc/selinux/config file, and that the boot param 'enforcing=0' will make the selinux a permissive one.
Have these assumptions changed?
Well, the names have changed a bit ;) POLICYTYPE is no longer operative, so I think you have booted up in 'targeted' mode, not strict. 'enforcing=0' still works for me.
Here is what you need for strict:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcinfg - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=strict
tom
If POLICYTYPE is no longer used, then the file that contains that deprecated param should be either overwritten during the 'yum update' process, or a note or message should show up somewhere (visibly) during the 'yum update' process.
If the user's config file is not changed, but the program changes in the 'yum update', then there is a problem (perhaps even a 'process bug').
Is there a 'permissive' value for SELINUXTYPE?
Using the boot param 'enforcing=0' seems to be different than setting the SELINUXTYPE=permissive for me.
enforcing=0 was less permissive...
BobG
selinux@lists.fedoraproject.org
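
Added example, not part of the original thread: a shell function that checks a config file against the values given above (SELINUX= enforcing, permissive or disabled; SELINUXTYPE= targeted or strict; POLICYTYPE no longer operative). The names lint_selinux_config and sample_config are made up for illustration, and the sample is the second config from the thread without its comment header. It only reads the file and does not look at the enforcing=0 boot parameter.

```shell
#!/bin/sh
# Lint an SELinux config file. Prints one finding per line.
# Exit status: 0 = nothing to report, 1 = at least one finding.
lint_selinux_config() {
    awk -F= '
        function bad(msg) { print "line " NR ": " msg; n++ }

        # Commented-out settings and blank lines have no effect; skip them.
        /^[ \t]*#/ || /^[ \t]*$/ { next }

        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            seen[key] = 1
        }
        # SELINUX= is the mode.
        key == "SELINUX" && val !~ /^(enforcing|permissive|disabled)$/ {
            bad("SELINUX=" val " is not enforcing, permissive or disabled")
        }
        # SELINUXTYPE= is the policy; a mode name such as permissive is not one.
        key == "SELINUXTYPE" && val !~ /^(targeted|strict)$/ {
            bad("SELINUXTYPE=" val " is not targeted or strict")
        }
        # Leftover key from the older file layout.
        key == "POLICYTYPE" {
            bad("POLICYTYPE is no longer operative; the policy comes from SELINUXTYPE=")
        }
        END {
            if (!seen["SELINUX"])     { print "SELINUX= is not set"; n++ }
            if (!seen["SELINUXTYPE"]) { print "SELINUXTYPE= is not set"; n++ }
            exit (n + 0 > 0)
        }
    ' "$1"
}

# Second config from the thread, comment header omitted.
sample_config() {
    cat <<'EOF'
#SELINUX=disabled
SELINUX=enforcing
#SELINUXTYPE=strict
SELINUXTYPE=permissive
POLICYTYPE=strict
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
lint_selinux_config "$tmp" || echo "config needs fixing"
rm -f "$tmp"
```

On a real system the argument would be /etc/selinux/config.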