On 05. 02. 22 11:06, justina colmena ~biz wrote:
The command "restorecon -Rv /" _should_ do the same thing as creating
the file "/.autorelabel" and rebooting, but the risk to restoring
contexts after the system has already booted is that the privileges
necessary to restore certain security contexts may have been dropped
already.
Even using /.autorelabel the system loads the security policy before
relabeling, the only difference from manually executing
restorecon/fixfiles is that the relabeling is performed in permissive
mode (so running restorecon/fixfiles in permissive mode should have the
same effect as /.autorelabel).
"setenforce 0" just sets a boolean, AFAIK. It depends on policy
whether or not that does or should drop all SELinux enforcement
mechanisms at runtime, but only the boot-time relabel is _guaranteed_
to restore _all_ system and user files to the "correct" security
context according to the prescribed policy.
Not really. "Setenforce 0" (i.e. permissive mode) actually changes
behaviour of SELinux regardless of the loaded security policy. The
security policy is NOT enforced in permissive mode -- system calls not
permitted by the policy will go through just fine and the policy
violation will be logged.
On February 5, 2022 12:34:30 AM AKST, Geert Janssens
<geert(a)kobaltwit.be> wrote:
On Friday, 4 February 2022 14:57:10 CET, justina colmena ~biz wrote:
Have you tried this? # touch /.autorelabel && reboot
I didn't exactly run that command but I remember running "restorecon -Rv /"
which I believe should have the same effect. That didn't fix my issue and it
possibly even printed errors on the console as well. With the help of Vit
Mojzis I managed to fix the issue. The problem turned out to be a broken
custom policy. I don't know what broke it but the system works properly now.
So I can't go back to reproduce any details other than those I reported in a
previous reply.
Regards,
Geert
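
An added example, not part of the original thread: a small parser for AVC audit records that separates denials only logged in permissive mode (`permissive=1`, the access went through) from those blocked in enforcing mode (`permissive=0`), grouped by the target file type. The sample records and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1644055590.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1644055591.456:102): avc:  denied  { write } for  pid=1300 comm="sshd" name="authorized_keys" dev="dm-0" ino=9012 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1644055591.456:102): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1644055592.789:103): avc:  denied  { read open } for  pid=1234 comm="httpd" path="/var/www/html/a.css" dev="dm-0" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # The type is the third colon-separated field of user:role:type:level.
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(text):
    """Count denials per (comm, target type, class), split by enforcement mode."""
    modes = {"1": "permissive", "0": "enforcing", None: "unknown"}
    out = {name: Counter() for name in modes.values()}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["ttype"], rec["tclass"])
        # A record without the permissive= field is counted as "unknown".
        out[modes[rec["permissive"]]][key] += 1
    return out


if __name__ == "__main__":
    for mode, counts in summarize(SAMPLE_AUDIT_LOG).items():
        for key, n in counts.items():
            print(mode, n, *key)
```
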