Murray McAllister wrote:
Daniel J Walsh wrote:
Eric Paris wrote:
>>> On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:
>>>> Murray McAllister wrote:
>>>>> Hi,
>>>>>
>>>>> If I change a lot of booleans, or install a lot of custom policies, is
>>>>> there any way to restore selinux policy (targeted) to its default
>>>>> configuration?
>>>>>
>>>>> Thanks.
>>>>>
>>>> Well semanage does have a -D option to remove all local customizations
>>>> for the object
>>>>
>>>> man semanage
>>>> ..
>>>>
>>>> -D, --deleteall
>>>> Remove all OBJECTS local customizations
>>>>
>>>>
>>>>
>>>> Example:
>>>>
>>>> semanage port -D
>>>>
>>>> Would remove all port changes.
>>>>
>>>> There is no way to do this with modules currently.
>>>>
>>>> You could look at the modules in /usr/share/selinux/targeted/*.pp
>>>> and compare them to semodule -l to see any modules that were different
>>>> and use semodule -r MODNAME to remove them.
>>> Gross horrible dangerous hack, be VERY careful, might eat your first
>>> born, kidnap your grandmother, and blow your house down...
>>>
>>> rpm -e --nodeps --justdb selinux-policy-targeted
>>> rm -rf /etc/selinux/targeted
>>> yum install selinux-policy-targeted
>>> touch /.autorelabel
>>> reboot
>>>
>>> yes? no?
>>>
I would put the machine in permissive before doing this.
> Thanks. Should something like this be in the selinux user guide? The
> commands above look safe to me - what's the worst that can happen?
> Do problems occur if you don't relabel after the above steps?
No, I believe a better solution would be:
# setenforce 0
# yum remove selinux-policy\*
# rm -rf /etc/selinux/targeted /etc/selinux/config
# yum install selinux-policy-targeted
# yum install selinux-policy-devel policycoreutils-gui   *** Only if these were removed by the yum remove.
# touch /.autorelabel; reboot
Which will get the postinstall scripts to run properly.
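The module comparison suggested earlier in the thread (shipped /usr/share/selinux/targeted/*.pp against semodule -l), as an added shell example that is not part of the original messages. The function names and the --live switch are hypothetical; it assumes the first field of each semodule -l line is the module name.

```shell
#!/bin/sh
# Added example: list installed SELinux modules that have no shipped package.
# The default directory is the one named in the thread.
POLICY_DIR=${POLICY_DIR:-/usr/share/selinux/targeted}

# Names of modules shipped by the policy package, one per line, sorted.
shipped_modules() {
    for f in "$1"/*.pp; do
        [ -e "$f" ] || continue      # glob matched nothing
        basename "$f" .pp
    done | LC_ALL=C sort -u
}

# Module names from `semodule -l` output on stdin. The first field is the
# name whether or not a version column follows; blank lines are skipped.
installed_modules() {
    awk 'NF { print $1 }' | LC_ALL=C sort -u
}

# Print modules that are installed but not shipped: the candidates for
# `semodule -r MODNAME`. $1 = policy dir, $2 = file with `semodule -l` output.
local_modules() {
    tmp_shipped=$(mktemp) || return 1
    tmp_installed=$(mktemp) || { rm -f "$tmp_shipped"; return 1; }
    shipped_modules "$1" > "$tmp_shipped"
    installed_modules < "$2" > "$tmp_installed"
    # Column 2 of comm: lines only in the installed list.
    LC_ALL=C comm -13 "$tmp_shipped" "$tmp_installed"
    rm -f "$tmp_shipped" "$tmp_installed"
}

# Run against the live system only when asked to (needs root for semodule).
if [ "${1:-}" = "--live" ]; then
    list=$(mktemp) && semodule -l > "$list" && local_modules "$POLICY_DIR" "$list"
    rm -f "$list"
fi
```

This reports only modules added under a new name; a shipped module replaced by a local build with the same name is not detected. Review the list before passing any name to semodule -r.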