Hello,
I tried to set relabel by using system-config-selinux, but nothing happens; I have to keep selinux=0 to be able to boot!

> On Sat, 28 Dec 2013 16:28:33 +0100, Patrick Dupre wrote:
>> (I did not have a rsync command on the gparted live distribution that I have)
> Does its "cp" command copy SELinux file contexts?
>> And I get always the same behavior: failed to start ....... create static device modes in /dev journal service open pack file: permission denied
> Is this with SELinux enforcing or permissive or disabled?

users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

===========================================================================
Patrick DUPRÉ                                 | email: pdupre@gmx.com
Laboratoire de Physico-Chimie de l'Atmosphère |
Université du Littoral-Côte d'Opale           |
Tel. (33)-(0)3 28 23 76 12                    | Fax: 03 28 65 82 44
189A, avenue Maurice Schumann                 |
59140 Dunkerque, France
===========================================================================

On Dec 28, 2013, at 8:15 PM, Patrick Dupre pdupre@gmx.com wrote:
> Hello,
> I tried to set relabel by using system-config-selinux, but nothing happens; I have to keep selinux=0 to be able to boot!

Try autorelabel=1, and in the future if you have selinux problems you don't want to troubleshoot use enforcing=0. Disabling selinux is a hammer and eventually causes more problems. Better to abandon Fedora kernels, and build your own without selinux compiled in (which you can do with Fedora tools of course, just change the kernel config and recompile).

http://danwalsh.livejournal.com/10972.html

Chris Murphy

On 12/30/2013 07:01 AM, Chris Murphy wrote:
> On Dec 28, 2013, at 8:15 PM, Patrick Dupre pdupre@gmx.com wrote:
>> Hello,
>> I tried to set relabel by using system-config-selinux, but nothing happens; I have to keep selinux=0 to be able to boot!
> Try autorelabel=1, and in the future if you have selinux problems you don't want to troubleshoot use enforcing=0. Disabling selinux is a hammer and eventually causes more problems.

With all due respect, disabling SELinux *must not cause problems*.
If it does, somebody is critically broken and needs to be fixed, ASAP.

Ralf

Allegedly, on or about 30 December 2013, Ralf Corsepius sent:
> With all due respect, disabling SELinux *must not cause problems*.
> If it does, somebody is critically broken and needs to be fixed, ASAP.

Usually, yes. But you cannot expect SELinux relabelling to be done when you've disabled SELinux. It's just plain illogical. You've turned it off, why would it be doing anything?

On Dec 29, 2013, at 11:37 PM, Ralf Corsepius rc040203@freenet.de wrote:
> On 12/30/2013 07:01 AM, Chris Murphy wrote:
>> On Dec 28, 2013, at 8:15 PM, Patrick Dupre pdupre@gmx.com wrote:
>>> Hello,
>>> I tried to set relabel by using system-config-selinux, but nothing happens; I have to keep selinux=0 to be able to boot!
>> Try autorelabel=1, and in the future if you have selinux problems you don't want to troubleshoot use enforcing=0. Disabling selinux is a hammer and eventually causes more problems.
> With all due respect, disabling SELinux *must not cause problems*.

The instant you disable SELinux, labeling is no longer being done at all, so any software updates while disabled lack labeling. Upon intentional or inadvertent re-enabling of SELinux, there will be problems due to that. This is why disabling isn't a good idea, and isn't necessary. Use enforcing=0 instead.

> If it does, somebody is critically broken and needs to be fixed, ASAP.

Feel free to rebuild your kernel ASAP, and actually disable SELinux at the source.

Chris Murphy

On 12/30/2013 11:11 AM, Chris Murphy wrote:
> On Dec 29, 2013, at 11:37 PM, Ralf Corsepius rc040203@freenet.de wrote:
>> On 12/30/2013 07:01 AM, Chris Murphy wrote:
>>> On Dec 28, 2013, at 8:15 PM, Patrick Dupre pdupre@gmx.com wrote:
>>>> Hello,
>>>> I tried to set relabel by using system-config-selinux, but nothing happens; I have to keep selinux=0 to be able to boot!
>>> Try autorelabel=1, and in the future if you have selinux problems you don't want to troubleshoot use enforcing=0. Disabling selinux is a hammer and eventually causes more problems.
>> With all due respect, disabling SELinux *must not cause problems*.
> The instant you disable SELinux, labeling is no longer being done at all, so any software updates while disabled lack labeling. Upon intentional or inadvertent re-enabling of SELinux, there will be problems due to that. This is why disabling isn't a good idea, and isn't necessary. Use enforcing=0 instead.
>> If it does, somebody is critically broken and needs to be fixed, ASAP.
> Feel free to rebuild your kernel ASAP, and actually disable SELinux at the source.
> Chris Murphy

There was a bug in libselinux which is now fixed, that was causing the problem.

On Dec 31, 2013, at 8:57 AM, Daniel J Walsh dwalsh@redhat.com wrote:
> There was a bug in libselinux which is now fixed, that was causing the problem.

Right, but I thought that the bug caused the setting in /etc/selinux/config to be ignored, while selinux=0 and enforcing=0 still worked?

Chris Murphy

On 12/31/2013 12:20 PM, Chris Murphy wrote:
> On Dec 31, 2013, at 8:57 AM, Daniel J Walsh dwalsh@redhat.com wrote:
>> There was a bug in libselinux which is now fixed, that was causing the problem.
> Right, but I thought that the bug caused the setting in /etc/selinux/config to be ignored, while selinux=0 and enforcing=0 still worked?
> Chris Murphy

Just back from break, and I believe that is the case. I am just beginning to dig into the problem.

selinux=0 should cause the kernel to not load SELinux LSM, which should keep selinux disabled. I guess the libselinux could still lie to the init and cause it to attempt a relabel.

Adam Williamson has put out a fixed libselinux-2.2.1-6.fc20, which should fix the problem.
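
The boot switches discussed in this thread (selinux=0, enforcing=0, autorelabel=1) resolved into the SELinux state a boot ends up in, and whether a requested relabel can run in that state. This is an added example, not part of any message above; the precedence order, the /.autorelabel flag file and the function names are assumptions based on common SELinux behaviour, and the sample inputs are constructed.

```shell
# Added example (not from the thread). Inputs are strings so the logic runs
# offline; on a live system pass "$(cat /proc/cmdline)" and "$(cat /etc/selinux/config)".

# Print the last value given for KEY= on a kernel command line.
cmdline_value() (
    set -f                      # tokens must not be glob-expanded
    val=""
    for tok in $1; do
        case "$tok" in "$2"=*) val=${tok#*=} ;; esac
    done
    printf '%s' "$val"
)

# Print the SELINUX= setting from the text of /etc/selinux/config.
config_mode() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SELINUX=\([a-z]*\).*/\1/p' | tail -n 1
}

# Print disabled | permissive | enforcing | unknown.
# Assumed precedence: selinux=0, then SELINUX=disabled, then enforcing=N,
# then the config file value.
effective_mode() {
    cfg=$(config_mode "$2")
    if [ "$(cmdline_value "$1" selinux)" = 0 ] || [ "$cfg" = disabled ]; then
        echo disabled; return
    fi
    case "$(cmdline_value "$1" enforcing)" in
        0) echo permissive; return ;;
        1) echo enforcing; return ;;
    esac
    case "$cfg" in
        enforcing|permissive) echo "$cfg" ;;
        *) echo unknown ;;
    esac
}

# Print "yes" if a requested relabel can run on this boot, else "no".
# $3 is "present" when the /.autorelabel flag file exists (assumed input).
relabel_will_run() {
    [ "$(effective_mode "$1" "$2")" != disabled ] || { echo no; return; }
    if [ "$(cmdline_value "$1" autorelabel)" = 1 ] || [ "$3" = present ]; then echo yes; else echo no; fi
}

# Constructed sample: the same config booted with each pair of switches.
CONF='SELINUX=enforcing
SELINUXTYPE=targeted'
for line in 'ro selinux=0 autorelabel=1' 'ro enforcing=0 autorelabel=1'; do
    echo "$line -> $(effective_mode "$line" "$CONF"), relabel: $(relabel_will_run "$line" "$CONF" absent)"
done
```

With selinux=0 the relabel request is reported as unable to run, which matches the observation in the thread that nothing happened while SELinux stayed disabled.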