We are working on the Fedora SELinux FAQ

Tom London selinux at gmail.com
Mon Jan 25 21:17:34 UTC 2010


On Fri, Jan 22, 2010 at 4:48 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Any comments?  What should we add?  What should we remove?
>
> http://sradvan.fedorapeople.org/SELinux_FAQ/#id2654720
>

I think there could be confusion between "disabling SELinux" and
"disabling enforcement".  In fact, I remember seeing posts that appear
to at least touch on this.

Would it make sense to help this (perceived) confusion by expanding a
bit on booting with "enforcing=0" (as opposed to booting with
"selinux=0")?

Perhaps something like:

Q: After updating policy, my system won't boot; gnome/kde won't start,
my application stopped working.  What do I do?

A: One way to determine quickly if SELinux is the culprit is to
reboot in permissive mode.  This allows all accesses, but provides an
audit trail that is useful to localize policy or application changes.
Also, newly created files will get the policy-specified labels.

This is done by adding "enforcing=0" to the kernel boot parameters or
by setting SELINUX=permissive in /etc/selinux/config.

If your system now boots, gnome/kde now starts, or your application
now works, 'audit2allow -al' should list policy changes needed.  Of
course, the "real fix" to the policy may involve changing application
code somewhere, but this audit should be useful to identify symptoms.

Q: No, I really want to turn SELinux off for good.  How do I do that?

A: Set SELINUX=disabled ......

tom
-- 
Tom London
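
The distinction drawn in the message above between "enforcing=0" and "selinux=0", as an added example that is not part of the original post: a shell function that predicts the SELinux mode a boot would produce from a kernel command line and the text of /etc/selinux/config. The function name, the sample inputs and the precedence rule (a disabled setting wins, then the command-line enforcing= value, then the config file) are assumptions of this example.

```shell
#!/bin/sh
# Added example: predict the SELinux mode of the next boot from a kernel
# command line and the text of /etc/selinux/config.
# Assumption: selinux=0 or SELINUX=disabled turns SELinux off entirely;
# otherwise enforcing=0/1 on the command line overrides the config file.

selinux_boot_mode() (
    set -f                      # no globbing while splitting the command line
    cmd_selinux= cmd_enforcing=
    for word in $1; do
        case $word in
            selinux=*)   cmd_selinux=${word#selinux=} ;;
            enforcing=*) cmd_enforcing=${word#enforcing=} ;;
        esac
    done
    # First uncommented SELINUX= line; SELINUXTYPE= does not match.
    cfg=$(printf '%s\n' "$2" |
          sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' |
          head -n 1 | tr 'A-Z' 'a-z')
    if [ "$cmd_selinux" = 0 ] || [ "$cfg" = disabled ]; then
        echo disabled           # SELinux off: nothing checked or audited
    elif [ "$cmd_enforcing" = 0 ]; then
        echo permissive         # accesses allowed, denials still audited
    elif [ "$cmd_enforcing" = 1 ]; then
        echo enforcing
    else
        case $cfg in
            enforcing|permissive) echo "$cfg" ;;
            *) echo unknown ;;  # missing or unrecognised SELINUX= value
        esac
    fi
)

# Constructed sample config, not taken from a real system.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Constructed kernel command lines for the cases discussed above.
for cmdline in 'ro root=/dev/sda1 quiet' \
               'ro root=/dev/sda1 quiet enforcing=0' \
               'ro root=/dev/sda1 quiet selinux=0'; do
    printf '%-40s -> %s\n' "$cmdline" \
        "$(selinux_boot_mode "$cmdline" "$SAMPLE_CONFIG")"
done
```

On a live system the same function can be called as selinux_boot_mode "$(cat /proc/cmdline)" "$(cat /etc/selinux/config)".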

