SELinux Attack!
Daniel J Walsh
dwalsh at redhat.com
Mon Oct 15 14:48:59 UTC 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chris wrote:
> On Sun, 14 Oct 2007 11:24:59 -0600
> Karl Larsen <k5di at zianet.com> wrote:
>
>> I have learned a lot about SELinux in the past week. It turns out
>> the simple fix is to just turn it off. But it is possible I have
>> learned to live with SELinux turned full on and what to do if there
>> is trouble.
>>
>> This all started when I had to turn on SELinux to use a device,
>> so I did and there was no problem. So I left it turned on. Then one
>> morning I turned on my computer and instead of booting clear up in
>> just one minute, it stopped when init tried to turn on "cups". It
>> stayed there for 10 minutes! My thoughts were, how did I screw up the
>> file system so bad? So turned off the boot and booted up in the
>> rescue mode from a CD, and did #fsck /dev/sdb5 and it said there is
>> nothing wrong.
>
> I too had SELinux issues. Mine were of my own doing though. I soon
> found out the easies way to get my box to boot was as Karl mentioned,
> boot from the CD and rescue it.
>
> I mounted the drive (as suggested) but simply edited
> the /etc/selinux/config file with a simple
>
> SELINUX=disabled
>
> Bingo - that solved that, rebooted and all was good. What I did next
> was simply tar up the /selinux directory from my lappy and then applied
> the tarball to my desktop.
>
> Went back into SELinux and had it enabled and set it to relabel on next
> boot-up.
>
> All seems fine after a week. Not sure how I mucked mine up, but I did
> and this is what I did to correct my fat-fingering.
>
A much easier way would have been
boot the kernel and add to boot line
enforcing=0 autorelabel
This should put the machine in permissive mode and force a relabel.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFHE33brlYvE4MpobMRAk+jAJ466PtaC+nXH6v7Pf3VYkAx8H9cqwCfTSmN
ElLUIMFlyIbCTWPhw/3jIH4=
=931i
-----END PGP SIGNATURE-----
More information about the users
mailing list