[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: restoring default selinux policy configuration

Daniel J Walsh wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eric Paris wrote:

On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:

Hi,

If I change a lot of booleans, or install a lot of custom policies, is
there any way to restore selinux policy (targeted) to its default
configuration?

Thanks.

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Well semanage does have a -D option to remove all local customizations
for the object

man semanage
..

       -D, --deleteall
              Remove all OBJECTS local customizations



Example:

semanage ports -D

Would remove all port changes.

There is no way to do this with modules currently.

You could look at the modules in /usr/share/selinux/targeted/*.pp
and compare them to semodule -l to see any modules that were different
and use semodule -r MODNAME to remove them.

Gross horrible dangerous hack, be VERY careful, might eat your first
born, kidnap your grandmother, and blow your house down...

rpm -e --nodeps --justdb selinux-policy-targeted
rm -rf /etc/selinux/targeted
yum install selinux-policy-targeted
touch /.autorelabel
reboot

yes? no?


I would put the machine in permissive before doing this.
Thanks. Should something like this be in the selinux user guide? The commands above look safe to me - what's the worse that can happen? 

Do problems occur if you don't relabel after the above steps?




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjRa3kACgkQrlYvE4MpobNB+QCfWVCQQ+BceAXpRLMHl78wlyao
59wAoIXrGXp1u928nxPC1GzCH2HwOVsW
=n7BG
-----END PGP SIGNATURE-----
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]