SElinux

Paul Howarth paul at city-fan.org
Sat Apr 8 20:08:28 UTC 2006


On Sat, 2006-04-08 at 15:03 -0500, Bruno Wolff III wrote:
> On Sat, Apr 08, 2006 at 14:40:47 -0500,
>   Bruno Wolff III <bruno at wolff.to> wrote:
> > On Sat, Apr 08, 2006 at 18:23:57 +0100,
> >   Paul Howarth <paul at city-fan.org> wrote:
> > > 
> > > Don't know much about writing custom policy modules from scratch, but
> > > the context management should be easy enough using semanage.
> > > 
> > > semanage doesn't change the contexts of existing files, it changes the
> > > underlying policy. This means that changes made using semanage will be
> > > effected if you use "restorecon" or do a full relabel.
> > 
> > Thanks I had missed that.
> > I had a mishap just last night when I rebooted after using setsebool to
> > change a setting and had it unexpectedly reset. I see now, that I should
> > be using semanage to be making persistent changes.
> 
> It looks like it isn't so simple for booleans. The man page for booleans(8)
> says that you can use system-sysconfig-securitylevel to set persistent
> boolean values, but the text mode version of that command seems to only
> let you do firewall stuff. And the alternate method given is to edit the
> /etc/selinux/POLICYTYPE/boolean, which appears to be out of date information.
> The documentation/help for semanage doesn't indicate it can do this.
> Looks like I should probably file a couple of bugzillas.
> 
> But at least I know how to do the file context stuff correctly now.

Use:

# setsebool -P name_of_boolean 1

to set a boolean persistently.

See the current value of booleans using getsebool.

Paul.
-- 
Paul Howarth <paul at city-fan.org>
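
An added example, not part of the original message: a check for the mishap described in the thread, where a boolean set with setsebool but without -P reverts at the next boot. It assumes the "name (state , default)" listing layout printed by `semanage boolean -l` in current policycoreutils releases; the sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of `semanage boolean -l`:
# the first value in parentheses is the running state, the second is the
# value stored in the policy store (what the system comes back with on boot).
sample_listing() {
cat <<'EOF'
SELinux boolean                State  Default Description

ftp_home_dir                   (off  ,  off)  Allow ftp to read and write files in user home directories
httpd_can_network_connect      (on   ,  off)  Allow httpd to make network connections
httpd_enable_cgi               (on   ,   on)  Allow httpd cgi support
EOF
}

# Read a listing on stdin and print "name running stored" for every boolean
# whose running value differs from the stored one, i.e. a change made with
# setsebool without -P that will be lost on reboot.
drifted_booleans() {
    awk '
        # Only data lines carry a "(state , default)" pair; the header and
        # blank lines do not match and are skipped.
        match($0, /\([a-z]+ *, *[a-z]+\)/) {
            name = $1
            pair = substr($0, RSTART + 1, RLENGTH - 2)   # drop the parentheses
            gsub(/ /, "", pair)                          # "on   ,  off" -> "on,off"
            split(pair, v, ",")
            if (v[1] != v[2]) print name, v[1], v[2]
        }'
}

# Run against the constructed sample. On a live system, pipe the output of
# `semanage boolean -l` (run as root) into drifted_booleans instead.
sample_listing | drifted_booleans
```

Each name it reports can be made persistent with the setsebool -P command given above.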



