[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selinux so badly corrupted machine can't start

On 6/19/07, Tony Nelson <tonynelson georgeanelson com> wrote:
Again you state the obvious.  Do you know what happens if SELinux is in
enforcing mode when relabeling?

Yes ... it relabels. I have done so many times ... especially during
quick policy churns in Rawhide test releases.

I'm sorry that my response trying to help was unhelpful. Please ignore
me in the future rather than giving a rude response. However, it would
be more preferable to give a thoughtful response that tries to bridge
the difficult communication gap that arises from having discussions
with limited context.

I have never had any problems with SELinux that have prevented
booting. I also have never had any problems with SELinux
autorelabelling with enforcing enabled.

In my reading of this mailing list since SELinux was introduced, I
have found that people having trouble with SELinux mainly fall into
two categories. Either they are noobs blindly trying to run a
precompiled app that they unpacked from a tarball or they are
old-school *nix hackers who are blindly trying to run an app that they
built from a tarball or have made some customization to make their
system resemble the way "things used to be done in the olden-days".

What I was thinking in my response but perhaps not suggesting
explicitly was either:
1) touching the .autolabel file after you booted with enforcing off
and rebooting with enforcing off to avoid the need for a RescueCD
2) just putting *both* parameters that Daniel told you about
(enforcing=0 and autorelabel=1) in the grub entry at boot time to
avoid the need for a RescueCD.

Because while Tim thinks that booting from a RescueCD might have other
advantages, I would think that it might have many hidden disadvantages
from a SELinux point of view that seem to always arise when you are
trying to do things outside the scope of SELinux with an older kernel
on a sub-directory-mounted or chrooted root filesystem. This is likely
where the *nix gurus get tripped up with SELinux as they instantly
turn to their old toolbag when things break ... and their old tools
stomp all over SELinux in knowing nothing of it.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]