SELinux Understanding

Nigel Henry cave.dnb at tiscali.fr
Mon Oct 15 20:31:53 UTC 2007


On Monday 15 October 2007 19:57, Claude Jones wrote:
> On Monday October 15 2007 1:35:17 pm Nigel Henry wrote:
> > but as
> > re-enabling SELinux, in either permissive, or enforcing mode
> > results in the relabelling process being run, it's almost
> > impossible to know if the relabelling has resolved a genuine
> > problem or not.
>
> This is where you're mistaken. It's perfectly possible to set
> permissive and enforcing modes, without relabeling - relabeling
> is only forced after some updates, and that not very often -
> perhaps, this is something that should be addressed. Perhaps a
> warning message when you turn on enforcing, with instructions to
> relabel if you've run in permissive mode for some period of
> time...
>
> --
> Claude Jones
> Brunswick, MD, USA

Well I disabled SELinux some weeks ago for some reason or other. I didn't want 
to, as it had been behaving itself. Sorry, but I forget stuff easily these 
days, and can't remember why I disabled it. Anyway when I re-enabled it as 
forcing, and rebooted, it did the relabelling stuff. As I've said. I'm not 
too clued up on SELinux, but it was running in enforcing mode, then I 
disabled it (for some reason or other), and rebooted. Then I re-enabled it as 
enforcing, rebooted, and by default it ran it's relabelling program.

Now I'm not too bothered about SELinux. I've seen it around since FC2, but for 
the first time on Fedora 7 I've given it a try. I'm only a home user, so 
nothing critical going on, and apart from the little FTP problem it's working 
ok.

I'm not sure what you're saying though in your reply above. From what I 
understand, if you disable SELinux (not sure if a reboot has to occur before 
the next step), then re-enable SELinux in enforcing mode (as it was 
previously). I found that re-enabling SELinux in enforcing mode, then 
rebooting, resulted in the relabelling stuff being done. So is there some 
incantation you can apply to the kernel on bootup to prevent SELinux doing 
it's relabel stuff?

Nigel.




More information about the fedora-list mailing list