Re: SELinux Understanding

Nigel Henry wrote:

On Monday 15 October 2007 19:57, Claude Jones wrote:

On Monday October 15 2007 1:35:17 pm Nigel Henry wrote:

but as
re-enabling SELinux, in either permissive, or enforcing mode
results in the relabelling process being run, it's almost
impossible to know if the relabelling has resolved a genuine
problem or not.

This is where you're mistaken. It's perfectly possible to set
permissive and enforcing modes, without relabeling - relabeling
is only forced after some updates, and that not very often -
perhaps, this is something that should be addressed. Perhaps a
warning message when you turn on enforcing, with instructions to
relabel if you've run in permissive mode for some period of

Claude Jones
Brunswick, MD, USA

Well, I disabled SELinux some weeks ago for some reason or other. I didn't want to, as it had been behaving itself. Sorry, but I forget stuff easily these days, and can't remember why I disabled it. Anyway, when I re-enabled it as enforcing, and rebooted, it did the relabelling stuff. As I've said, I'm not too clued up on SELinux, but it was running in enforcing mode, then I disabled it (for some reason or other), and rebooted. Then I re-enabled it as enforcing, rebooted, and by default it ran its relabelling program.

Now I'm not too bothered about SELinux. I've seen it around since FC2, but for the first time on Fedora 7 I've given it a try. I'm only a home user, so nothing critical going on, and apart from the little FTP problem it's working ok.

I'm not sure what you're saying though in your reply above. From what I understand, if you disable SELinux (not sure if a reboot has to occur before the next step), then re-enable SELinux in enforcing mode (as it was previously). I found that re-enabling SELinux in enforcing mode, then rebooting, resulted in the relabelling stuff being done. So is there some incantation you can apply to the kernel on bootup to prevent SELinux doing its relabel stuff?


Hi Nigel, I think you can tell the SELinux loader not to relabel; but once saying that I am pretty sure you WANT to relabel any time you turn SELinux on, after it has been off. If you think your memory is short, my 72-year-old head is overflowing with stuff and it has moved down, causing my tummy to be too round.

I am running with SELinux on and will keep book on how long it runs without a problem. The fellow with trouble in his http area sounds like he made a lot of new directories and SELinux didn't like it. This sort of thing may well hit me.


	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.
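
Added example, not part of the original messages: a shell check that encodes the distinction discussed in this thread, between switching permissive/enforcing (no relabel) and turning SELinux back on after it was disabled (relabel). It assumes the usual `/etc/selinux/config` and `/.autorelabel` paths and `getenforce` output; the function names are hypothetical and the demo config is constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumed inputs, passed as arguments so the logic runs on any machine:
#   $1 current mode as printed by getenforce: Enforcing|Permissive|Disabled
#   $2 SELinux config file (normally /etc/selinux/config)
#   $3 relabel flag file   (normally /.autorelabel)

# Print the configured SELINUX= value in lower case (last setting wins).
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print "relabel", "no-relabel" or "unknown" for the next boot.
relabel_expected() {
    current=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    target=$(configured_mode "$2")
    # An existing flag file requests a relabel whatever the modes are.
    if [ -e "$3" ]; then echo relabel; return 0; fi
    case "$current:$target" in
        # Configured off: nothing is labelled at boot.
        *:disabled) echo no-relabel ;;
        # Off -> on: files created while SELinux was off carry no labels.
        disabled:enforcing|disabled:permissive) echo relabel ;;
        # Permissive <-> enforcing: labels were maintained throughout.
        enforcing:enforcing|enforcing:permissive) echo no-relabel ;;
        permissive:enforcing|permissive:permissive) echo no-relabel ;;
        *) echo unknown ;;
    esac
}

# Demo on a constructed config file.
demo_dir=$(mktemp -d)
printf '# constructed sample\nSELINUX=enforcing\nSELINUXTYPE=targeted\n' \
    > "$demo_dir/config"
echo "disabled -> enforcing:   $(relabel_expected Disabled "$demo_dir/config" "$demo_dir/.autorelabel")"
echo "permissive -> enforcing: $(relabel_expected Permissive "$demo_dir/config" "$demo_dir/.autorelabel")"
rm -rf "$demo_dir"
```

On a live system the call would be `relabel_expected "$(getenforce)" /etc/selinux/config /.autorelabel`.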

