08-30-2011, 07:08 PM
"Michael D. Berger"

selinux & iptables

In setting up my new CentOS 6 laptop, I replaced
/etc/sysconfig/iptables with my own, very restrictive
version. I then tried to restart the iptables daemon,
but it reported that my new iptables was unreadable.
On a guess, I disabled selinux, and my problem was
solved. Later, I re-enabled selinux and on reboot, it
had to go through a very long setup procedure.

Is there something better I could have done when
replacing iptables, so that I would not have to
disable selinux?

Thanks for your help.
Mike.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
08-30-2011, 07:10 PM
Daniel J Walsh

selinux & iptables

On 08/30/2011 03:08 PM, Michael D. Berger wrote:
> In setting up my new CentOS 6 laptop, I replaced
> /etc/sysconfig/iptables with my own, very restrictive version. I
> then tried to restart the iptables daemon, but it reported that my
> new iptables was unreadable. On a guess, I disabled selinux, and my
> problem was solved. Later, I re-enabled selinux and on reboot, it
> had to go through a very long setup procedure.
>
> Is there something better I could have done when replacing
> iptables, so that I would not have to disable selinux?
>
> Thanks for your help. Mike.

Run restorecon on the files you changed.

restorecon -R -v /etc/sysconfig

Is all you probably needed.
08-30-2011, 07:10 PM

selinux & iptables

Michael D. Berger wrote:
> In setting up my new CentOS 6 laptop, I replaced
> /etc/sysconfig/iptables with my own, very restrictive
> version. I then tried to restart the iptables daemon,
> but it reported that my new iptables was unreadable.
> On a guess, I disabled selinux, and my problem was
> solved. Later, I re-enabled selinux and on reboot, it
> had to go through a very long setup procedure.
>
> Is there something better I could have done when
> replacing iptables, so that I would not have to
> disable selinux?

ll -Z /etc/sysconfig/iptables.orig
Look at the results, then
chcon or semanage to change
/etc/sysconfig/iptables.michael to match.

mark "or disable selinux"

08-30-2011, 07:23 PM
Ned Slider

selinux & iptables

On 30/08/11 20:08, Michael D. Berger wrote:
> In setting up my new CentOS 6 laptop, I replaced
> /etc/sysconfig/iptables with my own, very restrictive
> version. I then tried to restart the iptables daemon,
> but it reported that my new iptables was unreadable.
> On a guess, I disabled selinux, and my problem was
> solved. Later, I re-enabled selinux and on reboot, it
> had to go through a very long setup procedure.
>

Rather than disabling, you can put SELinux in permissive mode to
troubleshoot. Permissive mode will warn but still allow all actions that
would otherwise be blocked in enforcing mode.

When you disable SELinux and then later re-enable it, the whole file
system will need to be relabeled at boot, and this is probably what took
the time on your system. Switching between permissive and enforcing
modes avoids this.

08-30-2011, 11:07 PM
Phil Savoie

selinux & iptables

On 08/30/2011 03:23 PM, Ned Slider wrote:
> On 30/08/11 20:08, Michael D. Berger wrote:
>> In setting up my new CentOS 6 laptop, I replaced
>> /etc/sysconfig/iptables with my own, very restrictive
>> version. I then tried to restart the iptables daemon,
>> but it reported that my new iptables was unreadable.
>> On a guess, I disabled selinux, and my problem was
>> solved. Later, I re-enabled selinux and on reboot, it
>> had to go through a very long setup procedure.

> Rather than disabling, you can put SELinux in permissive mode to
> troubleshoot. Permissive mode will warn but still allow all actions that
> would otherwise be blocked in enforcing mode.
>

Further to this, chcon --reference <originalfile> <newfile>, then test
with selinux back in enforcing mode.


> When you disable SELinux and then later re-enable it, the whole file
> system will need to be relabeled at boot, and this is probably what took
> the time on your system. Switching between permissive and enforcing
> modes avoids this.
>


Regards,

Phil
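
The label comparison suggested in the replies above (look at the original file's context, then make the replacement match), as an added example that is not part of the thread or any poster's message. The function names are hypothetical and the two sample contexts are constructed for illustration; check_label relies on GNU stat's %C format and is only meaningful on a host with SELinux enabled.

```shell
#!/bin/sh
# Added example: compare SELinux file labels before restarting a service.
# An SELinux context has the form user:role:type:level; the type field is
# what the policy's allow rules are written against.

# Print the type field (third colon-separated field) of a context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when two contexts carry the same type, 1 otherwise.
same_type() {
    [ "$(context_type "$1")" = "$(context_type "$2")" ]
}

# Compare a replacement file against a reference file and print the fix.
# Returns 0 on match, 1 on mismatch, 2 if a context cannot be read.
check_label() {
    ref=$1
    new=$2
    ref_ctx=$(stat -c %C "$ref") || return 2
    new_ctx=$(stat -c %C "$new") || return 2
    if same_type "$ref_ctx" "$new_ctx"; then
        echo "OK: $new has type $(context_type "$new_ctx")"
        return 0
    fi
    echo "MISMATCH: $new is $(context_type "$new_ctx"), reference is $(context_type "$ref_ctx")"
    echo "fix: chcon --reference $ref $new"
    echo " or: restorecon -v $new"
    return 1
}

# Constructed sample contexts (assumptions, not output from the thread):
# a reference file and a replacement that kept a label from elsewhere.
REF_CTX='system_u:object_r:system_conf_t:s0'
NEW_CTX='unconfined_u:object_r:user_home_t:s0'

same_type "$REF_CTX" "$NEW_CTX" ||
    echo "type differs: $(context_type "$NEW_CTX") vs $(context_type "$REF_CTX")"
```

On an SELinux host, `check_label /etc/sysconfig/iptables.orig /etc/sysconfig/iptables` performs the same comparison against real files and prints the chcon or restorecon command to run when the types differ.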