09-17-2008, 12:10 PM
Daniel J Walsh

restoring default selinux policy configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:
> Hi,
>
> If I change a lot of booleans, or install a lot of custom policies, is
> there any way to restore selinux policy (targeted) to its default
> configuration?
>
> Thanks.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Well semanage does have a -D option to remove all local customizations
for the object

man semanage
...

-D, --deleteall
Remove all OBJECTS local customizations



Example:

semanage ports -D

Would remove all port changes.

There is no way to do this with modules currently.

You could look at the modules in /usr/share/selinux/targeted/*.pp
and compare them to semodule -l to see any modules that were different
and use semodule -r MODNAME to remove them.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjQ87gACgkQrlYvE4MpobMHigCfXrph1KpagtXk2EbwYrsGTrjb
c3YAn04JaTzLSTanFK5irxBC1mBKlmAh
=wNCb
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
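Added example, not code from the thread or from Fedora's own tooling: a shell script doing the "soft" reset Dan describes in this post, `semanage OBJECT -D` for each object store (semanage spells the object `port`, singular; booleans, file contexts, logins and users take the same switch), followed by the comparison of the shipped `.pp` files against `semodule -l` to find admin-installed modules. The awk comparison runs offline on the constructed sample listings at the bottom; the live part only prints its commands unless `DRY_RUN=0`. The `/usr/share/selinux/targeted/*.pp` layout is the 2008 one the post refers to; on current Fedora the package installs straight into the module store and `semodule -lfull` shows priorities instead (distribution modules at 100, `semodule -i` defaults to 400), so the script refuses rather than guesses when it finds no shipped files.

```shell
#!/bin/sh
# Added example, not code from the thread: the "soft" reset Dan Walsh
# describes, i.e. `semanage OBJECT -D` for each object store, then removal of
# policy modules the distribution package did not ship.  Anything that would
# change the system goes through run(), which only prints unless DRY_RUN=0.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# shipped_module_names DIR: module names of the *.pp / *.pp.bz2 files in DIR,
# the 2008-era layout under /usr/share/selinux/targeted.
shipped_module_names() {
    for f in "$1"/*.pp "$1"/*.pp.bz2; do
        [ -e "$f" ] || continue
        f=${f##*/}; f=${f%.bz2}; f=${f%.pp}
        printf '%s\n' "$f"
    done | sort -u
}

# extra_modules SHIPPED INSTALLED: names in INSTALLED that are not in SHIPPED.
# INSTALLED may be raw `semodule -l` output, either the old "name<TAB>version"
# form or the current bare-name form; only the first field of a line is used.
extra_modules() {
    {
        printf '%s\n' "$1" | awk 'NF { print "S", $1 }'
        printf '%s\n' "$2" | awk 'NF { print "I", $1 }'
    } | awk '$1 == "S" { shipped[$2] = 1; next }
             $1 == "I" && !($2 in shipped) && !seen[$2]++ { print $2 }' | sort
}

# soft_reset_targeted: clear the semanage stores first.  A local fcontext or
# port entry that names a type defined only by a local module makes the
# policy rebuild in `semodule -r` fail, so those entries go before the module.
soft_reset_targeted() {
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    shipped=$(shipped_module_names /usr/share/selinux/targeted)
    if [ -z "$shipped" ]; then
        # Current Fedora installs the package straight into the module store;
        # there `semodule -lfull` shows the priority instead (distribution
        # modules at 100, `semodule -i` defaults to 400).  Refuse rather than
        # treat every module, base included, as "extra".
        echo "no shipped .pp files found; use semodule -lfull on this system" >&2
        return 1
    fi
    for obj in port fcontext boolean login user; do
        run semanage "$obj" -D
    done
    extra_modules "$shipped" "$(semodule -l)" | while read -r mod; do
        run semodule -r "$mod"
    done
    # Files labelled with types that only those modules defined are now
    # unlabelled (Paul Howarth's point later in the thread): relabel on reboot.
    run touch /.autorelabel
}

# Constructed sample listings (not taken from any real system), for running
# the comparison offline: two admin-installed modules among the shipped ones.
SAMPLE_SHIPPED=$(printf 'apache\nbase\nbind\npostfix\nsamba')
SAMPLE_INSTALLED=$(printf 'apache\t2.0.0\nbase\t10.0\nbind\t1.9.0\nmydaemon\t1.0\npostfix\t1.9.0\nsamba\t3.0.0\nzarafa_local\t1.0')

# `sh soft-reset.sh` prints the two candidates, mydaemon and zarafa_local;
# `sh soft-reset.sh live` runs soft_reset_targeted (dry run unless DRY_RUN=0).
if [ "${1:-}" = live ]; then
    soft_reset_targeted
else
    extra_modules "$SAMPLE_SHIPPED" "$SAMPLE_INSTALLED"
fi
```

Review the printed `semodule -r` list before setting `DRY_RUN=0`: a module that the package does not ship but that a third-party RPM installed will show up too, and removing it breaks that package's confinement rather than restoring a default.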
 
09-17-2008, 12:16 PM
Eric Paris

restoring default selinux policy configuration

On Wed, 2008-09-17 at 08:10 -0400, Daniel J Walsh wrote:
> There is no way to do this with modules currently.
>
> You could look at the modules in /usr/share/selinux/targeted/*.pp
> and compare them to semodule -l to see any modules that were different
> and use semodule -r MODNAME to remove them.

Gross horrible dangerous hack, be VERY careful, might eat your first
born, kidnap your grandmother, and blow your house down...

rpm -e --nodeps --justdb selinux-policy-targeted
rm -rf /etc/selinux/targeted
yum install selinux-policy-targeted
touch /.autorelabel
reboot

yes? no?

 
09-17-2008, 08:41 PM
Daniel J Walsh

restoring default selinux policy configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Eric Paris wrote:
> Gross horrible dangerous hack, be VERY careful, might eat your first
> born, kidnap your grandmother, and blow your house down...
>
> rpm -e --nodeps --justdb selinux-policy-targeted
> rm -rf /etc/selinux/targeted
> yum install selinux-policy-targeted
> touch /.autorelabel
> reboot
>
> yes? no?
>
I would put the machine in permissive before doing this.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjRa3kACgkQrlYvE4MpobNB+QCfWVCQQ+BceAXpRLMHl78wlyao
59wAoIXrGXp1u928nxPC1GzCH2HwOVsW
=n7BG
-----END PGP SIGNATURE-----

 
09-17-2008, 11:17 PM
Murray McAllister

restoring default selinux policy configuration

Daniel J Walsh wrote:
> Eric Paris wrote:
>> Gross horrible dangerous hack, be VERY careful, might eat your first
>> born, kidnap your grandmother, and blow your house down...
>>
>> rpm -e --nodeps --justdb selinux-policy-targeted
>> rm -rf /etc/selinux/targeted
>> yum install selinux-policy-targeted
>> touch /.autorelabel
>> reboot
>>
>> yes? no?
>>
> I would put the machine in permissive before doing this.


Thanks. Should something like this be in the selinux user guide? The
commands above look safe to me - what's the worst that can happen?


Do problems occur if you don't relabel after the above steps?
 
09-17-2008, 11:29 PM
Paul Howarth

restoring default selinux policy configuration

On Thu, 18 Sep 2008 09:17:40 +1000
Murray McAllister <mmcallis@redhat.com> wrote:

> Thanks. Should something like this be in the selinux user guide? The
> commands above look safe to me - what's the worse that can happen?
>
> Do problems occur if you don't relabel after the above steps?

You may have removed policy modules that included new file context
types that were in use on the system. Files originally labelled with
those types will be unlabelled after removing the modules, hence the
need to relabel.

Paul.

 
09-18-2008, 01:53 PM
Eric Paris

restoring default selinux policy configuration

On Thu, 2008-09-18 at 09:17 +1000, Murray McAllister wrote:
> Thanks. Should something like this be in the selinux user guide? The
> commands above look safe to me - what's the worse that can happen?
>
> Do problems occur if you don't relabel after the above steps?

It could be in the guide, but it had better be prefaced with something
like I gave it.

The worst that happens is your system completely dies and locks you out
the instant you start to install selinux-policy-targeted. If your local
customizations caused your shell process to run as a type or user or
whatever that isn't defined when you start loading the new policy, things
could explode (permissive is a must and should stop you from locking
yourself out/failing to actually install the original policy; I'm glad
Dan remembered).

You need to autorelabel because you have no idea what types were valid
that are no longer valid (all of those in custom modules you just
removed are now invalid). Labeling could be so different that you need
to reboot in permissive to even get it to boot to the point where it can
autorelabel.

Perfect steps would be

setenforce 0
[run my steps]
stop grub and add enforcing=0
finish boot
setenforce 1

Do all that and you should be safe

-Eric

 
09-18-2008, 06:18 PM
Daniel J Walsh

restoring default selinux policy configuration

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:
> Thanks. Should something like this be in the selinux user guide? The
> commands above look safe to me - what's the worst that can happen?
>
> Do problems occur if you don't relabel after the above steps?

No, I believe a better solution would be

# setenforce 0
# yum remove selinux-policy*
# rm -rf /etc/selinux/targeted /etc/selinux/config
# yum install selinux-policy-targeted
# yum install selinux-policy-devel policycoreutils-gui
    *** Only if these were removed by the yum remove.
# touch /.autorelabel; reboot

Which will get the postinstall scripts to run properly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjSm2oACgkQrlYvE4MpobPB7wCfU7jyn9S2OITIVqqj9urtWIvr
zpcAoKfCIRR2oEVTcmxwBHqSzRCg8Xrr
=aRvi
-----END PGP SIGNATURE-----

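Added example, not code from any of the posters: Dan's package-level rebuild from the post above, wrapped with the safety steps Eric gives two posts up (permissive before you start, `enforcing=0` on the relabel boot, `setenforce 1` afterwards) and a backup of what the `rm -rf` is about to delete, for Paul's reason that types from removed modules leave files unlabelled. The backup directory, the `DRY_RUN` switch and the `plan`/`go` arguments are this script's own additions; `semanage export` is a newer policycoreutils subcommand the 2008 posters did not have and is only attempted if `semanage` is present.

```shell
#!/bin/sh
# Added example, not code from any poster: Dan Walsh's package-level rebuild
# of the targeted policy with Eric Paris's guard rails around it.  BACKUP_DIR,
# DRY_RUN and the plan/go arguments are this script's own additions; nothing
# touches the system unless DRY_RUN=0.
set -u
DRY_RUN=${DRY_RUN:-1}
BACKUP_DIR=${BACKUP_DIR:-/root/selinux-backup-$(date +%Y%m%d%H%M%S)}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# enforce_mode_ok MODE: true only when loading a policy that may no longer
# define the admin shell's own type or user cannot lock that shell out.
enforce_mode_ok() {
    case $1 in
        Permissive|Disabled) return 0 ;;
        *)                   return 1 ;;
    esac
}

# backup_customizations DIR: copies of the store and config that the rm -rf
# below deletes, the module list, and (newer policycoreutils only) the
# `semanage export` dump of local port/fcontext/boolean/login/user settings,
# which `semanage import` can replay if the reset has to be undone.
backup_customizations() {
    run mkdir -p "$1"
    run cp -a /etc/selinux/targeted "$1/targeted"
    run cp -a /etc/selinux/config "$1/config"
    run sh -c "semodule -l > '$1/semodule-l.txt'"
    if command -v semanage >/dev/null 2>&1; then
        run sh -c "semanage export > '$1/customizations.semanage'"
    fi
}

# reset_targeted_policy [MODE]: MODE defaults to `getenforce`; passing it
# explicitly lets the guard be exercised on a machine without SELinux.
reset_targeted_policy() {
    mode=${1:-$(getenforce 2>/dev/null || echo Unknown)}
    if ! enforce_mode_ok "$mode"; then
        echo "refusing: SELinux is $mode; run 'setenforce 0' first" >&2
        return 1
    fi
    backup_customizations "$BACKUP_DIR"
    # Dan's sequence.  No -y on purpose: the yum transaction shows whether
    # selinux-policy-devel / policycoreutils-gui are being taken out too.
    run yum remove 'selinux-policy*'
    run rm -rf /etc/selinux/targeted /etc/selinux/config
    run yum install selinux-policy-targeted
    run yum install selinux-policy-devel policycoreutils-gui   # only if removed above
    run touch /.autorelabel
    cat >&2 <<EOF
Backup in $BACKUP_DIR.  Now reboot; stop at the GRUB menu and append
enforcing=0 so the relabel boot is permissive (Eric's step), log in,
spot-check ls -Z on a few files, then setenforce 1.
EOF
}

# Usage:  sh reset-targeted.sh plan          # print what would be done
#         DRY_RUN=0 sh reset-targeted.sh go  # do it, as root, in permissive
case ${1:-} in
    plan) DRY_RUN=1; reset_targeted_policy ;;
    go)   reset_targeted_policy ;;
esac
```

Run `plan` first and read the printed commands; `go` refuses unless `getenforce` already reports Permissive (or Disabled), which is the one step in the thread everybody agreed must not be skipped.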
 
