Boolean resets don't stick
Why is it that when I changed some SELinux variables to allow certain
processes, the allowances did not persist with the next shutdown and reboot cycle? I had occasion to set allow_execmod and several Samba-related Booleans. And then this morning, it was as if I hadn't customized anything. I had to revert and reset every one of those custom variables, and then I did a complete relabel. Once I did that, a certain application that needed execmod allowed, would run. Samba runs as well, though I probably discovered another issue--failure to turn on the nmb service as well as the smb service. But when I change a part of the Samba policy, I thought that should hold for good. Why doesn't it? Or did the relabeling finally make the issue go away? I just don't want that issue to come back, that's all--but I don't want to disable SELinux in order to do that. Temlakos -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
Boolean resets don't stick
On 08/03/10 14:03, Temlakos wrote:
> Why is it that when I changed some SELinux variables to allow certain > processes, the allowances did not persist with the next shutdown and > reboot cycle? > > I had occasion to set allow_execmod and several Samba-related Booleans. > And then this morning, it was as if I hadn't customized anything. > > I had to revert and reset every one of those custom variables, and > /then/ I did a complete relabel. Once I did that, a certain application > that needed execmod allowed, would run. Samba runs as well, though I > probably discovered another issue--failure to turn on the nmb service as > well as the smb service. > > But when I change a part of the Samba policy, I thought that should hold > for good. Why doesn't it? Or did the relabeling finally make the issue > go away? > > I just don't want that issue to come back, that's all--but I don't want > to disable SELinux in order to do that. You did use the "-P" option to setsebool, didn't you? Paul. -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
Boolean resets don't stick
On 03/08/2010 09:10 AM, Paul Howarth wrote:
> On 08/03/10 14:03, Temlakos wrote: > >> Why is it that when I changed some SELinux variables to allow certain >> processes, the allowances did not persist with the next shutdown and >> reboot cycle? >> >> I had occasion to set allow_execmod and several Samba-related Booleans. >> And then this morning, it was as if I hadn't customized anything. >> >> I had to revert and reset every one of those custom variables, and >> /then/ I did a complete relabel. Once I did that, a certain application >> that needed execmod allowed, would run. Samba runs as well, though I >> probably discovered another issue--failure to turn on the nmb service as >> well as the smb service. >> >> But when I change a part of the Samba policy, I thought that should hold >> for good. Why doesn't it? Or did the relabeling finally make the issue >> go away? >> >> I just don't want that issue to come back, that's all--but I don't want >> to disable SELinux in order to do that. >> > You did use the "-P" option to setsebool, didn't you? > > Paul. > -- > selinux mailing list > selinux@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux > > I was using the GUI manager for SELinux, not Konsole. I did not know about option -P. Is this another example of how the GUIs aren't up to par? Temlakos -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
Boolean resets don't stick
On 03/08/2010 09:15 AM, Temlakos wrote:
> On 03/08/2010 09:10 AM, Paul Howarth wrote: > >> On 08/03/10 14:03, Temlakos wrote: >> >> >>> Why is it that when I changed some SELinux variables to allow certain >>> processes, the allowances did not persist with the next shutdown and >>> reboot cycle? >>> >>> I had occasion to set allow_execmod and several Samba-related Booleans. >>> And then this morning, it was as if I hadn't customized anything. >>> >>> I had to revert and reset every one of those custom variables, and >>> /then/ I did a complete relabel. Once I did that, a certain application >>> that needed execmod allowed, would run. Samba runs as well, though I >>> probably discovered another issue--failure to turn on the nmb service as >>> well as the smb service. >>> >>> But when I change a part of the Samba policy, I thought that should hold >>> for good. Why doesn't it? Or did the relabeling finally make the issue >>> go away? >>> >>> I just don't want that issue to come back, that's all--but I don't want >>> to disable SELinux in order to do that. >>> >>> >> You did use the "-P" option to setsebool, didn't you? >> >> Paul. >> -- >> selinux mailing list >> selinux@lists.fedoraproject.org >> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> >> > I was using the GUI manager for SELinux, not Konsole. I did not know > about option -P. Is this another example of how the GUIs aren't up to par? > > Temlakos > > -- > selinux mailing list > selinux@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux > > > Something strange is going on. # grep setsebool /usr/share/system-config-selinux/booleansPage.py setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val) -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
Boolean resets don't stick
On 03/08/2010 09:24 AM, Daniel J Walsh wrote:
> On 03/08/2010 09:15 AM, Temlakos wrote: >> On 03/08/2010 09:10 AM, Paul Howarth wrote: >>> On 08/03/10 14:03, Temlakos wrote: >>> >>>> Why is it that when I changed some SELinux variables to allow certain >>>> processes, the allowances did not persist with the next shutdown and >>>> reboot cycle? >>>> >>>> I had occasion to set allow_execmod and several Samba-related >>>> Booleans. >>>> And then this morning, it was as if I hadn't customized anything. >>>> >>>> I had to revert and reset every one of those custom variables, and >>>> /then/ I did a complete relabel. Once I did that, a certain >>>> application >>>> that needed execmod allowed, would run. Samba runs as well, though I >>>> probably discovered another issue--failure to turn on the nmb >>>> service as >>>> well as the smb service. >>>> >>>> But when I change a part of the Samba policy, I thought that should >>>> hold >>>> for good. Why doesn't it? Or did the relabeling finally make the issue >>>> go away? >>>> >>>> I just don't want that issue to come back, that's all--but I don't >>>> want >>>> to disable SELinux in order to do that. >>>> >>> You did use the "-P" option to setsebool, didn't you? >>> >>> Paul. >>> -- >>> selinux mailing list >>> selinux@lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>> >>> >> I was using the GUI manager for SELinux, not Konsole. I did not know >> about option -P. Is this another example of how the GUIs aren't up to >> par? >> >> Temlakos >> >> -- >> selinux mailing list >> selinux@lists.fedoraproject.org >> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> > Something strange is going on. > > # grep setsebool /usr/share/system-config-selinux/booleansPage.py > setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val) > > Yes, I show the same from that grep command. In other words, system-config-selinux is supposed to use the -P option. I just went directly to Konsole and issued a setsebool command with the -P option. Now I'll reboot and see what happens. Recall the other thing that I did to get things to work again: I relabeled my whole file system. It took five minutes. Temlakos -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
Boolean resets don't stick
On 03/08/2010 09:24 AM, Daniel J Walsh wrote:
> On 03/08/2010 09:15 AM, Temlakos wrote: >> On 03/08/2010 09:10 AM, Paul Howarth wrote: >>> On 08/03/10 14:03, Temlakos wrote: >>> >>>> Why is it that when I changed some SELinux variables to allow certain >>>> processes, the allowances did not persist with the next shutdown and >>>> reboot cycle? >>>> >>>> I had occasion to set allow_execmod and several Samba-related >>>> Booleans. >>>> And then this morning, it was as if I hadn't customized anything. >>>> >>>> I had to revert and reset every one of those custom variables, and >>>> /then/ I did a complete relabel. Once I did that, a certain >>>> application >>>> that needed execmod allowed, would run. Samba runs as well, though I >>>> probably discovered another issue--failure to turn on the nmb >>>> service as >>>> well as the smb service. >>>> >>>> But when I change a part of the Samba policy, I thought that should >>>> hold >>>> for good. Why doesn't it? Or did the relabeling finally make the issue >>>> go away? >>>> >>>> I just don't want that issue to come back, that's all--but I don't >>>> want >>>> to disable SELinux in order to do that. >>>> >>> You did use the "-P" option to setsebool, didn't you? >>> >>> Paul. >>> -- >>> selinux mailing list >>> selinux@lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>> >>> >> I was using the GUI manager for SELinux, not Konsole. I did not know >> about option -P. Is this another example of how the GUIs aren't up to >> par? >> >> Temlakos >> >> -- >> selinux mailing list >> selinux@lists.fedoraproject.org >> https://admin.fedoraproject.org/mailman/listinfo/selinux >> >> > Something strange is going on. > > # grep setsebool /usr/share/system-config-selinux/booleansPage.py > setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val) > > OK, here's the reboot test. At first my application still didn't run, though all the Booleans showed up as set when I ran getsebool in Konsole. Then it occurred to me to launch KWallet directly. That solved the problem. I think I know what might have happened: KWallet doesn't start automatically every time. So SELinux was probably not at issue. Temlakos -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
Boolean resets don't stick
On 03/08/2010 09:48 AM, Temlakos wrote:
> On 03/08/2010 09:24 AM, Daniel J Walsh wrote: > >> On 03/08/2010 09:15 AM, Temlakos wrote: >> >>> On 03/08/2010 09:10 AM, Paul Howarth wrote: >>> >>>> On 08/03/10 14:03, Temlakos wrote: >>>> >>>> >>>>> Why is it that when I changed some SELinux variables to allow certain >>>>> processes, the allowances did not persist with the next shutdown and >>>>> reboot cycle? >>>>> >>>>> I had occasion to set allow_execmod and several Samba-related >>>>> Booleans. >>>>> And then this morning, it was as if I hadn't customized anything. >>>>> >>>>> I had to revert and reset every one of those custom variables, and >>>>> /then/ I did a complete relabel. Once I did that, a certain >>>>> application >>>>> that needed execmod allowed, would run. Samba runs as well, though I >>>>> probably discovered another issue--failure to turn on the nmb >>>>> service as >>>>> well as the smb service. >>>>> >>>>> But when I change a part of the Samba policy, I thought that should >>>>> hold >>>>> for good. Why doesn't it? Or did the relabeling finally make the issue >>>>> go away? >>>>> >>>>> I just don't want that issue to come back, that's all--but I don't >>>>> want >>>>> to disable SELinux in order to do that. >>>>> >>>>> >>>> You did use the "-P" option to setsebool, didn't you? >>>> >>>> Paul. >>>> -- >>>> selinux mailing list >>>> selinux@lists.fedoraproject.org >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>>> >>>> >>>> >>> I was using the GUI manager for SELinux, not Konsole. I did not know >>> about option -P. Is this another example of how the GUIs aren't up to >>> par? >>> >>> Temlakos >>> >>> -- >>> selinux mailing list >>> selinux@lists.fedoraproject.org >>> https://admin.fedoraproject.org/mailman/listinfo/selinux >>> >>> >>> >> Something strange is going on. >> >> # grep setsebool /usr/share/system-config-selinux/booleansPage.py >> setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val) >> >> >> > OK, here's the reboot test. At first my application still didn't run, > though all the Booleans showed up as set when I ran getsebool in Konsole. > > Then it occurred to me to launch KWallet directly. That solved the problem. > > I think I know what might have happened: KWallet doesn't start > automatically every time. So SELinux was probably not at issue. > > Temlakos > -- > selinux mailing list > selinux@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/selinux > Thats ok. Just rounding up the usual suspects... -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux |
| All times are GMT. The time now is 03:38 AM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.