03-08-2010, 01:03 PM
Temlakos

Boolean resets don't stick

Why is it that when I changed some SELinux variables to allow certain
processes, the allowances did not persist with the next shutdown and
reboot cycle?

I had occasion to set allow_execmod and several Samba-related Booleans.
And then this morning, it was as if I hadn't customized anything.

I had to revert and reset every one of those custom variables, and then
I did a complete relabel. Once I did that, a certain application that
needed execmod allowed, would run. Samba runs as well, though I
probably discovered another issue--failure to turn on the nmb service
as well as the smb service.

But when I change a part of the Samba policy, I thought that should
hold for good. Why doesn't it? Or did the relabeling finally make the
issue go away?

I just don't want that issue to come back, that's all--but I don't want
to disable SELinux in order to do that.

Temlakos

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
03-08-2010, 01:10 PM
Paul Howarth

Boolean resets don't stick

On 08/03/10 14:03, Temlakos wrote:
> Why is it that when I changed some SELinux variables to allow certain
> processes, the allowances did not persist with the next shutdown and
> reboot cycle?
>
> I had occasion to set allow_execmod and several Samba-related Booleans.
> And then this morning, it was as if I hadn't customized anything.
>
> I had to revert and reset every one of those custom variables, and
> /then/ I did a complete relabel. Once I did that, a certain application
> that needed execmod allowed, would run. Samba runs as well, though I
> probably discovered another issue--failure to turn on the nmb service as
> well as the smb service.
>
> But when I change a part of the Samba policy, I thought that should hold
> for good. Why doesn't it? Or did the relabeling finally make the issue
> go away?
>
> I just don't want that issue to come back, that's all--but I don't want
> to disable SELinux in order to do that.

You did use the "-P" option to setsebool, didn't you?

Paul.
 
03-08-2010, 01:15 PM
Temlakos

Boolean resets don't stick

On 03/08/2010 09:10 AM, Paul Howarth wrote:
> On 08/03/10 14:03, Temlakos wrote:
>
>> Why is it that when I changed some SELinux variables to allow certain
>> processes, the allowances did not persist with the next shutdown and
>> reboot cycle?
>>
>> I had occasion to set allow_execmod and several Samba-related Booleans.
>> And then this morning, it was as if I hadn't customized anything.
>>
>> I had to revert and reset every one of those custom variables, and
>> /then/ I did a complete relabel. Once I did that, a certain application
>> that needed execmod allowed, would run. Samba runs as well, though I
>> probably discovered another issue--failure to turn on the nmb service as
>> well as the smb service.
>>
>> But when I change a part of the Samba policy, I thought that should hold
>> for good. Why doesn't it? Or did the relabeling finally make the issue
>> go away?
>>
>> I just don't want that issue to come back, that's all--but I don't want
>> to disable SELinux in order to do that.
>>
> You did use the "-P" option to setsebool, didn't you?
>
> Paul.
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>

I was using the GUI manager for SELinux, not Konsole. I did not know
about option -P. Is this another example of how the GUIs aren't up to par?

Temlakos

 
03-08-2010, 01:24 PM
Daniel J Walsh

Boolean resets don't stick

On 03/08/2010 09:15 AM, Temlakos wrote:
> On 03/08/2010 09:10 AM, Paul Howarth wrote:
>
>> On 08/03/10 14:03, Temlakos wrote:
>>
>>
>>> Why is it that when I changed some SELinux variables to allow certain
>>> processes, the allowances did not persist with the next shutdown and
>>> reboot cycle?
>>>
>>> I had occasion to set allow_execmod and several Samba-related Booleans.
>>> And then this morning, it was as if I hadn't customized anything.
>>>
>>> I had to revert and reset every one of those custom variables, and
>>> /then/ I did a complete relabel. Once I did that, a certain application
>>> that needed execmod allowed, would run. Samba runs as well, though I
>>> probably discovered another issue--failure to turn on the nmb service as
>>> well as the smb service.
>>>
>>> But when I change a part of the Samba policy, I thought that should hold
>>> for good. Why doesn't it? Or did the relabeling finally make the issue
>>> go away?
>>>
>>> I just don't want that issue to come back, that's all--but I don't want
>>> to disable SELinux in order to do that.
>>>
>>>
>> You did use the "-P" option to setsebool, didn't you?
>>
>> Paul.
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>>
> I was using the GUI manager for SELinux, not Konsole. I did not know
> about option -P. Is this another example of how the GUIs aren't up to par?
>
> Temlakos
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
Something strange is going on.

# grep setsebool /usr/share/system-config-selinux/booleansPage.py
setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val)

 
03-08-2010, 01:31 PM
Temlakos

Boolean resets don't stick

On 03/08/2010 09:24 AM, Daniel J Walsh wrote:
> On 03/08/2010 09:15 AM, Temlakos wrote:
>> On 03/08/2010 09:10 AM, Paul Howarth wrote:
>>> On 08/03/10 14:03, Temlakos wrote:
>>>
>>>> Why is it that when I changed some SELinux variables to allow certain
>>>> processes, the allowances did not persist with the next shutdown and
>>>> reboot cycle?
>>>>
>>>> I had occasion to set allow_execmod and several Samba-related
>>>> Booleans.
>>>> And then this morning, it was as if I hadn't customized anything.
>>>>
>>>> I had to revert and reset every one of those custom variables, and
>>>> /then/ I did a complete relabel. Once I did that, a certain
>>>> application
>>>> that needed execmod allowed, would run. Samba runs as well, though I
>>>> probably discovered another issue--failure to turn on the nmb
>>>> service as
>>>> well as the smb service.
>>>>
>>>> But when I change a part of the Samba policy, I thought that should
>>>> hold
>>>> for good. Why doesn't it? Or did the relabeling finally make the issue
>>>> go away?
>>>>
>>>> I just don't want that issue to come back, that's all--but I don't
>>>> want
>>>> to disable SELinux in order to do that.
>>>>
>>> You did use the "-P" option to setsebool, didn't you?
>>>
>>> Paul.
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>> I was using the GUI manager for SELinux, not Konsole. I did not know
>> about option -P. Is this another example of how the GUIs aren't up to
>> par?
>>
>> Temlakos
>>
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
> Something strange is going on.
>
> # grep setsebool /usr/share/system-config-selinux/booleansPage.py
> setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val)
>
>

Yes, I show the same from that grep command. In other words,
system-config-selinux is supposed to use the -P option.

I just went directly to Konsole and issued a setsebool command with the
-P option.

Now I'll reboot and see what happens.

Recall the other thing that I did to get things to work again: I
relabeled my whole file system. It took five minutes.

Temlakos
 
03-08-2010, 01:48 PM
Temlakos

Boolean resets don't stick

On 03/08/2010 09:24 AM, Daniel J Walsh wrote:
> On 03/08/2010 09:15 AM, Temlakos wrote:
>> On 03/08/2010 09:10 AM, Paul Howarth wrote:
>>> On 08/03/10 14:03, Temlakos wrote:
>>>
>>>> Why is it that when I changed some SELinux variables to allow certain
>>>> processes, the allowances did not persist with the next shutdown and
>>>> reboot cycle?
>>>>
>>>> I had occasion to set allow_execmod and several Samba-related
>>>> Booleans.
>>>> And then this morning, it was as if I hadn't customized anything.
>>>>
>>>> I had to revert and reset every one of those custom variables, and
>>>> /then/ I did a complete relabel. Once I did that, a certain
>>>> application
>>>> that needed execmod allowed, would run. Samba runs as well, though I
>>>> probably discovered another issue--failure to turn on the nmb
>>>> service as
>>>> well as the smb service.
>>>>
>>>> But when I change a part of the Samba policy, I thought that should
>>>> hold
>>>> for good. Why doesn't it? Or did the relabeling finally make the issue
>>>> go away?
>>>>
>>>> I just don't want that issue to come back, that's all--but I don't
>>>> want
>>>> to disable SELinux in order to do that.
>>>>
>>> You did use the "-P" option to setsebool, didn't you?
>>>
>>> Paul.
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>> I was using the GUI manager for SELinux, not Konsole. I did not know
>> about option -P. Is this another example of how the GUIs aren't up to
>> par?
>>
>> Temlakos
>>
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
> Something strange is going on.
>
> # grep setsebool /usr/share/system-config-selinux/booleansPage.py
> setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val)
>
>

OK, here's the reboot test. At first my application still didn't run,
though all the Booleans showed up as set when I ran getsebool in Konsole.

Then it occurred to me to launch KWallet directly. That solved the problem.

I think I know what might have happened: KWallet doesn't start
automatically every time. So SELinux was probably not at issue.

Temlakos
 
03-08-2010, 02:23 PM
Daniel J Walsh

Boolean resets don't stick

On 03/08/2010 09:48 AM, Temlakos wrote:
> On 03/08/2010 09:24 AM, Daniel J Walsh wrote:
>
>> On 03/08/2010 09:15 AM, Temlakos wrote:
>>
>>> On 03/08/2010 09:10 AM, Paul Howarth wrote:
>>>
>>>> On 08/03/10 14:03, Temlakos wrote:
>>>>
>>>>
>>>>> Why is it that when I changed some SELinux variables to allow certain
>>>>> processes, the allowances did not persist with the next shutdown and
>>>>> reboot cycle?
>>>>>
>>>>> I had occasion to set allow_execmod and several Samba-related
>>>>> Booleans.
>>>>> And then this morning, it was as if I hadn't customized anything.
>>>>>
>>>>> I had to revert and reset every one of those custom variables, and
>>>>> /then/ I did a complete relabel. Once I did that, a certain
>>>>> application
>>>>> that needed execmod allowed, would run. Samba runs as well, though I
>>>>> probably discovered another issue--failure to turn on the nmb
>>>>> service as
>>>>> well as the smb service.
>>>>>
>>>>> But when I change a part of the Samba policy, I thought that should
>>>>> hold
>>>>> for good. Why doesn't it? Or did the relabeling finally make the issue
>>>>> go away?
>>>>>
>>>>> I just don't want that issue to come back, that's all--but I don't
>>>>> want
>>>>> to disable SELinux in order to do that.
>>>>>
>>>>>
>>>> You did use the "-P" option to setsebool, didn't you?
>>>>
>>>> Paul.
>>>> --
>>>> selinux mailing list
>>>> selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>>
>>> I was using the GUI manager for SELinux, not Konsole. I did not know
>>> about option -P. Is this another example of how the GUIs aren't up to
>>> par?
>>>
>>> Temlakos
>>>
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>>
>> Something strange is going on.
>>
>> # grep setsebool /usr/share/system-config-selinux/booleansPage.py
>> setsebool="/usr/sbin/setsebool -P %s=%d" % (key, not val)
>>
>>
>>
> OK, here's the reboot test. At first my application still didn't run,
> though all the Booleans showed up as set when I ran getsebool in Konsole.
>
> Then it occurred to me to launch KWallet directly. That solved the problem.
>
> I think I know what might have happened: KWallet doesn't start
> automatically every time. So SELinux was probably not at issue.
>
> Temlakos
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
That's ok. Just rounding up the usual suspects...

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
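
Added example, not part of the original thread or of any poster's message: a shell check for the situation the thread first suspected, a Boolean changed without -P so that the running value and the stored value disagree. It assumes the "name (current , persistent) description" layout printed by current `semanage boolean -l`; the sample listing, the description text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Report SELinux Booleans whose running value differs from the persistent one.
# Assumed input layout (not shown in the thread):
#   name   (current , persistent)   description

# Constructed sample listing so the script runs offline.
SAMPLE_LISTING='SELinux boolean                State  Default Description

allow_execmod                  (on   ,  off)  Constructed sample row
samba_enable_home_dirs         (on   ,   on)  Constructed sample row
samba_export_all_rw            (off  ,  off)  Constructed sample row'

# Read a listing on stdin; print one line per Boolean that would revert
# at the next reboot because only the runtime value was changed.
boolean_drift() {
    awk '
        # Only rows carrying a "(state , state)" pair are Booleans;
        # the header row and blank lines are skipped.
        match($0, /\((on|off)[ ]*,[ ]*(on|off)\)/) {
            name = $1
            pair = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/ /, "", pair)
            split(pair, st, ",")
            if (st[1] != st[2])
                printf "%s runtime=%s persistent=%s\n", name, st[1], st[2]
        }'
}

# Turn the drift report into setsebool -P commands for review.
# Nothing is executed; the commands are only printed.
persist_commands() {
    boolean_drift | awk '{
        sub(/^runtime=/, "", $2)
        printf "setsebool -P %s %s\n", $1, $2
    }'
}

# On a live system: semanage boolean -l | boolean_drift
printf '%s\n' "$SAMPLE_LISTING" | boolean_drift
printf '%s\n' "$SAMPLE_LISTING" | persist_commands
```

A Boolean that is on at runtime but off in the stored policy is also worth reviewing before it is made permanent, since persisting it keeps the looser policy across reboots.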
 
