Bug 161035 - SELinux FAQ - [summarize FAQ change or addition]
Summary: SELinux FAQ - [summarize FAQ change or addition]
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
Version: devel
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Karsten Wade
QA Contact: Tammy Fox
URL: http://fedora.redhat.com/docs/selinux...
Whiteboard:
Depends On:
Blocks: 118757
 
Reported: 2005-06-20 04:29 UTC by Russell Coker
Modified: 2009-02-27 21:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-02-27 21:44:13 UTC



Description Russell Coker 2005-06-20 04:29:36 UTC
Description of change/FAQ addition.  If a change, include the original 
text first, then the changed text: 
 
Please preface the following text with the string "if you are using strict 
policy".  Targeted policy has no need for running newrole. 
 
sysadm_r role required 
 You must issue the setenforce command with the sysadm_r role; to do so, use 
the newrole command. Alternately, if you switch to root using su -, you gain 
the sysadm_r role automatically. 
 
In FC4 there is now an answer to the following question.  Steve Grubb would be 
the best person to provide it. 
How do I temporarily turn off system-call auditing without having to reboot? 
 
 
Please replace this: 
For example, if an application running under an enforcing mode was denied 
trying to read a number of files in a directory, it would be stopped once at 
the beginning of the action. In a non-enforcing mode, the application is not 
stopped from traversing the directory tree, and would receive a denial message 
for each file read in the directory. 
With this: 
For example, if an application running under an enforcing mode was denied 
trying to read a directory. In a non-enforcing mode, the application is not 
stopped from traversing the directory tree, and would receive a denial message 
for each file read in the directory. 
 
 
We need a new question: 
Q) When my machine has wrong values for the security contexts of important 
files how do I recover it? 
A) You can create the file /.autorelabel and then reboot the machine for a 
file relabel on boot.  If the machine is not in a state to allow booting or 
logging in (so you can't create the file) then you can boot and put 
"autorelabel" on the boot command-line.  Note that the machine may need to be 
booted with "enforcing=0" to work in the case of system boot scripts with the 
wrong security context.

Comment 1 Steve Grubb 2005-06-20 13:15:05 UTC
If you are wanting to turn off syscall auditing, you delete the rules. That is 
auditctl -D. No rules, no auditing. You can see the rules by auditctl -l. 
 
This does not affect SE Linux though. If you want to turn off the whole audit 
system then auditctl -e 0  will do it. -e 1 turns it back on. 

Comment 2 Susan Lauber 2009-02-27 21:44:13 UTC
The FC3 version of the SELinux FAQ is no longer being maintained.
I am closing this ancient bug.

FYI
There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at
https://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/

