Bug 161035

Summary: SELinux FAQ - [summarize FAQ change or addition]
Product: [Fedora] Fedora Documentation
Reporter: Russell Coker <rcoker>
Component: selinux-faq
Assignee: Karsten Wade <kwade>
Status: CLOSED WONTFIX
QA Contact: Tammy Fox <tammy.c.fox>
Severity: medium
Docs Contact:
Priority: medium
Version: devel
CC: laubersm+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://fedora.redhat.com/docs/selinux-faq-fc3/
Doc Type: Bug Fix
Last Closed: 2009-02-27 21:44:13 UTC
Bug Blocks: 118757    

Description Russell Coker 2005-06-20 04:29:36 UTC
Description of change/FAQ addition.  If a change, include the original 
text first, then the changed text: 
 
Please preface the following text with the string "if you are using strict 
policy".  Targeted policy has no need for running newrole. 
 
sysadm_r role required 
 You must issue the setenforce command with the sysadm_r role; to do so, use 
the newrole command. Alternately, if you switch to root using su -, you gain 
the sysadm_r role automatically. 
 
In FC4 there is now an answer to the following question.  Steve Grubb would be 
the best person to provide it. 
How do I temporarily turn off system-call auditing without having to reboot? 
 
 
Please replace this: 
For example, if an application running under an enforcing mode was denied 
trying to read a number of files in a directory, it would be stopped once at 
the beginning of the action. In a non-enforcing mode, the application is not 
stopped from traversing the directory tree, and would receive a denial message 
for each file read in the directory. 
With this: 
For example, if an application running under an enforcing mode was denied 
trying to read a directory. In a non-enforcing mode, the application is not 
stopped from traversing the directory tree, and would receive a denial message 
for each file read in the directory. 
 
 
We need a new question: 
Q) When my machine has wrong values for the security contexts of important 
files how do I recover it? 
A) You can create the file /.autorelabel and then reboot the machine for a 
file relabel on boot.  If the machine is not in a state to allow booting or 
logging in (so you can't create the file) then you can boot and put 
"autorelabel" on the boot command-line.  Note that the machine may need to be 
booted with "enforcing=0" to work in the case of system boot scripts with the 
wrong security context.

Comment 1 Steve Grubb 2005-06-20 13:15:05 UTC
If you are wanting to turn off syscall auditing, you delete the rules. That is 
auditctl -D. No rules, no auditing. You can see the rules by auditctl -l. 
 
This does not affect SE Linux though. If you want to turn off the whole audit 
system then auditctl -e 0  will do it. -e 1 turns it back on. 
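
The two states Comment 1 distinguishes (rules deleted with auditctl -D versus the whole audit system switched off with auditctl -e 0) can be told apart from auditctl output. The script below is an added example, not part of this bug thread or of the audit tools: classify_audit_state is a hypothetical helper, the sample outputs are constructed, and it relies on auditctl -s (status) in addition to the flags named above.

```shell
#!/bin/sh
# Added example: classify the audit state from auditctl output.
# classify_audit_state is a hypothetical helper name, not part of auditd.

# $1 = text printed by `auditctl -s`, $2 = text printed by `auditctl -l`
classify_audit_state() {
    # "enabled 1" (newer auditctl) or "enabled=1" (older AUDIT_STATUS line).
    enabled=$(printf '%s\n' "$1" |
        sed -n 's/.*enabled[ =]\([0-9][0-9]*\).*/\1/p' | head -n 1)
    # Count loaded rules; an empty list prints the single line "No rules".
    rules=$(printf '%s\n' "$2" |
        awk 'NF && $0 != "No rules" { n++ } END { print n + 0 }')
    case "$enabled" in
        0)   echo "audit-disabled" ;;          # state after auditctl -e 0
        1|2) if [ "$rules" -eq 0 ]; then       # 2 = enabled and locked
                 echo "no-rules"               # state after auditctl -D
             else
                 echo "auditing rules=$rules"
             fi ;;
        *)   echo "unknown" ;;                 # status text not recognised
    esac
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_STATUS_NEW='enabled 1
failure 1
pid 812
backlog_limit 8192'
SAMPLE_STATUS_OLD='AUDIT_STATUS: enabled=0 flag=1 pid=1873 rate_limit=0 backlog_limit=256'
SAMPLE_RULES='-a always,exit -F arch=b64 -S execve -k exec
-w /etc/shadow -p wa -k shadow'

if [ "${1:-}" = "--live" ]; then
    # Needs root; reads the running kernel's audit state.
    classify_audit_state "$(auditctl -s)" "$(auditctl -l)"
else
    classify_audit_state "$SAMPLE_STATUS_NEW" "$SAMPLE_RULES"
    classify_audit_state "$SAMPLE_STATUS_NEW" "No rules"
    classify_audit_state "$SAMPLE_STATUS_OLD" "$SAMPLE_RULES"
fi
```

Run with --live as root to classify the running system; a "no-rules" or "audit-disabled" result on a host that is expected to audit system calls is worth alerting on.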

Comment 2 Susan Lauber 2009-02-27 21:44:13 UTC
The FC3 version of the SELinux FAQ is no longer being maintained.
I am closing this ancient bug.

FYI
There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at
https://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/