Bug 161035 - SELinux FAQ - [summarize FAQ change or addition]
Status: CLOSED WONTFIX
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq
devel
All Linux
medium Severity medium
Assigned To: Karsten Wade
Tammy Fox
http://fedora.redhat.com/docs/selinux...
Blocks: 118757
Reported: 2005-06-20 00:29 EDT by Russell Coker
Modified: 2009-02-27 16:44 EST
Doc Type: Bug Fix
Last Closed: 2009-02-27 16:44:13 EST
Description Russell Coker 2005-06-20 00:29:36 EDT
Description of change/FAQ addition.  If a change, include the original 
text first, then the changed text: 
 
Please preface the following text with the string "if you are using strict 
policy".  Targeted policy has no need for running newrole. 
 
sysadm_r role required 
 You must issue the setenforce command with the sysadm_r role; to do so, use 
the newrole command. Alternately, if you switch to root using su -, you gain 
the sysadm_r role automatically. 
 
In FC4 there is now an answer to the following question.  Steve Grubb would be 
the best person to provide it. 
How do I temporarily turn off system-call auditing without having to reboot? 
 
 
Please replace this: 
For example, if an application running under an enforcing mode was denied 
trying to read a number of files in a directory, it would be stopped once at 
the beginning of the action. In a non-enforcing mode, the application is not 
stopped from traversing the directory tree, and would receive a denial message 
for each file read in the directory. 
With this: 
For example, if an application running under an enforcing mode was denied 
trying to read a directory. In a non-enforcing mode, the application is not 
stopped from traversing the directory tree, and would receive a denial message 
for each file read in the directory. 
 
 
We need a new question: 
Q) When my machine has wrong values for the security contexts of important 
files how do I recover it? 
A) You can create the file /.autorelabel and then reboot the machine for a 
file relabel on boot.  If the machine is not in a state to allow booting or 
logging in (so you can't create the file) then you can boot and put 
"autorelabel" on the boot command-line.  Note that the machine may need to be 
booted with "enforcing=0" to work in the case of system boot scripts with the 
wrong security context.
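
The recovery step proposed above, as an added example that is not part of the bug report or the FAQ: a dry-run check for mislabeled files that requests a relabel on boot only when it finds some. It assumes restorecon from policycoreutils and the two dry-run message styles shown in the comments; the function names and the --check flag are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the bug report. Assumes restorecon(8) from
# policycoreutils; function names and the --check flag are hypothetical.

# Read `restorecon -R -n -v DIR` (dry run) output on stdin and print the
# paths whose on-disk context differs from policy. Two message styles:
#   Would relabel PATH from OLD to NEW          (newer releases)
#   restorecon reset PATH context OLD->NEW      (older releases)
mislabeled_paths() {
    sed -n \
        -e 's/^Would relabel \(.*\) from [^ ]* to [^ ]*$/\1/p' \
        -e 's/^restorecon reset \(.*\) context [^ ]*->[^ ]*$/\1/p'
}

# Count mislabeled paths in dry-run output on stdin.
count_mislabeled() {
    mislabeled_paths | wc -l | tr -d ' '
}

# Request a full relabel on next boot by creating ROOT/.autorelabel.
# ROOT defaults to /; pass a mount point when working from rescue media.
schedule_relabel() {
    root=${1:-/}
    : > "${root%/}/.autorelabel"
}

# Run only when asked: ./check-labels.sh --check /etc
if [ "${1:-}" = "--check" ]; then
    dir=${2:-/etc}
    n=$(restorecon -R -n -v "$dir" 2>/dev/null | count_mislabeled)
    echo "$n mislabeled path(s) under $dir"
    if [ "$n" -gt 0 ]; then
        schedule_relabel / && echo "created /.autorelabel; reboot to relabel"
    fi
fi
```
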
Comment 1 Steve Grubb 2005-06-20 09:15:05 EDT
If you are wanting to turn off syscall auditing, you delete the rules. That is 
auditctl -D. No rules, no auditing. You can see the rules by auditctl -l. 
 
This does not affect SE Linux though. If you want to turn off the whole audit 
system then auditctl -e 0  will do it. -e 1 turns it back on. 
Comment 2 Susan Lauber 2009-02-27 16:44:13 EST
The FC3 version of the SELinux FAQ is no longer being maintained.
I am closing this ancient bug.

FYI
There is an FC5 FAQ http://docs.fedoraproject.org/selinux-faq/
and a list of proposed updates in the wiki at
https://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions

Additional FAQ work will likely remain in the wiki but there is also
a F10 SELinux Users Guide http://docs.fedoraproject.org/selinux-user-guide/
