From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8) Gecko/20051103 Fedora/1.5-0.5.0.rc1 Firefox/1.5

Description of problem:
Boolean defaults defined in /etc/selinux/targeted/booleans are not in effect when the system is brought up. An NFS server, for example, won't let clients access mount points, because nfs_export_all_* are not enabled.

As soon as I run

setsebool $(grep -v ^# /etc/selinux/targeted/booleans )

everything starts working as expected (modulo other known policy bugs :-)

I don't even have a booleans.local file, so that's not it.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.27.2-19

How reproducible:
Always

Steps to Reproduce:
1. Boot up
2. Check whether the default booleans are set

Actual Results: They are not

Expected Results: They should be

Additional info:
Did you install reference policy and then remove it? If yes, could you rm -rf /etc/selinux/targeted/modules? This might be causing init to be confused and think you are running reference policy. Reference policy ignores the booleans file, because it gets compiled into the policy.

Dan
If you mean selinux-targeted-policy-2.0.0 that hit rawhide a few days ago and was later downgraded, yes, I did. Unfortunately, even after rm -rf /etc/selinux/targeted/modules and a reboot, I still get:

getsebool -a | grep nfs
nfs_export_all_ro --> inactive
nfs_export_all_rw --> inactive
nfsd_disable_trans --> inactive
use_nfs_home_dirs --> inactive

whereas

# grep nfs /etc/selinux/targeted/booleans
nfs_export_all_ro=1
nfs_export_all_rw=1
use_nfs_home_dirs=0

:-(

Where is it that these booleans get set up? I could try to debug it from there, but I just can't figure out where they're supposed to be loaded.

Thanks,
In /etc/selinux/config, remove the

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

or set it to 1.

See if that fixes it.
Thank you very much, that did it. I was about to close this as NOTABUG, but then I thought you might want to take such downgrade cases into account in the reference package (if at all possible) to avoid problems like the one I ran into.
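The comparison done by hand in this thread (getsebool -a output against /etc/selinux/targeted/booleans) can be scripted so that a boot-time mismatch is caught before a service such as NFS starts refusing clients. The following is an added example, not part of the original report or of the selinux-policy package; the function names boolean_drift and demo_drift and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report: list SELinux booleans whose
# runtime state differs from the defaults file.

# boolean_drift DEFAULTS_FILE GETSEBOOL_DUMP
# Prints one line per mismatch; returns 1 if any mismatch was found.
boolean_drift() {
    drift=$(awk '
        FILENAME == ARGV[1] {                  # defaults file: name=value
            sub(/#.*/, "")                     # strip comments
            if (split($0, kv, "=") == 2) {
                gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                want[kv[1]] = (kv[2] == "1" || kv[2] == "true") ? "active" : "inactive"
            }
            next
        }
        $2 == "-->" {                          # getsebool -a: name --> state
            state = $3
            if (state == "on")  state = "active"     # newer getsebool wording
            if (state == "off") state = "inactive"
            have[$1] = state
        }
        END {
            for (b in want) {
                if (!(b in have))            print b ": not present at runtime"
                else if (have[b] != want[b]) print b ": file=" want[b] " runtime=" have[b]
            }
        }' "$1" "$2" | sort)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Constructed sample mirroring the values quoted in the thread.
demo_drift() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' '# constructed sample' 'nfs_export_all_ro=1' \
        'nfs_export_all_rw=1' 'use_nfs_home_dirs=0' > "$tmp/booleans"
    printf '%s\n' 'nfs_export_all_ro --> inactive' 'nfs_export_all_rw --> inactive' \
        'nfsd_disable_trans --> inactive' 'use_nfs_home_dirs --> inactive' > "$tmp/runtime"
    rc=0; boolean_drift "$tmp/booleans" "$tmp/runtime" || rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_drift || true
```

On a live system, save the output of getsebool -a to a file and pass it as the second argument, with /etc/selinux/targeted/booleans as the first.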