209372 – enforce value on runtime system changed BEFORE updating /etc/sysconfig/selinux

Bug 209372 - enforce value on runtime system changed BEFORE updating /etc/sysconfig/selinux

Summary: enforce value on runtime system changed BEFORE updating /etc/sysconfig/selinux

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	system-config-securitylevel
Sub Component:
Version:	6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Chris Lumens
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-10-04 21:39 UTC by Gene Czarcinski
Modified:	2007-11-30 22:11 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2006-10-19 18:02:21 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Gene Czarcinski 2006-10-04 21:39:25 UTC

Description of problem:

If you have switched to a new policy (e.g., from targeted to mls) and then the
system does not work with that policy, the solution is to reboot with
enforcing=0 and than change the policy back (e.g., from mls to targeted).

Since I normally run with targeted/enforcing (not permissive), I just changed
the policy.  But, the tool appears to change the runtime value of
/selinux/enforce BEFORE it changes /etc/sysconfig/selinux

Solution: change /etc/sysconfig/selinux file first.

Better Solution: make changing the value of SELINUX in the file a separate and
distict action from changing the runtime system

Comment 1 Chris Lumens 2006-10-19 18:02:21 UTC

Changed to write the config file before setting/unsetting enforcing.  The new
order of things on save is:  write config, change enforcing mode, touch
/.autorelabel if required, save modifiers.  Thanks for the bug report.  Might
make an FC6 update for this.

Note You need to log in before you can comment on or make changes to this bug.