Hello!
I was playing with some app (ZoneMinder) which recommends to disable SELinux, but solved my problem with the IP camera by using some app on my tablet and now would like to re-enable SELinux as it was initially configured.
However, I cannot boot (without passing selinux=0) by just editing /etc/selinux/config so wonder what is correct/recommended way to re-enable SELinux on Fedora (f26)?
Sincerely, Gour
Re-sending to the list..... sigh...
On 09/15/17 10:19, Gour wrote:
Hello!
I was playing with some app (ZoneMinder) which recommends to disable SELinux, but solved my problem with the IP camera by using some app on my tablet and now would like to re-enable SELinux as it was initially configured.
However, I cannot boot (without passing selinux=0) by just editing /etc/selinux/config so wonder what is correct/recommended way to re-enable SELinux on Fedora (f26)?
You didn't say what error, if any, you're hitting when you try to reboot with selinux enabled.
Without knowing that, this is a guess. You may need to relabel.
Edit the /etc/selinux/config to set "enforcing"
Then....
touch /.autorelabel reboot
On Fri, 15 Sep 2017 10:39:41 +0800 Ed Greshko ed.greshko@greshko.com wrote:
You didn't say what error, if any, you're hitting when you try to reboot with selinux enabled.
Well, bunch of services were not able to start...
Without knowing that, this is a guess. You may need to relabel.
Edit the /etc/selinux/config to set "enforcing"
Then....
touch /.autorelabel reboot
I was trying that, but didn't work, so had to go via the:
disabled --> permissive --> enforcing
route in order to restore previous status of my system:
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 30
Sincerely, Gour
On 09/15/2017 11:30 AM, Gour wrote:
On Fri, 15 Sep 2017 10:39:41 +0800 Ed Greshko ed.greshko@greshko.com wrote:
You didn't say what error, if any, you're hitting when you try to reboot with selinux enabled.
Well, bunch of services were not able to start...
Without knowing that, this is a guess. You may need to relabel.
Edit the /etc/selinux/config to set "enforcing"
Then....
touch /.autorelabel reboot
I was trying that, but didn't work, so had to go via the:
disabled --> permissive --> enforcing
route in order to restore previous status of my system:
SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: enforcing Mode from config file: enforcing Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 30
Sincerely, Gour
Hi,
Could you boot in permissive mode, try to reproduce (start broken services) and then attach output of: # ausearch -m AVC,USE_AVC -ts today
Thanks, Lukas.
On Fri, 15 Sep 2017 11:37:59 +0200 Lukas Vrabec lvrabec@redhat.com wrote:
Could you boot in permissive mode, try to reproduce (start broken services) and then attach output of: # ausearch -m AVC,USE_AVC -ts today
Here is the reply which I sent to the list, but it was held in moderation queue - probably due to attachment:
"When I did boot in permissive mode there were no errors in boot console, but in the attachment I send a screenshot that I captured with the phone that was visible when I tried: disabled --> enforcing, if it helps?"
Sincerely, Gour
On 09/15/2017 02:30 AM, Gour wrote:
Ed Greshko ed.greshko@greshko.com wrote:
Without knowing that, this is a guess. You may need to relabel.
Edit the /etc/selinux/config to set "enforcing"
Then....
touch /.autorelabel reboot
I was trying that, but didn't work, so had to go via the:
disabled --> permissive --> enforcing
If you've been running with selinux disabled for a while, then yes, you probably need to do the relabel steps in permissive mode and then turn it back to enforcing after.
Are you saying that it's all working now?
On Fri, 15 Sep 2017 10:43:15 -0700 Samuel Sieb samuel@sieb.net wrote:
If you've been running with selinux disabled for a while, then yes, you probably need to do the relabel steps in permissive mode and then turn it back to enforcing after.
Thank you for confirming it and I learnt the lesson. :-)
Are you saying that it's all working now?
Yes, everything is working fine now.
Sincerely, Gour