Linko22's Wiki

Инструменты пользователя

Инструменты сайта

Вы посетили:
linux:selinux
Warning: Undefined array key -1 in /home/virtwww/w_linko22-ru_c0d3353b/http/inc/html.php on line 1458

Различия

Показаны различия между двумя версиями страницы.

Ссылка на это сравнение

Предыдущая версия справа и слева Предыдущая версия
Следующая версия 		Предыдущая версия
linux:selinux [2011/10/10 14:14]
linko22@gmail.com 		linux:selinux [2011/10/10 14:18] (текущий)
linko22@gmail.com [Re-Enabling SELinux]
Строка 7: Строка 7:
  
 SELinux has two major components on your system. There's the kernel mechanism which is enforcing a bunch of access rules which apply to processes and files. And secondly, there's file labels : **every** file on your system has extra labels attached to it which tie-in with those access rules. Run  SELinux has two major components on your system. There's the kernel mechanism which is enforcing a bunch of access rules which apply to processes and files. And secondly, there's file labels : **every** file on your system has extra labels attached to it which tie-in with those access rules. Run 
-<code bash>ls -Z<code>+<code bash>ls -Z</code>
  and you'll see what I mean.  and you'll see what I mean.
 ===== Should you really disable SELinux? ===== ===== Should you really disable SELinux? =====
Строка 41: Строка 41:
 In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this: In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:
  
 +<code bash>
 # This file controls the state of SELinux on the system. # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values: # SELINUX= can take one of these three values:
Строка 52: Строка 52:
 # strict - Full SELinux protection. # strict - Full SELinux protection.
 SELINUXTYPE=targeted SELINUXTYPE=targeted
-... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it. +</code> 
-For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf if you're using the GRUB boot loader. On the kernel line, add enforcing=0 at the end. For example, +... just change **SELINUX=enforcing** to **SELINUX=permissive**, and you're done. Reboot if you want to prove it. 
 +For the other Linuxes which don't have the **/etc/selinux/config** file, you just need to edit the kernel boot line, usually in **/boot/grub/grub.conf** if you're using the GRUB boot loader. On the kernel line, add **enforcing=0** at the end. For example,
  
 +<code bash>
 title SE-Linux Test System title SE-Linux Test System
  root (hd0,0)  root (hd0,0)
  kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0  kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb enforcing=0
  #initrd /boot/initrd-2.4.20-selinux-2003040709.img  #initrd /boot/initrd-2.4.20-selinux-2003040709.img
 +</code>
 ===== Fully Disabling SELinux ===== ===== Fully Disabling SELinux =====
  
 Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling. Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.
-In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled: +In Fedora Core and RedHat Enterprise, edit **/etc/selinux/config** and change the SELINUX line to **SELINUX=disabled**:
  
 +<code bash>
 # This file controls the state of SELinux on the system. # This file controls the state of SELinux on the system.
 # SELINUX= can take one of these three values: # SELINUX= can take one of these three values:
Строка 76: Строка 78:
 # strict - Full SELinux protection. # strict - Full SELinux protection.
 SELINUXTYPE=targeted SELINUXTYPE=targeted
 +</code>
 ... and then reboot the system. ... and then reboot the system.
-For the other Linuxes which don't have the /etc/selinux/config file, you just need to edit the kernel boot line, usually in /boot/grub/grub.conf, if you're using the GRUB boot loader. On the kernel line, add selinux=0 at the end. For example, +For the other Linuxes which don't have the **/etc/selinux/config** file, you just need to edit the kernel boot line, usually in **/boot/grub/grub.conf**, if you're using the GRUB boot loader. On the kernel line, add **selinux=0** at the end. For example,
  
 +<code bash>
 title SE-Linux Test System title SE-Linux Test System
         root (hd0,0)         root (hd0,0)
         kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0         kernel /boot/vmlinuz-2.4.20-selinux-2003040709 ro root=/dev/hda1 nousb selinux=0
         #initrd /boot/initrd-2.4.20-selinux-2003040709.img         #initrd /boot/initrd-2.4.20-selinux-2003040709.img
 +</code>
 You will have to reboot to disable SELinux, you just can't do it while the system is running.  You will have to reboot to disable SELinux, you just can't do it while the system is running. 
 ===== Re-Enabling SELinux ===== ===== Re-Enabling SELinux =====
  
 If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly. If you've disabled SELinux as in the section above, and you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.
-What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot into permissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.+What you need to do is to enable SELinux by editing **/etc/selinux/config** (for Fedora/RedHat) or by adding **selinux=1** to the kernel boot line, then boot into **permissive** mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.
  
 After booting into permissive mode, run After booting into permissive mode, run
-fixfiles relabel+<code bash>fixfiles relabel</code>
 Alternatively, in Fedora and RedHat Enterprise Linux you can run Alternatively, in Fedora and RedHat Enterprise Linux you can run
-touch /.autorelabel+<code bash>touch /.autorelabel</code>
 and reboot or put and reboot or put
-autorelabel+<code bash>autorelabel</code>
 on the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files. on the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files.
  
 After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.  After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again. 
linux/selinux.1318241674.txt.gz · Последнее изменение: 2011/10/10 14:14 — linko22@gmail.com

Инструменты страницы

Если не указано иное, содержимое этой вики предоставляется на условиях следующей лицензии: CC Attribution-Noncommercial-Share Alike 4.0 International
CC Attribution-Noncommercial-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki