From Fedora Project Wiki



Revision as of 08:56, 12 December 2008

> I have a problem that how to specify selinux=permissive at grub
> prompt, when /etc/sysconfig/selinux=enforcing?

Selinux related Kernel Parameters..

autorelabel=1 # Forces system to relabel

enforcing=0 #Sets selinux to Permissive (log only, no denials).

Yuan the above is what you want selinux=permissive does not exist..

enforcing=1 # Sets selinux to Enforcing (deny and log).

selinux=0 # THIS IS NOT SAME AS ENFORCING this will cause the kernel to not load any of the selinux infrastructure hence files that are created at boot time will not get a label and are marked as file_t ( Unlabeled file).

After booting with selinux=0 make sure that you do "touch /.autorelabel" ( This should be done by default but hey this is rawhide we are talking about :) ) or better yet do "echo 0 > /selinux/enforce && fixfiles relabel " or on next reboot pass the "enforcing=0 autorelabel=1" to the kernel.

( That is if you are gonna run selinux in either permissive or enforcing mode )

selinux=1 # Turns the selinux infrastructure on ( Default )...

selinux_compat_net=0 # Sets selinux to use new secmark-based packet controls ( default )

selinux_compat_net=1 # Sets selinux to use legacy packet controls

If you wanna change the value of selinux at runtime do....

echo 0 > /selinux/enforce # Sets selinux in permissive mode

echo 1 > /selinux/enforce #Sets selinux to enforce again..

For compat_net do..

echo 0 > /selinux/compat_net # secmark-based packet controls

echo 1 > /selinux/compat_net # legacy packet controls

To get the status of selinux use "getenforce"

To permanently change the status of selinux either edit /etc/selinux/config manually ( disabled,permissive,enabled ) or use setenforce=0 ( permissive ) or setenforce=1 (enabled ) or set kernel parameters to grub.conf

Best regards Johann B.
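
An added example, not part of the original message: a shell function that reads a kernel command line (for instance a grub.conf kernel line) and reports what the parameters listed above mean for SELinux at boot. The function name, output words and sample lines are constructed for this illustration; when a parameter is repeated the last occurrence is used, which is an assumption.

```shell
#!/bin/sh
# classify_cmdline "<kernel command line>"   (hypothetical helper name)
# Prints one of: disabled | permissive | enforcing | default
# then " relabel" if autorelabel=1 is present, and " invalid:<token>" for
# selinux=/enforcing= values other than 0 or 1 (e.g. selinux=permissive).
classify_cmdline() {
    state=default; mode=; relabel=; bad=
    set -f                                  # no glob expansion while splitting
    for tok in $1; do
        case "$tok" in
            selinux=0)     state=off ;;
            selinux=1)     state=on ;;
            enforcing=0)   mode=permissive ;;
            enforcing=1)   mode=enforcing ;;
            autorelabel=1) relabel=" relabel" ;;
            selinux=*|enforcing=*) bad="$bad invalid:$tok" ;;
        esac
    done
    set +f
    if [ "$state" = off ]; then
        result=disabled      # selinux=0: infrastructure not loaded, enforcing= is moot
    elif [ -n "$mode" ]; then
        result=$mode         # enforcing=0 / enforcing=1 given at the boot prompt
    else
        result=default       # no boot override; mode comes from /etc/selinux/config
    fi
    printf '%s%s%s\n' "$result" "$relabel" "$bad"
}

# Constructed sample kernel lines, not taken from a real system.
samples='ro root=/dev/sda1 rhgb quiet
ro root=/dev/sda1 enforcing=0 autorelabel=1
ro root=/dev/sda1 selinux=0
ro root=/dev/sda1 selinux=permissive'

printf '%s\n' "$samples" | while IFS= read -r line; do
    printf '%-36s <- %s\n' "$(classify_cmdline "$line")" "$line"
done
```

Running it against each kernel line of a boot configuration shows which entries start the system with SELinux disabled or permissive, and which carry a value the kernel does not recognise.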