mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-24 13:32:42 +00:00
Update modules/ROOT/pages/_partials/ref_changing-selinux-modes-at-boot-time.adoc
parent
4e2d4e811f
commit
8769ebf804
1 changed files with 6 additions and 4 deletions
|
@ -7,7 +7,9 @@
|
|||
|
||||
On boot, you can set several kernel parameters to change the way SELinux runs:
|
||||
|
||||
enforcing=0:: Setting this parameter causes the machine to boot in permissive mode, which is useful when troubleshooting issues. Using permissive mode might be the only option to detect a problem if your file system is too corrupted. Moreover, in permissive mode the system continues to create the labels correctly. The AVC messages that are created in this mode can be different than in enforcing mode. In permissive mode, only the first denial is reported. However, in enforcing mode you might get a denial on reading a directory and an application stops. In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial in addition.
|
||||
enforcing=0:: Setting this parameter causes the system to start in permissive mode, which is useful when troubleshooting issues. Using permissive mode might be the only option to detect a problem if your file system is too corrupted. Moreover, in permissive mode, the system continues to create the labels correctly. The AVC messages that are created in this mode can be different than in enforcing mode.
|
||||
+
|
||||
In permissive mode, only the first denial from a series of the same denials is reported. However, in enforcing mode, you might get a denial related to reading a directory, and an application stops. In permissive mode, you get the same AVC message, but the application continues reading files in the directory and you get an AVC for each denial in addition.
|
||||
|
||||
selinux=0:: This parameter causes the kernel to not load any part of the SELinux infrastructure. The init scripts notice that the system booted with the [option]`selinux=0` parameter and touch the `/.autorelabel` file. This causes the system to automatically relabel the next time you boot with SELinux enabled.
|
||||
+
|
||||
|
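Review bot: In the new continuation paragraph under enforcing=0, the first and last sentences still read as contradicting each other: "only the first denial from a series of the same denials is reported" is followed by "you get an AVC for each denial in addition", and the "However" introduces the enforcing-mode case as if it contrasted with the suppression of repeated denials. Suggest putting the enforcing-mode behaviour first (the application stops at the first denial), then the permissive-mode behaviour (the application continues, so further denials are logged, with repeats of the same denial reported only once), if that is the intended meaning. Two smaller points in the first paragraph: "if your file system is too corrupted" does not say what is corrupted, so if it refers to labeling, say so; and "different than in enforcing mode" reads better as "different from those in enforcing mode".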
@ -19,11 +21,11 @@ Using the [option]`selinux=0` parameter is not recommended. To debug your system
|
|||
autorelabel=1:: This parameter forces the system to relabel similarly to the following commands:
|
||||
+
|
||||
----
|
||||
~]# touch /.autorelabel
|
||||
~]# reboot
|
||||
# touch /.autorelabel
|
||||
# reboot
|
||||
----
|
||||
+
|
||||
If the system labeling contains a large amount of errors, you might need to boot in permissive mode in order that the autorelabel succeeds.
|
||||
If a file system contains a large amount of mislabeled objects, start the system in permissive mode to make the autorelabel process successful.
|
||||
|
||||
For additional SELinux-related kernel boot parameters, such as [option]`checkreqprot`, see the `kernel-parameters.txt` file. This file is available in the source package of your Linux kernel (.src.rpm). To download the source package containing the currently used kernel:
|
||||
----
|
||||
|
|
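Review bot: The rewritten sentence after the listing, "start the system in permissive mode to make the autorelabel process successful", does not tell the reader how to do that, although the enforcing=0 parameter is described earlier in the same file; suggest naming it, for example "start the system with the [option]`enforcing=0` parameter so that the relabel can complete". The rewrite also drops the "you might need to" of the old wording, which turns a conditional hint into an unconditional instruction; keep the condition if permissive mode is only needed when the relabel would otherwise fail. Style: "a large amount of mislabeled objects" should be "a large number of mislabeled objects", since objects are countable.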