From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: Subject: [gentoo-commits] proj/hardened-docs:master commit in: xml/selinux/ X-VCS-Repository: proj/hardened-docs X-VCS-Files: xml/selinux/hb-using-states.xml X-VCS-Directories: xml/selinux/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: baca22a640bda143c6f0779866786742aaf73c86 Date: Sat, 15 Oct 2011 15:54:37 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 26762871ccaa4136104dacd9254b1498 commit: baca22a640bda143c6f0779866786742aaf73c86 Author: Sven Vermeulen siphos be> AuthorDate: Sat Oct 15 15:54:23 2011 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 15 15:54:23 2011 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-docs= .git;a=3Dcommit;h=3Dbaca22a6 Updates on states, add information on switching between policytypes --- xml/selinux/hb-using-states.xml | 36 +++++++++++++++++++++++++++++++++= +++ 1 files changed, 36 insertions(+), 0 deletions(-) diff --git a/xml/selinux/hb-using-states.xml b/xml/selinux/hb-using-state= s.xml index 63d3f52..8702550 100644 --- a/xml/selinux/hb-using-states.xml +++ b/xml/selinux/hb-using-states.xml @@ -285,6 +285,42 @@ level can access it. =20 + +Switching Types + + +

+It is not recommended to switch between types often. At best, you choose= your +policy type at install type and stick with it. But it is not impossible = (nor +that hard) to switch between types. +

+ +

+First, you need to edit /etc/selinux/config so that it both +switches the policy type as well as put the mode in permissive. T= his is +necessary, since at your next reboot, many labels might (or will) be inc= orrect. +

+ +

+Next, edit /etc/fstab and make sure that the domains you us= e there +are updated accordingly. For instance, the line for /tmp: +

+ +
+# Example when switching from strict to mcs
+tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,rootcontext=3Dsystem_u:object=
_r:tmp_t:c0  0 0
+
+ +

+When this is done, reboot your system. Log on as root, and relabel your = entire +file system using rlpkg -a -r. Finally, reboot again and then val= idate if +your context (such as when logged on as a user) is correct again. Once y= ou are +confident that the domains and contexts are correct, switch the SELinux = policy +mode back to "enforcing". +

+ + +
=20
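Review bot: The first step of the new "Switching Types" section says to edit /etc/selinux/config to change the policy type and set permissive mode, but it never names the settings to change. The closing paragraph then says to switch the mode back to "enforcing" without saying whether that is done in the same file or only at runtime. Suggest naming the SELINUXTYPE and SELINUX variables in the first step, and stating in the last paragraph that the config file has to be edited again so that enforcing mode persists across the next reboot. Two smaller wording points: "at install type" in the introduction should read "at install time", and the /etc/fstab paragraph refers to "domains" where the example line changes a file context (the rootcontext mount option), so "contexts" would be the accurate term.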