'setsebool -P' works but throws errors; changes not permanent

Support for security such as Firewalls and securing linux
TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by TrevorH » 2018/06/18 18:52:26

That's a Fedora bug report and fix.

I'd recommend that you use the selinux mailing list to ask the experts. We could play around and try different things but I suspect the guys on that list have sufficient knowledge so they'll know exactly where to look.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

neutronsnowball
Posts: 16
Joined: 2016/10/27 18:09:29

Re: 'setsebool -P' works but throws errors; changes not permanent

Post by neutronsnowball » 2018/06/19 17:47:38

Thanks for the guidance TrevorH. I received good suggestions there. The solution was dirt simple:

Code:

yum reinstall selinux-policy-targeted

After this I was able to set the Boolean without errors and show that it has set the default value correctly:

Code:

[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> off
[Cent-7:root@my_server ~]# setsebool -P authlogin_yubikey on
[Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
authlogin_yubikey              (on   ,   on)  Allow authlogin to yubikey

Other tips provided from the mailing list include:
  1. Verify it has gpio_device_t defined:

    Code:

    $ seinfo -t | grep gpio_device_t
    gpio_device_t
  2. Verify this type is used in file_contexts:

    Code:

    # semanage fcontext -l | grep gpio_device_t
    /dev/gpiochip[0-9]+	character device	system_u:object_r:gpio_device_t:s0

If reinstalling selinux-policy-targeted didn't work, the suggestion was to 'move the old policy out and rebuild', which would be accomplished by:
  1. Code:

    # semanage export -f exports
    # mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
    # yum reinstall selinux-policy-targeted
  2. Examine the resulting exports file and then re-import:

    Code:

    # cat exports
    # semanage import -f exports
    1. If problems persisted, move the entire policy tree instead of just the active branch:

      Code:

      # mv /etc/selinux/targeted /etc/selinux/targeted.old
      # yum reinstall selinux-policy-targeted
    2. Then re-import as desired. A word of caution regarding the above is that local policy modules will be removed as well. Be sure to have them on-hand for re-activation.

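The persistence check done by eye above with `semanage boolean -l`, as an added example that is not part of the original thread: it parses the `(current , default)` pair and reports whether a boolean is set only at runtime or also in the stored policy. The function names `bool_state` and `check_bool` are hypothetical, and the sample listing is constructed (only the `authlogin_yubikey` line matches the thread's output).

```shell
#!/bin/sh
# Added example: parse `semanage boolean -l` output from stdin.
# Line format: name (current , default) description

# Print "<current> <default>" for boolean $1; exit 1 if it is not listed.
bool_state() {
    awk -v name="$1" '
        $1 == name {
            # Isolate the text between the first "(" and the first ")".
            s = substr($0, index($0, "(") + 1)
            s = substr(s, 1, index(s, ")") - 1)
            gsub(/[ \t]/, "", s)      # "on   ,   on" -> "on,on"
            split(s, v, ",")
            print v[1], v[2]
            found = 1
            exit
        }
        END { exit !found }
    '
}

# Classify boolean $1 against the wanted value $2 (on|off).
# Prints: persistent | runtime-only | default-only | unset | missing
check_bool() {
    state=$(bool_state "$1") || { echo missing; return 2; }
    cur=${state% *}; def=${state#* }
    if   [ "$cur" = "$2" ] && [ "$def" = "$2" ]; then echo persistent
    elif [ "$cur" = "$2" ]; then echo runtime-only; return 1
    elif [ "$def" = "$2" ]; then echo default-only; return 1
    else echo unset; return 1
    fi
}

# Constructed sample listing (values are illustrative, not from a real host).
SAMPLE='SELinux boolean                State  Default Description

authlogin_yubikey              (on   ,   on)  Allow authlogin to yubikey
authlogin_nsswitch_use_ldap    (on   ,  off)  Allow authlogin to nsswitch use ldap'

printf '%s\n' "$SAMPLE" | check_bool authlogin_yubikey on
printf '%s\n' "$SAMPLE" | check_bool authlogin_nsswitch_use_ldap on || true
```

On a live system the same check would be `semanage boolean -l | check_bool authlogin_yubikey on`; a `runtime-only` result means the `-P` write did not reach the stored policy.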