Re: 'setsebool -P' works but throws errors; changes not permanent
Posted: 2018/06/18 18:52:26
by TrevorH
That's a Fedora bug report and fix.
I'd recommend that you use the selinux mailing list to ask the experts. We could play around and try different things but I suspect the guys on that list have sufficient knowledge so they'll know exactly where to look.
Re: 'setsebool -P' works but throws errors; changes not permanent
Posted: 2018/06/19 17:47:38
by neutronsnowball
Thanks for the guidance TrevorH. I received good suggestions there. The solution was dirt simple:
Code:
yum reinstall selinux-policy-targeted
After this I was able to set the Boolean without errors and show that it has set the default value correctly:
Code:
[Cent-7:root@my_server ~]# getsebool authlogin_yubikey
authlogin_yubikey --> off
[Cent-7:root@my_server ~]# setsebool -P authlogin_yubikey on
[Cent-7:root@my_server ~]# semanage boolean -l | grep "authlogin_yubikey"
authlogin_yubikey (on , on) Allow authlogin to yubikey
Other tips provided from the mailing list include:
- Verify it has gpio_device_t defined:
Code:
$ seinfo -t | grep gpio_device_t
gpio_device_t
- Verify this type is used in file_contexts:
Code:
# semanage fcontext -l | grep gpio_device_t
/dev/gpiochip[0-9]+ character device system_u:object_r:gpio_device_t:s0
If reinstalling selinux-policy-targeted didn't work, the suggestion was to 'move the old policy out and rebuild', which would be accomplished by:
Code:
# semanage export -f exports
# mv /etc/selinux/targeted/active /etc/selinux/targeted/active.old
# yum reinstall selinux-policy-targeted
- Examine the resulting exports file and then re-import:
Code:
# cat exports
# semanage import -f exports
- If problems persisted, move the entire policy tree instead of just the active branch:
Code:
# mv /etc/selinux/targeted /etc/selinux/targeted.old
# yum reinstall selinux-policy-targeted
- Then re-import as desired. A word of caution regarding the above is that local policy modules will be removed as well. Be sure to have them on-hand for re-activation.
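
A check for the symptom in this thread's title, as an added example that is not part of any post above: it reads `semanage boolean -l` output, whose two parenthesised values are the running state and the persisted default, and reports booleans where the two differ. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input is the text printed by
# `semanage boolean -l`:  name (state , default) description

# Print "name state default" for every boolean whose running state
# differs from the persisted default (i.e. a change made without -P,
# or a -P commit that did not reach the policy store).
sebool_drift() {
    awk '
        match($0, /\((on|off)[ \t]*,[ \t]*(on|off)\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)  # text inside ( )
            gsub(/[ \t]/, "", pair)                     # e.g. "on,off"
            split(pair, v, ",")
            if (v[1] != v[2]) print $1, v[1], v[2]
        }'
}

# Exit 0 only if boolean $1 has both state and default equal to $2.
sebool_is_persistent() {
    awk -v name="$1" -v want="$2" '
        $1 == name && match($0, /\((on|off)[ \t]*,[ \t]*(on|off)\)/) {
            pair = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/[ \t]/, "", pair)
            ok = (pair == (want "," want))
        }
        END { exit(ok ? 0 : 1) }'
}

# Constructed sample listing (values invented for the demonstration).
sample_listing() {
    cat <<'EOF'
SELinux boolean                State  Default Description

authlogin_yubikey              (on   ,   on)  Allow authlogin to yubikey
httpd_can_network_connect      (on   ,  off)  Allow httpd to can network connect
ftpd_full_access               (off  ,  off)  Allow ftpd to full access
EOF
}

sample_listing | sebool_drift          # demo on the constructed sample
# On a live host: semanage boolean -l | sebool_drift
```

Running the same check before and after a policy-store rebuild shows whether the re-imported booleans were committed as defaults.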