On 11/05/2013 05:13 PM, Wes James wrote:
When does echo 0 > /selinux/enforce need to be used? I.e., where is selinux enforcing itself on the system to protect it? When I do yum install of some package, it seems to work (not being blocked). When would doing something not work because selinux is watching it (or whatever that process is doing)?
-wes
First you should use setenforce 0/setenforce 1.
Theoretically never. It should really be discouraged. It is like the Enterprise bringing its "Shields" down.
SELinux in permissive mode will continue to do access checks, but it just logs them and does not block access.
SELinux blocks "confined" processes, but usually does not block the administrator who is running as unconfined_t, and is allowed to do everything he could do if SELinux was disabled.
Confined processes are targeted to system services. Stuff that is started at boot versus processes started by a logged-in user.
I blog on the topic a lot at danwalsh.livejournal.com.
BTW, when do I need to setenforce 0?
SELinux is a labeling system; if your labels get screwed up, you might need to setenforce 0 to get the system to run. Commands like restorecon/fixfiles can be used to restore the labels on your system to the default.
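Added example, not part of the original message: a small Python parser for SELinux AVC denial records that shows what "permissive mode still checks and logs" looks like in the audit log, and which denials point at a labeling problem. The log lines are constructed samples; the `permissive=` field only appears on newer kernels, and treating `default_t`, `file_t` and `unlabeled_t` targets as relabel candidates is a heuristic assumed here.

```python
import re
from collections import Counter

# Constructed sample audit records (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1383696000.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1383696005.412:202): avc:  denied  { write } for  pid=2101 comm="httpd" name="upload" dev="dm-0" ino=1399 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1383696005.412:202): arch=c000003e syscall=2 success=yes exit=3
type=AVC msg=audit(1383696010.007:203): avc:  denied  { getattr } for  pid=2230 comm="smbd" path="/srv/share" dev="dm-0" ino=1502 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

# Assumed heuristic: these target types usually mean the file has no proper
# label, which is the case restorecon/fixfiles is meant to repair.
RELABEL_TYPES = {"default_t", "file_t", "unlabeled_t"}

# permissive=0: access was blocked; permissive=1: checked and logged only.
OUTCOME = {"0": "blocked", "1": "logged-only", None: "unknown"}


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # An SELinux context is user:role:type:level; the type drives enforcement.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    rec["outcome"] = OUTCOME[rec["permissive"]]
    rec["relabel_candidate"] = rec["target_type"] in RELABEL_TYPES
    return rec


def summarize(log_text):
    """Parse all AVC denials and count them per (confined domain, outcome)."""
    records = [r for r in map(parse_avc, log_text.splitlines()) if r]
    return records, Counter((r["source_type"], r["outcome"]) for r in records)


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG)[0]:
        print(r["comm"], r["source_type"], r["perms"], "->", r["target_type"],
              r["outcome"], "(check labels)" if r["relabel_candidate"] else "")
```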