In setting up my new CentOS 6 laptop, I replaced /etc/sysconfig/iptables with my own, very restrictive version. I then tried to restart the iptables daemon, but it reported that my new iptables was unreadable. On a guess, I disabled selinux, and my problem was solved. Later, I re-enabled selinux and on reboot, it had to go through a very long setup procedure.
Is there something better I could have done when replacing iptables, so that I would not have to disable selinux?
Thanks for your help. Mike.
On 08/30/2011 03:08 PM, Michael D. Berger wrote:
> In setting up my new CentOS 6 laptop, I replaced /etc/sysconfig/iptables with my own, very restrictive version. I then tried to restart the iptables daemon, but it reported that my new iptables was unreadable. On a guess, I disabled selinux, and my problem was solved. Later, I re-enabled selinux and on reboot, it had to go through a very long setup procedure.
> Is there something better I could have done when replacing iptables, so that I would not have to disable selinux?
> Thanks for your help. Mike.
Run restorecon on the files you changed.
restorecon -R -v /etc/sysconfig
Is all you probably needed.
Michael D. Berger wrote:
> In setting up my new CentOS 6 laptop, I replaced /etc/sysconfig/iptables with my own, very restrictive version. I then tried to restart the iptables daemon, but it reported that my new iptables was unreadable. On a guess, I disabled selinux, and my problem was solved. Later, I re-enabled selinux and on reboot, it had to go through a very long setup procedure.
> Is there something better I could have done when replacing iptables, so that I would not have to disable selinux?
ll -Z /etc/sysconfig/iptables.orig

Look at the results, then chcon or semanage to change /etc/sysconfig/iptables.michael to match.
mark "or disable selinux"
On 30/08/11 20:08, Michael D. Berger wrote:
> In setting up my new CentOS 6 laptop, I replaced /etc/sysconfig/iptables with my own, very restrictive version. I then tried to restart the iptables daemon, but it reported that my new iptables was unreadable. On a guess, I disabled selinux, and my problem was solved. Later, I re-enabled selinux and on reboot, it had to go through a very long setup procedure.
Rather than disabling, you can put SELinux in permissive mode to troubleshoot. Permissive mode will warn but still allow all actions that would otherwise be blocked in enforcing mode.
When you disable SELinux and then later re-enable it, the whole file system will need to be relabeled at boot, and this is probably what took the time on your system. Switching between permissive and enforcing modes avoids this.
On 08/30/2011 03:23 PM, Ned Slider wrote:
> On 30/08/11 20:08, Michael D. Berger wrote:
> > In setting up my new CentOS 6 laptop, I replaced /etc/sysconfig/iptables with my own, very restrictive version. I then tried to restart the iptables daemon, but it reported that my new iptables was unreadable. On a guess, I disabled selinux, and my problem was solved. Later, I re-enabled selinux and on reboot, it had to go through a very long setup procedure.
> Rather than disabling, you can put SELinux in permissive mode to troubleshoot. Permissive mode will warn but still allow all actions that would otherwise be blocked in enforcing mode.
Further to this, chcon --reference <originalfile> <newfile>, then test with selinux back in enforcing mode.
> When you disable SELinux and then later re-enable it, the whole file system will need to be relabeled at boot, and this is probably what took the time on your system. Switching between permissive and enforcing modes avoids this.
Regards,
Phil
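The advice in this thread (switch to permissive rather than disabling, relabel with restorecon or chcon --reference, then go back to enforcing) starts from reading the AVC denial behind "unreadable". The following is an added example, not code from the thread, that parses such a denial from /var/log/audit/audit.log and decides whether relabeling the file will fix it; the sample audit line is constructed, and the policy-default types in EXPECTED_TYPES (system_conf_t for /etc/sysconfig/iptables) and the admin_home_t label on the moved file are assumptions for illustration.

```python
import re

# Constructed sample AVC denial (not from the thread): what /var/log/audit/audit.log
# records when iptables-restore, confined as iptables_t, is denied read on a config
# file that kept a home-directory label after being moved into /etc/sysconfig.
SAMPLE_AVC = (
    'type=AVC msg=audit(1314731319.123:45): avc:  denied  { read } for  pid=2345 '
    'comm="iptables-restor" path="/etc/sysconfig/iptables" dev=dm-0 ino=12345 '
    'scontext=unconfined_u:system_r:iptables_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'
)

# Assumed policy-default types for illustration; on a live host take the
# expected label from `matchpathcon <path>` instead of a hard-coded table.
EXPECTED_TYPES = {
    "/etc/sysconfig/iptables": "system_conf_t",
    "/etc/sysconfig/ip6tables": "system_conf_t",
}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?path="(?P<path>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the denial's fields, with source/target SELinux types split out."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]  # e.g. iptables_t
    d["ttype"] = d["tcontext"].split(":")[2]  # e.g. admin_home_t
    return d

def triage(line, expected=EXPECTED_TYPES):
    """Classify one denial: mislabeled file (relabel it) versus a real policy gap."""
    d = parse_avc(line)
    if d is None:
        return ("not_avc", None)
    want = expected.get(d["path"])
    if want is None:
        return ("unknown_path", None)
    if d["ttype"] != want:
        # Wrong type on the file: restoring the policy default fixes the denial
        # without leaving enforcing mode (chcon --reference <orig> would do too).
        return ("mislabeled", "restorecon -v " + d["path"])
    # Label already matches policy, so relabeling will not help; explain the
    # denial with audit2why before changing anything else.
    return ("policy_gap", "ausearch -m avc | audit2why")
```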