Next: 7 Simplified Policy basics
Up: SELinux Policy Editor(seedit) Administration
Previous: 5 Then, what should
Contents
6 Unconfine applications
You can unconfine an application in two ways: by turning on a boolean, or by removing the domain's configuration file.
6.1 GUI
You can do this from the GUI. Select Manage Domain; the seedit
Domain/Role Manager window opens. Then select the Delete Domain tab.
Figure 5: Unconfine application
The easiest way to unconfine an application is to disable its domain temporarily:
- Select the domain you want to disable
- Select the Temporarily radio button
- Press the Apply button
For example, Apache is confined by the httpd_t domain and you want to
unconfine it. Select httpd_t and press the Apply button.
Restart Apache and check its domain in the Status GUI: Unconfined(initrc_t) is shown as the domain.
To confine it again, select the domain from Enable temporarily disabled
domain and press the Apply button.
Behind the scenes this uses an SELinux boolean; the command-line section below
shows the details.
The other way to unconfine an application is to remove the configuration file for
its domain. The procedure is as follows:
- Select the domain you want to disable
- Select the Permanently radio button
- Press the Apply button
The GUI moves the domain's configuration file into /etc/seedit/policy/extras. To confine the application again, you have to move it back by hand:
- cd /etc/seedit/policy
- mv /etc/seedit/policy/extras/<domain name>.sp
/etc/seedit/policy/<domain name>.sp
- seedit-load
Because the removed domain's rules are no longer compiled in, the generated policy is smaller than with the boolean method.
You can also do this from the command line.
If you know the SELinux boolean, it is very easy.
For example, if the confined domain is httpd_t, turn on the
httpd_disable_trans boolean and restart the daemon. The -P option makes the
setting persistent, so it survives a reboot.
Example:
# setsebool -P httpd_disable_trans 1
# /etc/init.d/httpd restart
# seedit-unconfined -e
Current SELinux mode: enforcing
PID Comm Domain
1111 httpd Unconfined(initrc_t)
You can confine the application again by turning the boolean off.
Example:
# setsebool -P httpd_disable_trans 0
# /etc/init.d/httpd restart
# seedit-unconfined -e
Current SELinux mode: enforcing
PID Comm Domain
1111 httpd Confined by httpd_t domain
The configuration file for a domain is located at
/etc/seedit/policy/<domain name>.sp.
If you move it out of that directory, reload the policy and restart the application, the application runs unconfined.
See the example below.
Example:
# cd /etc/seedit/policy
# mkdir unused
# mv httpd_t.sp unused
# seedit-load
# /etc/init.d/httpd restart
# seedit-unconfined -e
Current SELinux mode: enforcing
PID Comm Domain
1111 httpd Unconfined(initrc_t)
To confine the application again, put the configuration file back in the /etc/seedit/policy directory, reload the policy and restart the application.
Example:
# cd /etc/seedit/policy
# mv unused/httpd_t.sp .
# seedit-load
# /etc/init.d/httpd restart
# seedit-unconfined -e
...
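The following script is an added example and is not part of the seedit manual. It wraps the two command-line procedures above (the disable_trans boolean and moving the .sp file) in shell functions, and adds the check a practitioner wants afterwards: a filter over the output of seedit-unconfined -e that lists every process still running unconfined, so a domain that was only meant to be disabled temporarily does not stay that way unnoticed. Assumptions not stated on the page: every domain X_t has a boolean named X_disable_trans (the page only shows httpd_t/httpd_disable_trans), services are restarted through /etc/init.d/<service>, and DRY_RUN, POLICY_DIR and the sample output are this script's own constructs.

```shell
#!/bin/sh
# Added example, not seedit's own code. Assumed naming rule: domain X_t has
# boolean X_disable_trans (the page shows only httpd_t/httpd_disable_trans).

POLICY_DIR="${POLICY_DIR:-/etc/seedit/policy}"
UNUSED_DIR="$POLICY_DIR/unused"

# Map a domain such as httpd_t to its disable_trans boolean (assumed rule).
disable_trans_bool() {
    case "$1" in
        *_t) printf '%s_disable_trans\n' "${1%_t}" ;;
        *)   echo "not a domain name: $1" >&2; return 1 ;;
    esac
}

# Execute a command, or only print it when DRY_RUN is set (this script's own
# switch), so the procedures can be rehearsed on a box without seedit.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# Method 1: set the domain's disable_trans boolean, then restart the service.
# -P writes the boolean persistently, so the choice survives a reboot.
set_confinement_by_boolean() {   # usage: set_confinement_by_boolean httpd_t httpd on|off
    b=$(disable_trans_bool "$1") || return 1
    case "$3" in
        off) v=1 ;;   # off = unconfine: disable the transition into the domain
        on)  v=0 ;;
        *)   echo "usage: set_confinement_by_boolean DOMAIN SERVICE on|off" >&2; return 1 ;;
    esac
    run setsebool -P "$b" "$v" && run "/etc/init.d/$2" restart
}

# Method 2: move the domain's .sp file out of the policy directory (or back),
# regenerate and load the policy, then restart the service.
unconfine_by_config() {          # usage: unconfine_by_config httpd_t httpd
    run mkdir -p "$UNUSED_DIR" &&
    run mv "$POLICY_DIR/$1.sp" "$UNUSED_DIR/$1.sp" &&
    run seedit-load &&
    run "/etc/init.d/$2" restart
}
reconfine_by_config() {          # usage: reconfine_by_config httpd_t httpd
    run mv "$UNUSED_DIR/$1.sp" "$POLICY_DIR/$1.sp" &&
    run seedit-load &&
    run "/etc/init.d/$2" restart
}

# Check: read "seedit-unconfined -e" output on stdin and print PID and
# command of every process whose domain column starts with "Unconfined".
list_unconfined() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /^Unconfined/ { print $1, $2 }'
}

# Constructed sample of seedit-unconfined -e output (two daemons, one unconfined).
SAMPLE_OUTPUT='Current SELinux mode: enforcing
PID Comm Domain
1111 httpd Unconfined(initrc_t)
1222 named Confined by named_t domain'

# Stand-alone demo: rehearse both methods in dry-run mode, then run the check.
(
    DRY_RUN=1
    set_confinement_by_boolean httpd_t httpd off
    set_confinement_by_boolean httpd_t httpd on
    unconfine_by_config httpd_t httpd
    reconfine_by_config httpd_t httpd
)
printf '%s\n' "$SAMPLE_OUTPUT" | list_unconfined
```

On a real seedit host run the check as `seedit-unconfined -e | list_unconfined` after each restart; an empty result means nothing is running as Unconfined(initrc_t). Leave DRY_RUN unset to actually execute setsebool, the mv and seedit-load.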
2006-07-05