CentOS 7 Selinux


If I make a change to /etc/sysconfig/selinux do I have to restart anything for the change to take effect?

4 thoughts on - CentOS 7 Selinux

  • Isn’t the correct answer “yes” for every single file under that directory?

    If it were otherwise, you’d have services continually restarting to look for updated settings. Then because of all the resulting inadvertent lock-outs and other failures, you’d have big block comments at the top of those files telling you not to save the file until you’re sure you want those settings applied immediately.

    If you’re trying to entirely disable SELinux with this change, you’ll have to reboot. If you’re changing between enforcing and permissive, there are commands for that:

    https://unix.stackexchange.com/questions/148890/how-to-disable-selinux-without-restart

  • Hi Larry,

    It depends.

    If you are changing the SELinux mode from ‘enforcing’ to ‘permissive’ and vice versa, you can make that change active in the running system by issuing the ‘setenforce 1’ or ‘setenforce 0’ command, respectively.

    If you want to go to or from ‘disabled’ or change the SELinux policy you’ll need to reboot to activate the change.

    Regards,

    Peter.

  • You say that, but NetworkManager’s default setting used to be to monitor the files in /etc/sysconfig/network-scripts/ and restart the network interfaces when you changed the ifcfg-* files. Thankfully, now you need to set ‘monitor-connection-files=true’ in the NetworkManager.conf to get that ‘feature’.

    Many times I’d change an IP in the file with vi and save out of muscle memory before I realized what I’d done.


    Jonathan Billings
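
Added example, not part of the thread: a shell function that applies the rule from the replies above (switch between enforcing and permissive at runtime, reboot when going to or from disabled or when the policy changes). It takes the running mode and loaded policy name as arguments and the config text on stdin; the function names and the sample config are constructed for illustration.

```shell
# Added example (not from the thread): what does it take to make the running
# SELinux state match the config file?

# Print the value of KEY from config text on stdin (last uncommented
# assignment wins), lowercased.
conf_value() {
    sed -n "s/^[[:space:]]*$1=[[:space:]]*\([A-Za-z]*\).*/\1/p" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# selinux_action RUNNING_MODE RUNNING_POLICY   (config text on stdin)
#   RUNNING_MODE:   what getenforce prints (Enforcing/Permissive/Disabled)
#   RUNNING_POLICY: the "Loaded policy name" reported by sestatus
# Prints one of: none | setenforce 0 | setenforce 1 | reboot
selinux_action() {
    conf=$(cat)
    want_mode=$(printf '%s\n' "$conf" | conf_value SELINUX)
    want_type=$(printf '%s\n' "$conf" | conf_value SELINUXTYPE)
    run_mode=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    run_type=$2
    case $want_mode in
        enforcing|permissive|disabled) ;;
        *) echo "error: missing or invalid SELINUX= value" >&2; return 2 ;;
    esac
    # Disabled on both sides: no policy is loaded, nothing to do.
    if [ "$want_mode" = disabled ] && [ "$run_mode" = disabled ]; then
        echo none; return 0
    fi
    # Going to or from disabled needs a reboot.
    if [ "$want_mode" = disabled ] || [ "$run_mode" = disabled ]; then
        echo reboot; return 0
    fi
    # A different policy needs a reboot too.
    if [ -n "$want_type" ] && [ "$want_type" != "$run_type" ]; then
        echo reboot; return 0
    fi
    # Only enforcing/permissive differs: that can be switched at runtime.
    if [ "$want_mode" = "$run_mode" ]; then echo none
    elif [ "$want_mode" = enforcing ]; then echo "setenforce 1"
    else echo "setenforce 0"
    fi
}

# Constructed sample config, laid out like /etc/sysconfig/selinux.
SAMPLE_CONF='# SELINUX= can take one of these three values:
SELINUX=permissive
SELINUXTYPE=targeted'
printf '%s\n' "$SAMPLE_CONF" | selinux_action Enforcing targeted   # setenforce 0
```

On a real host the two arguments would come from `getenforce` and `sestatus`, with the config file itself fed to stdin.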