Help with messed up F11 SELinux

Steve Blackwell zephod at cfl.rr.com
Sun Apr 25 14:39:50 UTC 2010


On Sun, 25 Apr 2010 11:04:31 +0200
Dominick Grift <domg472 at gmail.com> wrote:

> On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
...
> > My logwatch report gives me 20 or 30 lines of :
> > 
> > NULL security context for user, but SELinux in permissive mode, continuing ()
> > 
> > in the cron section. Then I looked in /var/log/dmesg and I see this
> > line:
> > 
> > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
> > 
> > System->Administration->SELinux Management, select SELinux User,
> > shows 8 SELinux users: 
...
> > 
> > OK, that looks good but when, as root, I run:
> > 
> > # semanage login -l
> > 
> > Login Name             SELinux User           MLS/MCS Range
> > 
> > __default__            unconfined_u           s0-s0:c0.c1023
> > root                   unconfined_u           s0-s0:c0.c1023
> > system_u               system_u               s0-s0:c0.c1023
> > 
> > hmmm... only 3 users. Is this a problem or is it telling me that
> > only 3 SELinux users are currently in use (i.e. assigned to any Linux
> > user) because I'm running in permissive mode?
> 
> This should not be a problem because new users get mapped under
> __default__ by default, which is mapped to unconfined_u selinux user.
> 
> > 
> > How can I find out which user has a "NULL security context"?
> 
> Good question, my gut feeling tells me it is unconfined_u but I am not
> sure.
> 
> If there is no bug in Fedora 11 selinux policy then you could
> consider reinstalling the policy. 
> 
> The procedure for reinstalling policy is as follows.
> 
> 1. setenforce 0 (put selinux in permissive mode)
> 2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
> 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux policy config)
> 4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
> 5. fixfiles restore (restore contexts)
> 6. reboot

I tried this procedure and at step 2 I also had to remove
policycoreutils-gui and setroubleshoot because of dependencies and then
reinstall them at step 4.
Step 5 started and bailed out with these errors:

#  fixfiles restore
********************/sbin/setfiles:  unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles:  error while labeling /:  Permission denied
/sbin/setfiles:  error while labeling /boot:  Permission denied
/sbin/setfiles:  error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied

The /media/... is an external USB harddrive that I use for backups.

Can I ignore these errors or do they need to be resolved?

Thanks,
Steve
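
Added example, not part of the original thread: a small shell function that resolves a Linux login to its SELinux user from `semanage login -l` output, falling back to the `__default__` row as described in the quoted reply. The function name and the sample variable are hypothetical; it assumes the three-column table layout shown above and matches exact login rows only.

```shell
#!/bin/sh
# Constructed sample: the `semanage login -l` table quoted in the message above.
SAMPLE_LOGINS='
Login Name             SELinux User           MLS/MCS Range

__default__            unconfined_u           s0-s0:c0.c1023
root                   unconfined_u           s0-s0:c0.c1023
system_u               system_u               s0-s0:c0.c1023
'

# selinux_user_for LOGIN  (hypothetical helper)
# Reads a `semanage login -l` table on stdin and prints "SELINUX_USER RANGE"
# for LOGIN. A login with no row of its own gets the __default__ mapping.
# Returns non-zero if neither a matching row nor __default__ is present.
selinux_user_for() {
    awk -v login="$1" '
        NF != 3             { next }              # blank lines and the header
        $1 == login         { hit  = $2 " " $3 }  # explicit login mapping
        $1 == "__default__" { dflt = $2 " " $3 }  # fallback mapping
        END {
            if (hit != "")       print hit
            else if (dflt != "") print dflt
            else                 exit 1
        }'
}

# Demo on the constructed sample: "steve" has no row, so __default__ applies.
printf '%s\n' "$SAMPLE_LOGINS" | selinux_user_for steve

# On a live system (as root): semanage login -l | selinux_user_for steve
```

The table lists login mappings only, so its three rows are a different thing from the 8 SELinux users the loaded policy defines.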

