I relabel after each policy change. If you don't, context changes reflected in the new policy files are not made.
tom
[On my system, yum/rpm seem not to be correctly labeling installed files, so I manually check and change via 'fixfiles' or 'setfiles' as appropriate. You can check by running 'fixfiles check'. This is especially tedious if updating the kernel/coreutils/selinux packages since improper labels could prevent rebooting in enforcing mode. When this happened to me, I added 'enforcing=0' to the boot line so I could relabel files in permissive mode.]
------------------------------------------------------------------------
* /From/: Richard Hally <rhally mindspring com>
* /To/: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
* /Subject/: Re: enforcing mode problems
* /Date/: Tue, 08 Jun 2004 23:05:54 -0400
------------------------------------------------------------------------
Tom London wrote:
Did you remember to do a 'fixfiles relabel' after installing the new policy files?
If not, I suggest you reboot single-user mode, and then run 'fixfiles relabel'. You probably want fixfiles to clean out /tmp, so move/copy anything you need before running it.
tom
------------------------------------------------------------------------
* /From/: Richard Hally <rhally mindspring com>
* /To/: fedora-selinux-list redhat com
* /Subject/: enforcing mode problems
* /Date/: Tue, 08 Jun 2004 22:43:44 -0400
------------------------------------------------------------------------
When running with the latest "strict" policy in enforcing mode, 'su -' does not work.
[richard new2 richard]$ su -
Password:
could not open session
Thanks for the suggestion. This system was installed over the past weekend and updated to the (then) latest strict policy. "fixfiles relabel" was run then to allow going to enforcing mode. "yum update" updated the policy today. I am wondering if "fixfiles relabel" will be necessary every time policy is updated?
Richard Hally
Tom London wrote:
I relabel after each policy change. If you don't, context changes reflected in the new policy files are not made.
tom
<snip>
Yup, boot single fixfiles relabel fixed this problem. Going thru FC2 test1,2,3 I usually remembered to do the relabeling, I guess what threw me off was the problem with yum updating the policies throwing errors. That is in another thread.
Thanks for the help
Richard Hally
On Tue, 2004-06-08 at 23:25, Tom London wrote:
[On my system, yum/rpm seem not to be correctly labeling installed files, so I manually check and change via 'fixfiles' or 'setfiles' as appropriate.
This is because rpm hasn't been updated for the new policy layout, so it cannot find the file_contexts configuration. Until it is updated, I have just created a symlink, i.e.
    ln -sf /etc/selinux/strict/contexts/files/file_contexts /etc/security/selinux/file_contexts
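Why a policy update leaves labels stale until a relabel, sketched as an added example that is not part of any message in this thread. The two file_contexts excerpts and the on-disk labels are constructed, and matching is simplified to fully anchored regexes where the last matching line wins.

```python
import re

# Constructed file_contexts excerpts (not from the thread): the same paths
# before and after a hypothetical policy update.
OLD_SPEC = """
/etc(/.*)?            system_u:object_r:etc_t
/etc/shadow     --    system_u:object_r:etc_t
/bin/su         --    system_u:object_r:bin_t
"""
NEW_SPEC = """
/etc(/.*)?            system_u:object_r:etc_t
/etc/shadow     --    system_u:object_r:shadow_t
/bin/su         --    system_u:object_r:su_exec_t
/tmp/.*               <<none>>
"""

def parse(spec):
    """Return [(regex, type_flag_or_None, context)] in file order."""
    rules = []
    for line in spec.splitlines():
        fields = line.split()
        if len(fields) not in (2, 3) or fields[0].startswith("#"):
            continue  # blank line, comment or malformed entry
        flag = fields[1] if len(fields) == 3 else None
        rules.append((re.compile(fields[0]), flag, fields[-1]))
    return rules

def expected(rules, path, ftype="--"):
    """Context the spec assigns to path; None if unmatched or <<none>>."""
    result = None
    for regex, flag, context in rules:
        if flag in (None, ftype) and regex.fullmatch(path):
            result = context  # simplification: later lines override earlier
    return None if result == "<<none>>" else result

def stale(rules, on_disk):
    """Map path -> (actual, wanted) for files a relabel would change."""
    out = {}
    for path, actual in on_disk.items():
        wanted = expected(rules, path)
        if wanted is not None and wanted != actual:
            out[path] = (actual, wanted)
    return out

# Labels as they would sit on disk after a relabel under OLD_SPEC.
ON_DISK = {p: expected(parse(OLD_SPEC), p)
           for p in ("/etc/passwd", "/etc/shadow", "/bin/su")}
```

Installing NEW_SPEC changes only what the labels should be; the stored labels in ON_DISK stay as they were until something rewrites them, which is the gap 'fixfiles check' reports and 'fixfiles relabel' closes.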