On Sun, Apr 25, 2010 at 12:19:04PM -0400, Steve Blackwell wrote:
On Sun, 25 Apr 2010 17:44:00 +0200
Dominick Grift <domg472(a)gmail.com> wrote:
> On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> > On Sun, 25 Apr 2010 11:04:31 +0200
> > Dominick Grift <domg472(a)gmail.com> wrote:
> >
> > > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> > ...
> > > > My logwatch report gives me 20 or 30 lines of:
> > > >
> > > > NULL security context for user, but SELinux in permissive mode, continuing ()
> > > >
> > > > in the cron section. Then I looked in /var/log/dmesg and I see
> > > > this line:
> > > >
> > > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
> > > >
> > > > System->Administration->SELinux Management, select SELinux User,
> > > > shows 8 SELinux users:
> > ...
> > > >
> > > > OK, that looks good but when, as root, I run:
> > > >
> > > > # semanage login -l
> > > >
> > > > Login Name    SELinux User    MLS/MCS Range
> > > >
> > > > __default__   unconfined_u    s0-s0:c0.c1023
> > > > root          unconfined_u    s0-s0:c0.c1023
> > > > system_u      system_u        s0-s0:c0.c1023
> > > >
> > > > hmmm... only 3 users. Is this a problem or is it telling me that
> > > > only 3 SELinux users are currently in use (i.e. assigned to any
> > > > Linux user) because I'm running in permissive mode?
> > >
> > > This should not be a problem because new users get mapped under
> > > __default__ by default, which is mapped to unconfined_u selinux
> > > user.
> > >
> > > >
> > > > How can I find out which user has a "NULL security context"?
> > >
> > > Good question, my gut feeling tells me it is unconfined_u but I am
> > > not sure.
> > >
> > > If there is no bug in Fedora 11 selinux policy then you could
> > > consider reinstalling the policy.
> > >
> > > The procedure for reinstalling policy is as follows.
> > >
> > > 1. setenforce 0 (put selinux in permissive mode)
> > > 2. rpm -ev selinux-policy selinux-policy-targeted (de-install
> > > selinux policy)
> > > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
> > > (remove -backup- the old selinux policy config)
> > > 4. yum install selinux-policy selinux-policy-targeted
> > > (-re- install fresh selinux policy)
> > > 5. fixfiles restore (restore contexts)
> > > 6. reboot
> >
> > I tried this procedure and at step 2 I also had to remove
> > policycoreutils-gui and setroubleshoot because of dependencies and
> > then reinstall them at step 4.
> > Step 5 started and bailed out with these errors:
> >
> > # fixfiles restore
> > ********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
> > /sbin/setfiles: error while labeling /: Permission denied
> > /sbin/setfiles: error while labeling /boot: Permission denied
> > /sbin/setfiles: error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
> >
> > The /media/... is an external USB hard drive that I use for backups.
> >
> > Can I ignore these errors or do they need to be resolved?
>
> Looks like a couple of things didn't go the way I expected. I do not
> understand why policycoreutils or setroubleshoot depends on the
> policy.
>
> Anyways..
>
> The errors look as if selinux was enforcing or as if you were
> not running fixfiles restore as root.
>
> Please try to run fixfiles restore as root in permissive mode.

The previous attempt was as root and in permissive mode. I tried again:

[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: disabled
Policy version: 24
Policy from config file: targeted
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied

In /etc/selinux/config set "SELINUX=permissive",
then do: touch /.autorelabel && reboot

Once rebooted, change SELINUX=permissive back to SELINUX=enforcing
and setenforce 1

Thanks,
Steve
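
The sestatus output in this thread shows "Mode from config file: disabled" while the running mode is permissive, and the last reply asks for SELINUX=permissive before the autorelabel reboot. The check below is an added example, not part of the thread: it reads sestatus output and reports whether the configured mode is the one that reply asks for. The function name, the verdict words and the embedded sample (retyped from the output above) are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check before "touch /.autorelabel && reboot".
# Reads `sestatus` output on stdin and prints one verdict word.
# relabel_preflight and its verdict words are hypothetical names for this example.
relabel_preflight() {
    awk -F: '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^SELinux status/        { status = trim($2) }
        /^Mode from config file/ { config = trim($2) }
        END {
            if (status != "enabled")         verdict = "selinux-off"
            else if (config == "permissive") verdict = "ready"
            else if (config == "disabled")   verdict = "config-disabled"
            else if (config == "enforcing")  verdict = "config-enforcing"
            else                             verdict = "unknown"
            print verdict
        }'
}

# Sample input retyped from the sestatus output quoted in the thread.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted'

# On a live system, replace the printf with: sestatus | relabel_preflight
case "$(printf '%s\n' "$SAMPLE_SESTATUS" | relabel_preflight)" in
    ready)
        echo "config is permissive: touch /.autorelabel && reboot" ;;
    config-disabled)
        # Assumption from general SELinux behaviour: with SELINUX=disabled the
        # next boot starts without SELinux, so the boot-time relabel is skipped.
        echo "config says disabled: set SELINUX=permissive in /etc/selinux/config first" ;;
    config-enforcing)
        echo "config says enforcing: the reply asks for permissive during the relabel" ;;
    selinux-off)
        echo "SELinux is not enabled in the running kernel" ;;
    *)
        echo "could not read the configured mode from sestatus output" ;;
esac
```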