From: Russell Coker[SMTP:russell@coker.com.au]
On Wed, 9 Jun 2004 17:42, David Balazic david.balazic@hermes.si wrote:
Because I get a failure right 5 minutes after installation.
I did a SELinux-enabled install of FC2 (Workstation type). In firstboot I created a user.
This is a known bug: when firstboot creates a user it doesn't give the correct type to the home directory files. Running setfiles is the correct thing to do. But you don't have to label the entire file system, just the home directory for the new user.
setfiles requires some "policy" argument, what do I use? Well, I just run "fixfiles relabel" (not in runlevel 1, as suggested by Andrew Farris, but level 5, is that a problem?). Now login on VCx is OK, but login in X still does not work. Previously it reported that my home dir does not exist, but now after the "fix", when I enter my username and password a blank blue screen with a mouse pointer (pointer, not sandwatch) appears and nothing happens. I waited 30 seconds and switched to VC1 to check out what is happening, but then the screen started to blink. It went black for ~5 seconds, then back to VC1 for a second, then black again and so on. Maybe the X server was restarting.
Any clues?
David Balažic
setfiles takes the file_contexts file as the first parameter; if you look at fixfiles, all it is doing is execing setfiles.
So with strict policy you would run
setfiles /etc/selinux/strict/contexts/files/file_contexts /home to relabel homedirs.
After running fixfiles relabel you should always reboot in order to start programs under the right context. If you do this in level 5 there is a chance the applications will write files out with bad context after the relabel, before the reboot.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Thu, 2004-06-10 at 06:44, Daniel J Walsh wrote:
After running fixfiles relabel you should always reboot in order to start programs under the right context. If you do this in level 5 there is a chance the applications will write files out with bad context after the relabel, before the reboot.
Is it sufficient to do this in run level 3? So far it's worked for me, but is it risky?
- Karsten
On Fri, 30 Jul 2004 12:22:20 PDT, Karsten Wade kwade@redhat.com said:
On Thu, 2004-06-10 at 06:44, Daniel J Walsh wrote:
After running fixfiles relabel you should always reboot in order to start programs under the right context. If you do this in level 5 there is a chance the applications will write files out with bad context after the relabel, before the reboot.
Is it sufficient to do this in run level 3? So far it's worked for me, but is it risky?
The only real practical difference between 3 and 5 is that 5 launches gdm or other similar graphical GUI interface... so all the *other* daemons are still around and able to possibly blindside you.
On Sat, 31 Jul 2004 05:22, Karsten Wade kwade@redhat.com wrote:
On Thu, 2004-06-10 at 06:44, Daniel J Walsh wrote:
After running fixfiles relabel you should always reboot in order to start programs under the right context. If you do this in level 5 there is a chance the applications will write files out with bad context after the relabel, before the reboot.
Is it sufficient to do this in run level 3? So far it's worked for me, but is it risky?
As has been mentioned, 3 is equivalent to 5 for such things.
If the machine booted in enforcing mode and was never in permissive mode then the number of programs which could be in the wrong domain and which could create files with the wrong context on shutdown is small.
If you are running in permissive mode with bad labelling then it's quite likely that programs are in the wrong domain but the only real problem is /etc/mtab which will have restorecon run on it at boot time.
If you change from targeted to strict policy then you can have user processes running in the wrong context. In my lab on writing SE Linux policy at the IBM Technical University the students had a problem because they were using OpenOffice to read the lab notes (didn't have time to get them printed) and when running in unconfined_t OO had created a socket in /tmp which it couldn't access after rebooting in enforcing mode with strict policy.
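As an added example (not a script from anyone in this thread), the following applies Daniel Walsh's advice to relabel only the new user's home directory from the policy's own file_contexts, and then lists files whose on-disk context still differs from policy, the mislabelling Russell Coker describes when processes keep running in the wrong domain after a relabel. It assumes the FC2-era path layout /etc/selinux/<type>/contexts/files/file_contexts, the setfiles and restorecon tools from policycoreutils, and root privileges for the relabel itself.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread.
# Assumes /etc/selinux/config holds SELINUXTYPE=<policy> (targeted or strict)
# and that file_contexts lives at /etc/selinux/<policy>/contexts/files/file_contexts.

# Read SELINUXTYPE= from an /etc/selinux/config-style file; default to targeted.
selinux_type_from_config() {
    conf="${1:-/etc/selinux/config}"
    t=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${t:-targeted}"
}

# file_contexts database for a given policy type (the first setfiles argument).
file_contexts_path() {
    printf '/etc/selinux/%s/contexts/files/file_contexts\n' "$1"
}

# Relabel one user's home directory only (the firstboot case), not the whole
# filesystem. Must run as root; returns non-zero if the user or policy is missing.
relabel_home() {
    user="$1"
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] && [ -d "$home" ] || { echo "no home directory for $user" >&2; return 1; }
    fc=$(file_contexts_path "$(selinux_type_from_config)")
    [ -r "$fc" ] || { echo "cannot read $fc" >&2; return 1; }
    setfiles "$fc" "$home"
}

# Dry-run restorecon over a tree: each printed line is a file whose context
# differs from what policy says it should be. Empty output means the labels
# match; non-empty output after a relabel means something wrote files under
# the wrong context, which is why the thread says to reboot straight after.
mislabeled_under() {
    restorecon -R -n -v "$1"
}

# Usage: ./relabel-home.sh <username>
if [ -n "${1:-}" ]; then
    relabel_home "$1" || exit 1
    out=$(mislabeled_under "$(getent passwd "$1" | cut -d: -f6)")
    if [ -n "$out" ]; then
        printf 'still mislabeled:\n%s\n' "$out"
    else
        echo "all labels under the home directory match policy"
    fi
fi
```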