Hi, I'm using Fedora Core 2 with kernel 2.6.6 with SELinux. However, some of my directories' security context (in /proc for example) still looks "(null)". I tried the instructions in GettingStartedWithNewSELinux.pdf to relabel the whole file system, but it did not work (in both permissive and enforcing mode):
[root@santiago /]# make -C /etc/security/selinux/src/policy/ relabel
make: Entering directory /etc/security/selinux/src/policy/
Cleaning out /tmp
rm -rf /tmp/.??* /tmp/*
/usr/bin/setfiles file_context/file_context 'mount | grep -v bind | grep -v " context=" | awk ' /(ext[23]|xfs).*rw{print $3}'
/usr/bin/setfiles: read 1426 spesifications
/usr/bin/setfiles: labeling files under /
/usr/bin/setfiles: error while labeling files under /
make: *** [relabel] Error 1
make: Leaving directory '/etc/security/selinux/src/policy'
[root@santiago policy]#
What have I missed? Could anyone help me on this? Your attention is greatly appreciated. Thank you.
------------------------------------------------- This mail sent through IMP: http://webmail.students.itu.edu.tr
On Wed, 16 Jun 2004 22:56, Ismail Iyigunler iyigunler@itu.edu.tr wrote:
I'm using Fedora Core 2 with kernel 2.6.6 with SELinux. However some of my directories' (in /proc for example) security context still looks "(null)".
There is no kernel support for exporting the security context of files in /proc to user space via the XATTR interface, so "ls -Z /proc" will always show "(null)". This has been discussed on the main SE Linux list; it is currently not considered to be worth the effort of changing this.
Some other file systems that lack the virtual XATTR support that devpts has will get it added.
[root@santiago /]# make -C /etc/security/selinux/src/policy/ relabel
[...]
/usr/bin/setfiles: read 1426 spesifications
/usr/bin/setfiles: labeling files under /
/usr/bin/setfiles: error while labeling files under /
make: *** [relabel] Error 1
make: Leaving directory '/etc/security/selinux/src/policy'
[root@santiago policy]#
Are there any AVC messages displayed about setfiles? Are you in enforcing mode?
Hi
But there are some directories and files shown as "(null)", like /lost+found or /sys. Is this normal?
There are no AVC messages shown for it, not even in /var/log/messages, and this happens in both enforcing and permissive mode.
Quoting Russell Coker russell@coker.com.au:
On Wed, 16 Jun 2004 22:56, Ismail Iyigunler iyigunler@itu.edu.tr wrote:
I'm using Fedora Core 2 with kernel 2.6.6 with SELinux. However some of my directories' (in /proc for example) security context still looks "(null)".
There is no kernel support for exporting the security context of files in /proc to user space via the XATTR interface, so "ls -Z /proc" will always show "(null)". This has been discussed on the main SE Linux list; it is currently not considered to be worth the effort of changing this.
Some other file systems that lack the virtual XATTR support that devpts has will get it added.
[root@santiago /]# make -C /etc/security/selinux/src/policy/ relabel
[...]
/usr/bin/setfiles: read 1426 spesifications
/usr/bin/setfiles: labeling files under /
/usr/bin/setfiles: error while labeling files under /
make: *** [relabel] Error 1
make: Leaving directory '/etc/security/selinux/src/policy'
[root@santiago policy]#
Are there any AVC messages displayed about setfiles? Are you in enforcing mode?
--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
On Wed, 2004-06-16 at 10:08, Ismail Iyigunler wrote:
Hi
But there are some directories and files shown as "(null)". like /lost+found or /sys. Is this normal?
For /sys, yes. /lost+found should have a visible context, assuming it is on a filesystem that supports them (e.g. ext3). See http://www.redhat.com/archives/fedora-selinux-list/2004-June/msg00004.html
There are no AVC messages shown for it, not even in /var/log/messages, and this happens in both enforcing and permissive mode.
The kernel internally has a context for the inode, but it isn't exported to userspace due to the lack of an xattr handler.
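The distinction made in this thread (a filesystem with no xattr handler, such as /proc or /sys, versus a labelable filesystem whose inode simply carries no label, such as /lost+found on ext3) can be checked programmatically. The following is an added example, not code from the thread or from the SELinux project: it classifies the result of reading security.selinux on a path, and reproduces the mount filter the policy Makefile's relabel target uses to pick read-write ext2/ext3/xfs mounts. The mount output and the fake xattr getter are constructed sample data.

```python
import errno
import os
import re

# Three outcomes the thread distinguishes when "ls -Z" shows "(null)":
NO_HANDLER = "no-xattr-handler"  # /proc, /sys: context exists in-kernel, no xattr handler exports it
UNLABELED = "unlabeled"          # xattrs supported but security.selinux unset: a relabel problem
LABELED = "labeled"

def read_selinux_context(path, getter=None):
    """Read security.selinux on `path` and classify the result.
    `getter` defaults to os.getxattr; a fake may be injected for offline testing."""
    getter = getter or os.getxattr
    try:
        raw = getter(path, "security.selinux")
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return NO_HANDLER, None
        if e.errno == errno.ENODATA:
            return UNLABELED, None
        raise
    return LABELED, raw.rstrip(b"\x00").decode()

# Same filter as the Makefile's pipeline: skip bind mounts and mounts with a fixed
# context=, keep read-write ext2/ext3/xfs, and take the mount point (third field).
RELABEL_RE = re.compile(r"(ext[23]|xfs).*rw")

def relabel_targets(mount_output):
    targets = []
    for line in mount_output.splitlines():
        if "bind" in line or " context=" in line:
            continue
        if RELABEL_RE.search(line):
            targets.append(line.split()[2])  # "/dev/hda2 on / type ext3 (rw)" -> "/"
    return targets

# Constructed sample data (not from the thread).
SAMPLE_MOUNT = """\
/dev/hda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/hda1 on /boot type ext3 (rw)
/dev/hda3 on /home type xfs (rw)
/home/shared on /mnt/shared type none (rw,bind)
"""

def fake_getxattr(path, name):
    """Fake getter mimicking the kernel behaviour described in the thread."""
    if path.startswith(("/proc", "/sys")):
        raise OSError(errno.ENOTSUP, "no xattr handler")
    if path == "/lost+found":
        raise OSError(errno.ENODATA, "security.selinux not set")
    return b"system_u:object_r:root_t\x00"
```

Running `read_selinux_context` with the real `os.getxattr` on a live SELinux host separates "(null)" entries that are expected (NO_HANDLER) from ones that indicate a failed relabel (UNLABELED).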
selinux@lists.fedoraproject.org