On Wed, 2008-05-07 at 13:47 -0500, Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400,
> Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
> > On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
> > > I eventually noticed that I was getting warnings about a NULL security
> > > context. I then tracked this down to not having a proper selinux user
> > > configuration.
> > > Since I was using the default, I expected things would work or at least that
> > > there would be *.rpmnew files that acted as a hint that something needed
> > > to be looked at. Also, in order to find out what the default was I ended up
> > > looking at some other machines that had more recent installs, because there
> > > didn't seem to be any obvious place to look on the affected machine for
> > > what reasonable default values were.
> > Can you provide more details, please?
> Here is a sample log message:
> May 4 05:00:01 wolff crond: (bruno) NULL security context for user, but SELinux
> in permissive mode, continuing ()
> I didn't save the original selinux attached to __default__. It might have been
> user_u; it definitely wasn't unconfined_u which is what I got with a fresh
> install on another machine. Besides fixing up the login user mapping, I also
> fixed up the user mapping to prefix, mls level, range and roles. There were
> several new selinux users that weren't in the list I got after the upgrade.
> Once I had everything matching that of the fresh install, I stopped seeing
> the NULL security context messages.
> I can't say I expected that the upgrade would work without manual intervention
> when going from FC5 to F9. But I would have liked to have gotten some hint
> that I should look at things. And if I hadn't had another machine with a fresh
> install to compare against, having some way to do that on a machine would be
> nice. Normally things stick *.rpmnew files in /etc, but I suspect that would
> encourage people to copy it over rather than using semanage to update things,
> so that may not be a good solution for selinux.
Ok, that's a known deficiency of how seusers is managed; it isn't
managed by rpm and there isn't a clean split between base policy
definitions and user customizations there.
The switch to unconfined_u came with the merging of strict and targeted
policies into one policy, and that happened in F8. I suspect that there
was some hackery in the F8 policy package to allow upgrades from F7 to
work, but jumping straight from F5 to F9 wouldn't have done the same.
National Security Agency
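As an added illustration (not code from the thread or from the SELinux project), a small POSIX shell check that reads a seusers-style login mapping (login:seuser:range, the format of /etc/selinux/<type>/seusers) and flags login entries that name a SELinux user the policy does not define, or a file with no __default__ fallback, which is the kind of stale mapping a distribution jump like the one described can leave behind. The mapping files, the user list and the user name legacy_u below are constructed for the example; on a real system you would feed it the live seusers file and the user names from `semanage user -l`.

```shell
#!/bin/sh
# Added example: audit a seusers-style mapping (login:seuser:mls_range, one
# entry per line; lines starting with '#' are treated as comments here)
# against the set of SELinux users the loaded policy defines.

# check_seusers SEUSERS_FILE USERLIST_FILE
#   USERLIST_FILE holds one SELinux user name per line (on a real system:
#   the names from "semanage user -l").  Returns 0 if consistent, 1 if not.
check_seusers() {
    seusers=$1 users=$2 rc=0 have_default=0
    while IFS=: read -r login seuser range; do
        # skip blank lines and comments; "range" keeps any trailing colons
        case $login in ''|\#*) continue ;; esac
        [ "$login" = __default__ ] && have_default=1
        if ! grep -qxF -- "$seuser" "$users"; then
            printf 'login %s maps to undefined SELinux user %s\n' "$login" "$seuser"
            rc=1
        fi
    done < "$seusers"
    if [ "$have_default" -eq 0 ]; then
        printf '__default__ entry missing: unlisted logins get no mapping\n'
        rc=1
    fi
    return "$rc"
}

# Constructed sample data standing in for /etc/selinux/targeted/seusers
# before and after the fix, and for the policy's user list (constructed).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/seusers.stale" <<'EOF'
# mapping carried over from the old install; legacy_u is a constructed name
__default__:legacy_u:s0
root:root:s0-s0:c0.c1023
EOF
cat > "$tmp/seusers.fixed" <<'EOF'
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
EOF
printf '%s\n' system_u root unconfined_u staff_u user_u > "$tmp/users"

for f in stale fixed; do
    if check_seusers "$tmp/seusers.$f" "$tmp/users"; then
        echo "seusers.$f: consistent"
    else
        echo "seusers.$f: repair with semanage login/user, not by copying a file"
    fi
done
```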