On Mon, 2006-08-07 at 11:15 -0400, D. Hugh Redelmeier wrote:
Thanks, Paul and Stephen, for your help.
| From: Stephen Smalley <sds(a)tycho.nsa.gov>
| Unfortunately, aside from patching your FC3 kernel and rebuilding it, I
| think your only option is to disable SELinux for FC3 altogether, i.e.
| boot it with selinux=0 or set SELINUX=disabled in /etc/selinux/config.
Am I correct in my guess that after doing this, the next time FC5 is
booted, I will have to relabel /home? What is the right way of doing
this? (Of course I could disable SELinux in FC5 too.)
Yes, if you keep them sharing /home.
Is "fixfiles relabel /home" the best choice?
/sbin/restorecon -R /home should work.
In my first message, I mentioned that I got the following messages on
the console:
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
==> What does the error message mean?
inode 2 is the root of the filesystem.
It appears that kernel routine inode_doinit_with_dentry is calling context_to_sid
and context_to_sid is returning EINVAL (because the context was invalid).
But even knowing that, I don't know what it actually means or is caused by.
Your description is correct; while running FC5, the directory was
labeled with the MLS/MCS field (:s0), and the FC3 kernel doesn't
understand it. At the time when FC3 was released, the MLS support in
SELinux was a compile-time option only and not enabled. By FC5, it had
become mainstreamed and turned into a runtime enable based on the policy
loaded at boot time.
--
Stephen Smalley
National Security Agency
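
The following is an added example, not part of the original message and not code from the SELinux project: a small triage script for the console messages discussed in the thread, reporting the errno name, whether the inode is the filesystem root, and whether the rejected context carries an MLS/MCS field. The function names and the second sample message are constructed for illustration.

```python
import errno
import re
from collections import Counter

# Message layout taken from the console lines quoted in the thread; \s+ also
# matches a newline, so messages wrapped by the console or mailer still parse.
MSG_RE = re.compile(
    r"inode_doinit_with_dentry:\s+context_to_sid\((?P<ctx>[^)]+)\)\s+returned\s+"
    r"(?P<rc>\d+)\s+for\s+dev=(?P<dev>\S+)\s+ino=(?P<ino>\d+)"
)

def mls_field(context):
    """Return the MLS/MCS part of user:role:type[:range], or None if absent.
    The range may itself contain ':' (e.g. s0:c0.c3), hence maxsplit=3."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[3] if len(parts) == 4 else None

def triage(log_text):
    """Collapse repeated context_to_sid failures into one finding per inode."""
    counts = Counter(
        (m["dev"], int(m["ino"]), m["ctx"], int(m["rc"]))
        for m in MSG_RE.finditer(log_text)
    )
    findings = []
    for (dev, ino, ctx, rc), seen in sorted(counts.items()):
        findings.append({
            "dev": dev, "ino": ino, "context": ctx, "seen": seen,
            "errno": errno.errorcode.get(rc, str(rc)),
            "fs_root": ino == 2,          # per the thread: inode 2 is the filesystem root
            "mls_field": mls_field(ctx),  # set: per the thread, the FC3 kernel cannot parse it
        })
    return findings

# Constructed sample: the first message is the one from the thread (wrapped, twice);
# the last message is invented for illustration.
SAMPLE_LOG = """\
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned
22 for dev=hda5 ino=2
inode_doinit_with_dentry: context_to_sid(system_u:object_r:home_root_t:s0) returned
22 for dev=hda5 ino=2
inode_doinit_with_dentry: context_to_sid(user_u:object_r:user_home_t:s0:c0.c3) returned 22 for dev=hda5 ino=4711
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```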