selinux config - no warning during upgrades

Daniel J Walsh dwalsh at redhat.com
Wed May 7 19:36:40 UTC 2008


Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400,
>   Stephen Smalley <sds at tycho.nsa.gov> wrote:
>> On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
>>> I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
>>> I eventually noticed that I was getting warnings about a NULL security
>>> context. I then tracked this down to not having a proper selinux user
>>> configuration.
>>>
>>> Since I was using the default, I expected things would work or at least that
>>> there would be *.rpmnew files that acted as a hint that something needed
>>> to be looked at. Also, in order to find out what the default was I ended up
>>> looking at some other machines that had more recent installs, because there
>>> didn't seem to be any obvious place to look on the affected machine for
>>> what reasonable default values were.
>> Can you provide more details, please?
> 
> Here is a sample log message:
> May  4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
> 
> I didn't save the original selinux attached to __default__. It might have been
> user_u; it definitely wasn't unconfined_u which is what I got with a fresh
> install on another machine. Besides fixing up the login user mapping, I also
> fixed up the user mapping to prefix, mls level, range and roles. There were
> several new selinux users that weren't in the list I got after the upgrade.
> Once I had everything matching that of the fresh install, I stopped seeing
> the NULL security context messages.
> 
> I can't say I expected that the upgrade would work without manual intervention
> when going from FC5 to F9. But I would have liked to have gotten some hint
> that I should look at things. And if I hadn't had another machine with a fresh
> install to compare against, having some way to do that on a machine would be
> nice. Normally things stick *.rpmnew files in /etc, but I suspect that would
> encourage people to copy it over rather than using semanage to update things,
> so that may not be a good solution for selinux.
> 
I would advise you to do a full relabel.  Upgrades are shaky when going
from one release to the next, but going from Fedora 5 to Rawhide is
really a major change.

touch /.autorelabel
reboot
