Relabelling issue
Daniel J Walsh
dwalsh at redhat.com
Wed Oct 28 17:23:15 UTC 2009
On 10/28/2009 11:14 AM, Arthur Dent wrote:
> On Wed, 2009-10-28 at 08:50 -0400, Daniel J Walsh wrote:
>> On 10/28/2009 05:38 AM, Arthur Dent wrote:
>>> On Mon, 2009-10-26 at 11:39 -0400, Daniel J Walsh wrote:
>>>> On 10/25/2009 09:01 AM, Arthur Dent wrote:
>>>>> Hello all,
>>>>>
>>>>> I got an avc the other day that made me suspect that I might have
>>>>> labelling problems on my Fedora 11 box, so I did a "touch /.autorelabel;
>>>>> reboot"
>>>>>
>>>>> The avc turned out to be unrelated to this, but I was a little surprised
>>>>> to see the following errors during the relabelling process:
>>>>>
>>>>> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
>>>>> type=1404 audit(1256456979.782:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
>>>>> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
>>>>> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
>>>>> type=1404 audit(1256457362.896:5): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
>>>>> Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
>>>>> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
>>>>>
>>>>>
>>>>> Should I be concerned?
>>>>>
>>>>> Thanks for any suggestions...
>>>>>
>>>>> Mark
>>>>>
>>>>> p.s.
>>>>>
>>>>> Latest yum log entries:
>>>>> [root at localhost ~]# cat /var/log/yum.log | grep -i selinux
>>>>> Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
>>>>> Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
>>>>>
>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>> This looks like a mismatch of policy and labels on disk.
>>>>
>>>>
>>>> *_script_exec_t was all changed to *_initrc_exec_t and we do not have all of the aliases defined for these.
>>>>
>>>> So relabeling is probably a good idea.
>>>>
>>>> gamin_exec_t has disappeared.
>>>
>>> OK - I finally got round to doing another relabel - this time in
>>> permissive mode (I wanted to watch for error messages and couldn't face
>>> the thought of sitting watching little asterisks march across the screen
>>> until today).
>>>
>>> Unfortunately I get exactly the same messages during the relabelling
>>> process:
>>> SELinux: initialized (dev sdb6, type ext3), uses xattr
>>> SELinux: initialized (dev sdb11, type vfat), uses genfs_contexts
>>> SELinux: initialized (dev sdb12, type vfat), uses genfs_contexts
>>> fuse init (API version 7.11)
>>> SELinux: initialized (dev sda3, type fuseblk), uses genfs_contexts
>>> SELinux: Context system_u:object_r:gamin_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:tor_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:openvpn_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:kerneloops_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:privoxy_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:setroubleshoot_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:virtd_script_exec_t:s0 is not valid (left unmapped).
>>> SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
>>> Adding 2096440k swap on /dev/sdb10. Priority:-1 extents:1 across:2096440k
>>> SELinux: initialized (dev binfmt_misc, type binfmt_misc), uses genfs_contexts
>>>
>>> So now I'm not sure what to do - just ignore it and wait until I rebuild
>>> with Fedora 12 - or do something now?
>>>
>>> Thanks for any advice...
>>>
>>> Mark
>>>
>>>
>>>
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-l
>> If you do a load_policy do you see these messages?
>>
>> What version of policy and which version of the OS are you using?
>>
>
> Hi Daniel,
>
> Thanks for helping...
>
> If you look a little further up this thread you will see that I am using
> Fedora 11 and...
>
>> Latest yum log entries:
>> [root at localhost ~]# cat /var/log/yum.log | grep -i selinux
>> Oct 14 22:04:23 Updated: selinux-policy-3.6.12-85.fc11.noarch
>> Oct 14 22:04:57 Updated: selinux-policy-targeted-3.6.12-85.fc11.noarch
>
> I have not come across "load_policy" before. I just typed "load_policy"
> on the command line (as root) and got no errors and no feedback at all.
>
> From reading the man page for load_policy I presume that this means exit
> status 0 - and therefore that all is well with the command?
>
> What next?
>
> Thanks for the help so far...
>
> Mark
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I guess now reboot and see if you see these errors.
More information about the selinux
mailing list