Help with messed up F11 SELinux

Dominick Grift domg472 at gmail.com
Sun Apr 25 09:04:31 UTC 2010


On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> I've always had problems with SELinux but I set it to permissive and
> moved on. Now I want to see if I can fix it.
> 
> My logwatch report gives me 20 or 30 lines of:
> 
> NULL security context for user, but SELinux in permissive mode,
> continuing ()
> 
> in the cron section. Then I looked in /var/log/dmesg and I see this
> line:
> 
> SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
> 
> System->Administration->SELinux Management, select SELinux User, shows
> 8 SELinux users: 
> guest_u, 
> root, 
> staff_u, 
> sysadm_u, 
> system_u,
> unconfined_u,
> user_u
> xguest_u
> 
> OK, that looks good but when, as root, I run:
> 
> # semanage login -l
> 
> Login Name             SELinux User           MLS/MCS Range            
> 
> __default__            unconfined_u           s0-s0:c0.c1023           
> root                   unconfined_u           s0-s0:c0.c1023           
> system_u               system_u               s0-s0:c0.c1023  
> 
> hmmm... only 3 users. Is this a problem or is it telling me that only 3
> SELinux users are currently in use (i.e. assigned to any Linux user)
> because I'm running in permissive mode?

This should not be a problem because new users get mapped under __default__ by default, which is mapped to the unconfined_u selinux user.

> 
> How can I find out which user has a "NULL security context"?

Good question, my gut feeling tells me it is unconfined_u but I am not sure.

If there is no bug in Fedora 11 selinux policy then you could consider reinstalling the policy. 

The procedure for reinstalling policy is as follows.

1. setenforce 0 (put selinux in permissive mode)
2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux policy config)
4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
5. fixfiles restore (restore contexts)
6. reboot

But try at your own risk.

Also just a file system relabeling *may* fix the issue: fixfiles restore; reboot (but I am not sure there either)

hth

> 
> Thanks,
> Steve
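
The __default__ fallback described in the reply, as an added example that is not part of the original message: a small shell function that reads a `semanage login -l` table and reports which SELinux user a given Linux login resolves to. The function names and the logins `alice` and `bob` are hypothetical, the sample table is constructed from the output quoted in the thread, and `%group` entries are not handled.

```shell
#!/bin/sh
# Added example, not from the original thread.

# Constructed sample: the `semanage login -l` table quoted above.
sample_login_table() {
cat <<'EOF'

Login Name             SELinux User           MLS/MCS Range

__default__            unconfined_u           s0-s0:c0.c1023
root                   unconfined_u           s0-s0:c0.c1023
system_u               system_u               s0-s0:c0.c1023
EOF
}

# resolve_selinux_user LOGIN   (hypothetical helper)
# Reads a `semanage login -l` table on stdin and prints
# "<selinux user> <range> <matched entry>" for LOGIN.
# A login without its own row falls back to the __default__ row.
# Exit status 1 means the table has neither, so LOGIN has no mapping.
resolve_selinux_user() {
    awk -v login="$1" '
        NF < 3 || $1 == "Login" { next }   # skip blank lines and the header
        $1 == login             { hit = $2 " " $3 " " $1 }
        $1 == "__default__"     { def = $2 " " $3 " " $1 }
        END {
            if (hit != "") { print hit; exit 0 }
            if (def != "") { print def; exit 0 }
            exit 1
        }'
}

# Demo on the constructed table: root has its own row, alice does not.
for login in root alice; do
    printf '%-8s -> %s\n' "$login" "$(sample_login_table | resolve_selinux_user "$login")"
done

# With the __default__ row missing, an unlisted login maps to nothing.
if ! sample_login_table | grep -v '^__default__' | resolve_selinux_user bob >/dev/null; then
    echo "bob      -> no mapping (no explicit row and no __default__)"
fi
```

On a live system the same function can be fed directly, as root: `semanage login -l | resolve_selinux_user "$LOGIN"`.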