Help with messed up F11 SELinux
Dominick Grift
domg472 at gmail.com
Sun Apr 25 09:04:31 UTC 2010
On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> I've always had problems with SELinux but I set it to permissive and
> moved on. Now I want to see if I can fix it.
>
> My logwatch report gives me 20 or 30 lines of :
>
> NULL security context for user, but SELinux in permissive mode,
> continuing ()
>
> in the cron section. Then I looked in /var/log/dmesg and I see this
> line:
>
> SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
>
> System->Administration->SELinux Management, select SELinux User, shows
> 8 SELinux users:
> guest_u,
> root,
> staff_u,
> sysadm_u,
> system_u,
> unconfined_u,
> user_u
> xguest_u
>
> OK, that looks good but when, as root, I run:
>
> # semanage login -l
>
> Login Name SELinux User MLS/MCS Range
>
> __default__ unconfined_u s0-s0:c0.c1023
> root unconfined_u s0-s0:c0.c1023
> system_u system_u s0-s0:c0.c1023
>
> hmmm... only 3 users. Is this a problem or is it telling me that only 3
> SELinux users are currently in use (ie assigned to any Linux user)
> because I'm running in permissive mode?
This should not be a problem because new users get mapped under __default__ by default, which is mapped to the unconfined_u SELinux user.
>
> How can I find out which user has a "NULL security context"?
Good question. My gut feeling tells me it is unconfined_u, but I am not sure.
If there is no bug in Fedora 11 selinux policy then you could consider reinstalling the policy.
The procedure for reinstalling policy is as follows.
1. setenforce 0 (put selinux in permissive mode)
2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux policy config)
4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
5. fixfiles restore (restore contexts)
6. reboot
But try at your own risk.
Also just a file system relabeling *may* fix the issue: fixfiles restore; reboot (but I am not sure there either)
hth
>
> Thanks,
> Steve
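The __default__ fallback described in the reply above can be checked mechanically. The following is an added example, not part of the original messages: it resolves a Linux login against `semanage login -l` style output. The function names and the login `steve` are hypothetical, and the sample listing is constructed from the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): resolve which SELinux user a Linux
# login is mapped to, falling back to the __default__ entry.

# Constructed sample, modelled on the `semanage login -l` listing quoted above.
sample_login_map() {
cat <<'EOF'

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023
EOF
}

# selinux_user_for LOGIN
# Reads a login map on stdin and prints "<selinux_user> <range> <source>",
# where <source> is "explicit" (login has its own entry) or "default"
# (login falls through to __default__). Returns 1 if neither exists.
# Group entries (%group) are not resolved here.
selinux_user_for() {
    awk -v login="$1" '
        NF < 3                          { next }  # blank or malformed line
        $1 == "Login" && $2 == "Name"   { next }  # column header
        $1 == login                     { hit = $2 " " $3 }
        $1 == "__default__"             { def = $2 " " $3 }
        END {
            if (hit != "")      print hit, "explicit"
            else if (def != "") print def, "default"
            else                exit 1
        }'
}

# On a live system (as root): semanage login -l | selinux_user_for steve
sample_login_map | selinux_user_for steve
```

A non-zero return means the map has neither an entry for the login nor a __default__ line.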