Help with messed up F11 SELinux

Dominick Grift domg472 at gmail.com
Sun Apr 25 18:32:53 UTC 2010


On Sun, Apr 25, 2010 at 12:19:04PM -0400, Steve Blackwell wrote:
> On Sun, 25 Apr 2010 17:44:00 +0200
> Dominick Grift <domg472 at gmail.com> wrote:
> 
> > On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> > > On Sun, 25 Apr 2010 11:04:31 +0200
> > > Dominick Grift <domg472 at gmail.com> wrote:
> > > 
> > > > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> > > ...
> > > > > My logwatch report gives me 20 or 30 lines of :
> > > > > 
> > > > > NULL security context for user, but SELinux in permissive mode,
> > > > > continuing ()
> > > > > 
> > > > > in the cron section. Then I looked in /var/log/dmesg and I see
> > > > > this line:
> > > > > 
> > > > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024
> > > > > cats
> > > > > 
> > > > > System->Administration->SELinux Management, select SELinux User,
> > > > > shows 8 SELinux users: 
> > > ...
> > > > > 
> > > > > OK, that looks good but when, as root, I run:
> > > > > 
> > > > > # semanage login -l
> > > > > 
> > > > > > Login Name             SELinux User           MLS/MCS Range
> > > > > > 
> > > > > > __default__            unconfined_u           s0-s0:c0.c1023
> > > > > > root                   unconfined_u           s0-s0:c0.c1023
> > > > > > system_u               system_u               s0-s0:c0.c1023
> > > > > 
> > > > > > hmmm... only 3 users. Is this a problem or is it telling me that
> > > > > > only 3 SELinux users are currently in use (ie assigned to any
> > > > > > Linux user) because I'm running in permissive mode?
> > > > 
> > > > This should not be a problem because new users get mapped under
> > > > __default__ by default, which is mapped to unconfined_u selinux
> > > > user.
> > > > 
> > > > > 
> > > > > How can I find out which user has a "NULL security context"?
> > > > 
> > > > > Good question, my gut feeling tells me it is unconfined_u but I am
> > > > > not sure.
> > > > 
> > > > If there is no bug in Fedora 11 selinux policy then you could
> > > > consider reinstalling the policy. 
> > > > 
> > > > The procedure for reinstalling policy is as follows.
> > > > 
> > > > > 1. setenforce 0 (put selinux in permissive mode)
> > > > > 2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
> > > > > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux policy config)
> > > > > 4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
> > > > > 5. fixfiles restore (restore contexts)
> > > > > 6. reboot
> > > 
> > > > I tried this procedure and at step 2 I also had to remove
> > > > policycoreutils-gui and setroubleshoot because of dependencies and
> > > > then reinstall them at step 4.
> > > Step 5 started and bailed out with these errors:
> > > 
> > > > #  fixfiles restore
> > > > ********************/sbin/setfiles:  unable to stat file /home/steve/.gvfs: Permission denied
> > > > /sbin/setfiles:  error while labeling /:  Permission denied
> > > > /sbin/setfiles:  error while labeling /boot:  Permission denied
> > > > /sbin/setfiles:  error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx:  Permission denied
> > > 
> > > The /media/... is an external USB harddrive that I use for backups.
> > > 
> > > > Can I ignore these errors or do they need to be resolved?
> > 
> > > Looks like a couple of things didn't go the way I expected. I do not
> > > understand why policycoreutils or setroubleshoot depends on the
> > > policy. 
> > 
> > Anyways..
> > 
> > > The errors look as if selinux was enforcing or as if you were
> > > not running fixfiles restore as root.
> > 
> > Please try to run fixfiles restore as root in permissive mode.
> 
> The previous attempt was as root and in permissive mode. I tried again:
> 
> [root at steve ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> [root at steve ~]# sestatus 
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux 
> Current mode:                   permissive 
> Mode from config file:          disabled 
> Policy version:                 24 
> Policy from config file:        targeted 
> 
> [root at steve ~]# fixfiles restore
> ********************/sbin/setfiles:  unable to stat file /home/steve/.gvfs: Permission denied
> /sbin/setfiles:  error while labeling /:  Permission denied
> /sbin/setfiles:  error while labeling /boot:  Permission denied
> /sbin/setfiles:  error while labeling /media/blah-blah:  Permission denied

in /etc/selinux/config set "SELINUX=permissive"

then do: touch /.autorelabel && reboot

once rebooted change SELINUX=permissive back to SELINUX=enforcing
and setenforce 1

> 
> Thanks,
> Steve
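
The config edit from the reply above (SELINUX=permissive before `touch /.autorelabel`, then back to enforcing), as an added example that is not part of the original thread. The helper names are hypothetical, and the demo runs on a constructed temporary file rather than the real /etc/selinux/config.

```shell
#!/bin/sh
# Added example. Helpers take the config path as an argument so they can be
# tried on a copy; the real file would be /etc/selinux/config.

# Print the value of the first SELINUX= line (SELINUXTYPE= does not match).
selinux_config_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite the SELINUX= line to enforcing, permissive or disabled.
set_selinux_config_mode() {
    case "$2" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $2" >&2; return 2 ;;
    esac
    grep -q '^SELINUX=' "$1" || { echo "no SELINUX= line in $1" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Write back with cat instead of mv so the file keeps its inode, owner
    # and SELinux label.
    sed "s/^SELINUX=.*/SELINUX=$2/" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Step before "touch /.autorelabel && reboot": make sure the file says permissive.
prepare_relabel_config() {
    [ "$(selinux_config_mode "$1")" = permissive ] && return 0
    set_selinux_config_mode "$1" permissive
}

# Constructed sample mirroring the sestatus output in the thread
# ("Mode from config file: disabled", "Policy from config file: targeted").
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' 'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$cfg"
    echo "before: $(selinux_config_mode "$cfg")"
    prepare_relabel_config "$cfg"
    echo "after:  $(selinux_config_mode "$cfg")"
    # After the relabel boot: switch the file back to enforcing.
    set_selinux_config_mode "$cfg" enforcing
    echo "final:  $(selinux_config_mode "$cfg")"
    rm -f "$cfg"
}
demo
```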