Help with messed up F11 SELinux
Dominick Grift
domg472 at gmail.com
Sun Apr 25 18:32:53 UTC 2010
On Sun, Apr 25, 2010 at 12:19:04PM -0400, Steve Blackwell wrote:
> On Sun, 25 Apr 2010 17:44:00 +0200
> Dominick Grift <domg472 at gmail.com> wrote:
>
> > On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> > > On Sun, 25 Apr 2010 11:04:31 +0200
> > > Dominick Grift <domg472 at gmail.com> wrote:
> > >
> > > > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> > > ...
> > > > > My logwatch report gives me 20 or 30 lines of :
> > > > >
> > > > > NULL security context for user, but SELinux in permissive mode,
> > > > > continuing ()
> > > > >
> > > > > in the cron section. Then I looked in /var/log/dmesg and I see
> > > > > this line:
> > > > >
> > > > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024
> > > > > cats
> > > > >
> > > > > System->Administration->SELinux Management, select SELinux User,
> > > > > shows 8 SELinux users:
> > > ...
> > > > >
> > > > > OK, that looks good but when, as root, I run:
> > > > >
> > > > > # semanage login -l
> > > > >
> > > > > > Login Name                SELinux User              MLS/MCS Range
> > > > > >
> > > > > > __default__               unconfined_u              s0-s0:c0.c1023
> > > > > > root                      unconfined_u              s0-s0:c0.c1023
> > > > > > system_u                  system_u                  s0-s0:c0.c1023
> > > > >
> > > > > > hmmm... only 3 users. Is this a problem or is it telling me that
> > > > > > only 3 SELinux users are currently in use (ie assigned to any
> > > > > > Linux user) because I'm running in permissive mode?
> > > >
> > > > This should not be a problem because new users get mapped under
> > > > __default__ by default, which is mapped to unconfined_u selinux
> > > > user.
> > > >
> > > > >
> > > > > How can I find out which user has a "NULL security context"?
> > > >
> > > > Good question, my gut feeling tells me it's unconfined_u but I am
> > > > not sure.
> > > >
> > > > If there is no bug in Fedora 11 selinux policy then you could
> > > > consider reinstalling the policy.
> > > >
> > > > The procedure for reinstalling policy is as follows.
> > > >
> > > > 1. setenforce 0 (put selinux in permissive mode)
> > > > 2. rpm -ev selinux-policy selinux-policy-targeted
> > > >    (de-install selinux policy)
> > > > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
> > > >    (remove -backup- the old selinux policy config)
> > > > 4. yum install selinux-policy selinux-policy-targeted
> > > >    (-re- install fresh selinux policy)
> > > > 5. fixfiles restore (restore contexts)
> > > > 6. reboot
> > >
> > > I tried this procedure and at step 2 I also had to remove
> > > policycoreutils-gui and setroubleshoot because of dependencies and
> > > then reinstall them at step 4.
> > > Step 5 started and bailed out with these errors:
> > >
> > > # fixfiles restore
> > > ********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
> > > /sbin/setfiles: error while labeling /: Permission denied
> > > /sbin/setfiles: error while labeling /boot: Permission denied
> > > /sbin/setfiles: error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
> > >
> > > The /media/... is an external USB harddrive that I use for backups.
> > >
> > > Can I ignore these errors or do they need to be resolved?
> >
> > Looks like a couple of things didn't go the way I expected. I do not
> > understand why policycoreutils or setroubleshoot depends on the
> > policy.
> >
> > Anyways..
> >
> > The errors look as if selinux was enforcing or as if you were
> > not running fixfiles restore as root.
> >
> > Please try to run fixfiles restore as root in permissive mode.
>
> The previous attempt was as root and in permissive mode. I tried again:
>
> [root@steve ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> [root@steve ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          disabled
> Policy version:                 24
> Policy from config file:        targeted
>
> [root@steve ~]# fixfiles restore
> ********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
> /sbin/setfiles: error while labeling /: Permission denied
> /sbin/setfiles: error while labeling /boot: Permission denied
> /sbin/setfiles: error while labeling /media/blah-blah: Permission denied
In /etc/selinux/config set "SELINUX=permissive",
then do: touch /.autorelabel && reboot

Once rebooted, change SELINUX=permissive back to SELINUX=enforcing
and setenforce 1
>
> Thanks,
> Steve
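
Added example (not part of the original thread or of any Fedora tooling): a preflight check for the relabel steps in the reply above, run before the reboot. It flags the case visible in the quoted sestatus output, where the mode in the config file is "disabled". The function names and the optional root-directory argument are assumptions made for illustration and testing.

```shell
#!/bin/sh
# Added example: preflight check for "set SELINUX=permissive, touch
# /.autorelabel, reboot". Function names are hypothetical.

# Print the value of a key from an SELinux config file. Comments and
# surrounding whitespace are ignored; the last assignment wins.
#   $1 = config file, $2 = key (SELINUX or SELINUXTYPE)
selinux_cfg_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print "ready" and return 0 only if the next boot matches the reply's
# steps: permissive in the config file, policy present, relabel flag set.
#   $1 = alternate root directory (assumption, for testing); empty = live system
relabel_preflight() {
    root=${1:-}
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "missing-config"; return 1; }

    mode=$(selinux_cfg_get "$cfg" SELINUX)
    type=$(selinux_cfg_get "$cfg" SELINUXTYPE)

    case "$mode" in
        permissive) ;;
        # "disabled" in the file means no policy is loaded at the next boot,
        # even if the running system is currently permissive.
        disabled)  echo "config-disabled";  return 1 ;;
        # The reply asks for permissive while the relabel runs.
        enforcing) echo "config-enforcing"; return 1 ;;
        *)         echo "config-invalid";   return 1 ;;
    esac

    # The relabel needs the reinstalled policy's file context definitions.
    if [ -z "$type" ] || [ ! -f "$root/etc/selinux/$type/contexts/files/file_contexts" ]; then
        echo "policy-missing"; return 1
    fi

    # The flag file created by "touch /.autorelabel".
    [ -e "$root/.autorelabel" ] || { echo "no-autorelabel-flag"; return 1; }

    echo "ready"
}

# Usage on the live system, as root:  relabel_preflight
```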