selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!

Rick Stevens ricks at nerd.com
Mon Mar 2 22:07:07 UTC 2009


Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Mike Cloaked wrote:
>> I have just updated some f10 boxes a few minutes ago. On logging on again
>> after rebooting to the new kernel this evening, the main user directories
>> have had their contexts changed to usr_t so I presume some kind of
>> relabelling has been done - but not correctly!  After restorecon -vR
>> /home/user the contexts have mostly reverted to where they should be - I
>> initially noticed because ssh suddenly started demanding a passphrase when
>> it should not need one - and then I noted avc denials..... 
>>
>> This is for selinux-policy-3.5.13-46.fc10.noarch and the related targeted
>> policy.  
>>
>> I have tested on several systems and so far all is well after doing 
>> restorecon -vR /home
>> as root to fix all user areas in one go.  Any one user can fix their own
>> user area by doing restorecon -vR /home/user 
>> I presume that this will lose any chcon changes - but any contexts that were
>> saved as a rule using semanage fcontext presumably should be restored -
>> though I have not had time to explore all directories yet.  
>>
>> This update was pushed to stable today so presumably it will take a while to
>> sync to all mirrors.
> This is very strange, I have no idea why SELinux update would do this,
> and suspect that something else might have gone wrong.  Were there other
> packages in the update?
> 
> I will update my F10 and see what is going on.
> 
> Could be someone is doing a chcon -t usr_t in a post install script?
> 
> selinux-policy should only be doing the equivalent of a restorecon -vR
> in its post install.  Actually executes fixfiles
> "fixfiles -C ${FILE_CONTEXT}.pre restore"
> 
> Which figures out what was different between the old file context and
> the new and runs restorecon on them.

Yes, but if the new context list contains an incorrect setting (usr_t
instead of user_home_dir_t), then restorecon is going to set the usr_t
context.  After all, restorecon doesn't have that stuff compiled in, it
reads it from the control file.

That being said, I've got an "exclude=selinux-policy-targeted*" in my
yum configs until this is fixed.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  Time: Nature's way of keeping everything from happening at once.  -
----------------------------------------------------------------------
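
The point made in the reply above, that restorecon only applies whatever the file contexts list says, can be checked before relabelling by comparing the old and new lists. The following is an added example, not part of the original thread and not the fixfiles code; the two lists are constructed samples, the usr_t entry is the hypothetical bad setting from the reply, and the matching rule (anchored regex, last matching line wins) is a simplification of what libselinux does.

```python
import re

# Constructed excerpt standing in for the pre-update file contexts list.
OLD_FC = r"""
/usr(/.*)?                 system_u:object_r:usr_t:s0
/home/[^/]+          -d    system_u:object_r:user_home_dir_t:s0
/home/[^/]+/\.ssh(/.*)?    system_u:object_r:ssh_home_t:s0
"""
# Hypothetical bad update: the home directory entry now carries usr_t.
NEW_FC = OLD_FC.replace("user_home_dir_t", "usr_t")

def parse_fc(text):
    """Return (regex, file_type, context) for each spec line."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        ftype = fields[1] if len(fields) == 3 else None
        specs.append((fields[0], ftype, fields[-1]))
    return specs

def changed_specs(old_text, new_text):
    """Specs added, removed or relabelled between two lists."""
    old = {(r, t): c for r, t, c in parse_fc(old_text)}
    new = {(r, t): c for r, t, c in parse_fc(new_text)}
    keys = sorted(old.keys() | new.keys(), key=lambda k: (k[0], k[1] or ""))
    return [(r, t, old.get((r, t)), new.get((r, t)))
            for r, t in keys if old.get((r, t)) != new.get((r, t))]

def lookup(text, path, is_dir):
    """Simplified matching: anchored regex, last matching spec wins."""
    label = None
    for regex, ftype, context in parse_fc(text):
        if (ftype == "-d" and not is_dir) or (ftype == "--" and is_dir):
            continue
        if re.fullmatch(regex, path):
            label = context
    return label

if __name__ == "__main__":
    for regex, ftype, before, after in changed_specs(OLD_FC, NEW_FC):
        print(f"{regex} {ftype or ''}: {before} -> {after}")
    for path, is_dir in [("/home/user", True), ("/home/user/.ssh", True)]:
        print(path, lookup(OLD_FC, path, is_dir), "->", lookup(NEW_FC, path, is_dir))
```

On a real system the two inputs would be the saved pre-update list and the installed one, and any changed entry under /home is worth reading before restorecon is run against it.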
