On Mon, Jan 14, 2008 at 01:46:17PM -0500, Stephen Smalley wrote:
> load_policy doesn't touch the enforcing status.
>
> > Anyway, you have some serious labeling issue there in /var...
> >
> > try restorecon -R /var

The labelling issues I would (perhaps incorrectly) expect from running SELinux in permissive mode. I decided to relabel and reboot into enforcing mode. What a disaster. The system couldn't boot enough to run the "fixfiles restore" from /etc/rc.sysinit, not even in single user mode. I had to eventually boot into single user mode with the selinux=0 kernel parameter and run "fixfiles restore" manually.

Then I discovered that somehow a bunch of bogus "unconfined" entries had appeared in /etc/selinux/targeted/contexts/files/file_contexts.homedirs:

#
#
# User-specific file contexts, generated via libsemanage
# use semanage command to manage system users to change the file_context
#
#
#
# Home Context for user unconfined_u
#
/etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/etc/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/etc/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/etc/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/etc/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/etc/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/etc/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/etc/lost\+found/.* <<none>>
/etc -d system_u:object_r:home_root_t:s0
/etc/\.journal <<none>>
/etc/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/home/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/home/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/home/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/home/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/home/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/home/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/home/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/home/lost\+found/.* <<none>>
/home -d system_u:object_r:home_root_t:s0
/home/\.journal <<none>>
/home/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/opt/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/opt/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/opt/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/opt/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/opt/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/opt/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/opt/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/opt/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/opt/lost\+found/.* <<none>>
/opt -d system_u:object_r:home_root_t:s0
/opt/\.journal <<none>>
/opt/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/usr/libexec/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/usr/libexec/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/usr/libexec/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/usr/libexec/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/usr/libexec/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/usr/libexec/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/usr/libexec/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/usr/libexec/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/usr/libexec/lost\+found/.* <<none>>
/usr/libexec -d system_u:object_r:home_root_t:s0
/usr/libexec/\.journal <<none>>
/usr/libexec/lost\+found -d system_u:object_r:lost_found_t:s0
#
# Home Context for user unconfined_u
#
/var/log/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/var/log/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
/var/log/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
/var/log/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
/var/log/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
/var/log/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
/var/log/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/var/log/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
/var/log/lost\+found/.* <<none>>
/var/log -d system_u:object_r:home_root_t:s0
/var/log/\.journal <<none>>
/var/log/lost\+found -d system_u:object_r:lost_found_t:s0
/tmp/gconfd-.* -d unconfined_u:object_r:unconfined_tmp_t:s0
#
# Home Context for user root
#
/root/.+ root:object_r:sysadm_home_t:s0
/root/.gnome2(/.*)? root:object_r:sysadm_gnome_home_t:s0
/root/.*/plugins/nprhapengine\.so.* -- root:object_r:textrel_shlib_t:s0
/root/.*/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_sysadm_content_t:s0
/root/\.ssh(/.*)? root:object_r:sysadm_home_ssh_t:s0
/root/\.uml(/.*)? root:object_r:sysadm_uml_rw_t:s0
/root/\.java(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.xauth.* -- root:object_r:sysadm_xauth_home_t:s0
/root/\.fonts(/.*)? root:object_r:sysadm_fonts_t:s0
/root/\.pyzor(/.*)? root:object_r:sysadm_pyzor_home_t:s0
/root/\.razor(/.*)? root:object_r:sysadm_razor_home_t:s0
/root/vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
/root/\.galeon(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
/root/\.vmware[^/]*/.*\.cfg -- root:object_r:sysadm_vmware_conf_t:s0
/root/\.mozilla(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.phoenix(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.mplayer(/.*)? root:object_r:sysadm_mplayer_home_t:s0
/root/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
/root/\.ethereal(/.*)? root:object_r:sysadm_ethereal_home_t:s0
/root/\.netscape(/.*)? root:object_r:sysadm_mozilla_home_t:s0
/root/\.Xauthority.* -- root:object_r:sysadm_xauth_home_t:s0
/root/\.fonts/auto(/.*)? root:object_r:sysadm_fonts_cache_t:s0
/root/\.gstreamer-.*/[^/]*\.so.* -- root:object_r:textrel_shlib_t:s0
/root/\.config/gtk-.* root:object_r:sysadm_gnome_home_t:s0
/root/\.fonts\.cache-.* -- root:object_r:sysadm_fonts_cache_t:s0
/root/\.ICEauthority.* -- root:object_r:sysadm_iceauth_home_t:s0
/root/\.spamassassin(/.*)? root:object_r:sysadm_spamassassin_home_t:s0
/root -d root:object_r:sysadm_home_dir_t:s0
/root -l root:object_r:sysadm_home_dir_t:s0
/root/\.ircmotd -- root:object_r:sysadm_irc_home_t:s0
/root/\.screenrc -- root:object_r:sysadm_screen_ro_home_t:s0
/root/\.fonts\.conf -- root:object_r:sysadm_fonts_config_t:s0
/tmp/gconfd-root -d root:object_r:sysadm_tmp_t:s0

I deleted all the sections headed up with "Home Context for user unconfined_u" then re-ran "fixfiles restore".

The conclusion I draw is that running SELinux in permissive mode for an extended period of time isn't well supported at all, and shouldn't be recommended ever. Perhaps more testing should go into running a system in permissive mode while yum updates apply selinux packages, etc. to find these types of issues.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
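A pre-relabel sanity check for the failure described in this post, added here as an example and not part of the original thread or of libsemanage: it parses a file_contexts.homedirs excerpt (constructed from the entries above) and reports every per-user section that would label a directory outside the expected home roots as home_root_t, which is exactly what the bogus /etc, /opt, /usr/libexec and /var/log sections would have done. The excerpt and the default allowed roots (/home and /root) are assumptions; run it against the real file before fixfiles to catch such sections first.

```python
import re

# Constructed excerpt in the format of file_contexts.homedirs, trimmed from
# the post above: one bogus section rooted at /etc, one sane one at /home.
SAMPLE = r"""# Home Context for user unconfined_u
#
/etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
/etc/lost\+found/.* <<none>>
/etc -d system_u:object_r:home_root_t:s0
# Home Context for user unconfined_u
/home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
/home -d system_u:object_r:home_root_t:s0
/tmp/gconfd-.* -d unconfined_u:object_r:unconfined_tmp_t:s0
# Home Context for user root
/root/.+ root:object_r:sysadm_home_t:s0
/root -d root:object_r:sysadm_home_dir_t:s0
"""

HEADER = re.compile(r"^#\s*Home Context for user (\S+)")
META = re.compile(r"[\[\]().*+?^$|\\]")  # first regex metachar ends the literal prefix

def literal_prefix(regex):
    """Return the fixed path prefix before the first regex metacharacter."""
    m = META.search(regex)
    return regex if m is None else regex[:m.start()]

def parse_homedirs(text):
    """Return [(user, [(regex, ftype_flag_or_None, context), ...]), ...]."""
    sections = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            sections.append((m.group(1), []))  # new "Home Context for user" block
        elif line and not line.startswith("#"):
            fields = line.split()  # regex [-d|-l|--] context-or-<<none>>
            ftype = fields[1] if len(fields) == 3 else None
            sections[-1][1].append((fields[0], ftype, fields[-1]))
    return sections

def suspicious_home_roots(text, allowed=("/home", "/root")):
    """Map user -> directories its section labels home_root_t outside `allowed`."""
    report = {}
    for user, entries in parse_homedirs(text):
        for regex, _, ctx in entries:
            root = literal_prefix(regex).rstrip("/") or "/"
            if ":home_root_t:" in ctx and root not in allowed:
                report.setdefault(user, []).append(root)
    return report
```

Any non-empty report means restorecon or fixfiles would turn a system directory into a home root; on the file quoted above it would list /etc, /opt, /usr/libexec and /var/log under unconfined_u.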