Chuck Anderson wrote:
> On Mon, Jan 14, 2008 at 01:46:17PM -0500, Stephen Smalley wrote:
>> load_policy doesn't touch the enforcing status.
>>
>>> Anyway, you have some serious labeling issue there in /var...
>>>
>>> try restorecon -R /var
>
> The labelling issues I would (perhaps incorrectly) expect from
> running SELinux in permissive mode. I decided to relabel and reboot
> into enforcing mode. What a disaster. The system couldn't boot
> enough to run the "fixfiles restore" from /etc/rc.sysinit, not even in
> single user mode. I had to eventually boot into single user mode with
> the selinux=0 kernel parameter and run "fixfiles restore" manually.
> Then I discovered that somehow a bunch of bogus "unconfined" entries
> had appeared in
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs:
>
> #
> #
> # User-specific file contexts, generated via libsemanage
> # use semanage command to manage system users to change the file_context
> #
> #
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /etc/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /etc/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /etc/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /etc/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /etc/lost\+found/.* <<none>>
> /etc -d system_u:object_r:home_root_t:s0
> /etc/\.journal <<none>>
> /etc/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /home/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /home/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /home/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /home/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/lost\+found/.* <<none>>
> /home -d system_u:object_r:home_root_t:s0
> /home/\.journal <<none>>
> /home/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /opt/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /opt/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /opt/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /opt/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /opt/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /opt/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /opt/lost\+found/.* <<none>>
> /opt -d system_u:object_r:home_root_t:s0
> /opt/\.journal <<none>>
> /opt/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /usr/libexec/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /usr/libexec/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /usr/libexec/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /usr/libexec/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /usr/libexec/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /usr/libexec/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /usr/libexec/lost\+found/.* <<none>>
> /usr/libexec -d system_u:object_r:home_root_t:s0
> /usr/libexec/\.journal <<none>>
> /usr/libexec/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /var/log/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /var/log/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /var/log/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /var/log/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /var/log/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /var/log/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /var/log/lost\+found/.* <<none>>
> /var/log -d system_u:object_r:home_root_t:s0
> /var/log/\.journal <<none>>
> /var/log/lost\+found -d system_u:object_r:lost_found_t:s0
> /tmp/gconfd-.* -d unconfined_u:object_r:unconfined_tmp_t:s0
>
>
> #
> # Home Context for user root
> #
>
> /root/.+ root:object_r:sysadm_home_t:s0
> /root/.gnome2(/.*)? root:object_r:sysadm_gnome_home_t:s0
> /root/.*/plugins/nprhapengine\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/.*/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_sysadm_content_t:s0
> /root/\.ssh(/.*)? root:object_r:sysadm_home_ssh_t:s0
> /root/\.uml(/.*)? root:object_r:sysadm_uml_rw_t:s0
> /root/\.java(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.xauth.* -- root:object_r:sysadm_xauth_home_t:s0
> /root/\.fonts(/.*)? root:object_r:sysadm_fonts_t:s0
> /root/\.pyzor(/.*)? root:object_r:sysadm_pyzor_home_t:s0
> /root/\.razor(/.*)? root:object_r:sysadm_razor_home_t:s0
> /root/vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
> /root/\.galeon(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
> /root/\.vmware[^/]*/.*\.cfg -- root:object_r:sysadm_vmware_conf_t:s0
> /root/\.mozilla(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.phoenix(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.mplayer(/.*)? root:object_r:sysadm_mplayer_home_t:s0
> /root/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/\.ethereal(/.*)? root:object_r:sysadm_ethereal_home_t:s0
> /root/\.netscape(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.Xauthority.* -- root:object_r:sysadm_xauth_home_t:s0
> /root/\.fonts/auto(/.*)? root:object_r:sysadm_fonts_cache_t:s0
> /root/\.gstreamer-.*/[^/]*\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/\.config/gtk-.* root:object_r:sysadm_gnome_home_t:s0
> /root/\.fonts\.cache-.* -- root:object_r:sysadm_fonts_cache_t:s0
> /root/\.ICEauthority.* -- root:object_r:sysadm_iceauth_home_t:s0
> /root/\.spamassassin(/.*)? root:object_r:sysadm_spamassassin_home_t:s0
> /root -d root:object_r:sysadm_home_dir_t:s0
> /root -l root:object_r:sysadm_home_dir_t:s0
> /root/\.ircmotd -- root:object_r:sysadm_irc_home_t:s0
> /root/\.screenrc -- root:object_r:sysadm_screen_ro_home_t:s0
> /root/\.fonts\.conf -- root:object_r:sysadm_fonts_config_t:s0
> /tmp/gconfd-root -d root:object_r:sysadm_tmp_t:s0
>
>
> I deleted all the sections headed up with "Home Context for user
> unconfined_u" then re-ran "fixfiles restore".
>
> The conclusion I draw is that running SELinux in permissive mode for
> an extended period of time isn't well supported at all, and shouldn't
> be recommended ever. Perhaps more testing should go into running a
> system in permissive mode while yum updates apply selinux packages,
> etc. to find these types of issues.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Do you have user accounts set up in /var/log? /lib/libexec?

If you have system accounts with homedirs and real shells, you can
confuse SELinux. Any system account should have a UID < 500 or a shell
of /bin/false or /sbin/nologin.

You also look like you have root account set up to login as system_u.
You probably want to execute

semanage login -m -s unconfined_u root
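An added check that is not part of the thread above: it applies the rule given in the reply (UID < 500, or a shell of /bin/false or /sbin/nologin) to passwd-format lines and lists the accounts that libsemanage's home-directory context generation would treat as real users. It also derives the parent directory of each such home, which is my reading of why the quoted file_contexts.homedirs grew "Home Context" sections for /etc, /opt, /usr/libexec and /var/log. The sample passwd lines are constructed for the example; the 500 threshold and shell names come from the reply.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Finds accounts that the
# reply says confuse SELinux: UID >= 500 with a real login shell and a home
# directory outside /home. Constructed sample passwd lines (not a real system):
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
chuck:x:500:500:Chuck:/home/chuck:/bin/bash
logsvc:x:501:501:Log service:/var/log/logsvc:/bin/bash
helper:x:502:502:Helper:/usr/libexec/helper:/bin/sh
backup:x:503:503:Backup:/opt/backup:/sbin/nologin
web:x:504:504:Web:/var/www/web:/bin/false'

# Print "user:home:shell" for each account with UID >= $2 (default 500), a
# shell other than /bin/false or /sbin/nologin, and a home outside /home.
# $1 is passwd-format text, e.g. "$(cat /etc/passwd)".
suspicious_homedir_accounts() {
    min_uid="${2:-500}"
    printf '%s\n' "$1" | awk -F: -v min="$min_uid" '
        $3 >= min &&
        $7 != "/sbin/nologin" && $7 != "/bin/false" &&
        $6 !~ /^\/home\// { print $1 ":" $6 ":" $7 }'
}

# Print the distinct parent directories of the homes of all "real" users
# (UID >= threshold, login shell). Assumption made by this example: each of
# these becomes a prefix with its own "Home Context for user ..." section,
# matching the /etc, /opt, /usr/libexec, /var/log blocks in the quoted file.
homedir_roots() {
    min_uid="${2:-500}"
    printf '%s\n' "$1" | awk -F: -v min="$min_uid" '
        $3 >= min && $7 != "/sbin/nologin" && $7 != "/bin/false" {
            home = $6
            sub(/\/[^\/]*$/, "", home)   # strip the last path component
            if (home == "") home = "/"
            print home
        }' | sort -u
}

# Emit (do not run) the remediation the reply implies for each flagged
# account: give it a non-login shell, then relabel so the regenerated
# file_contexts.homedirs takes effect.
suggest_fixes() {
    suspicious_homedir_accounts "$1" "$2" | while IFS=: read -r user home shell; do
        echo "usermod -s /sbin/nologin $user   # $home currently gets home-dir labels"
    done
    echo "fixfiles restore   # or: restorecon -R <affected prefixes>"
}

echo "Accounts likely to confuse home-directory labeling (user:home:shell):"
suspicious_homedir_accounts "$SAMPLE_PASSWD"
echo "Home directory roots that would each get a Home Context section:"
homedir_roots "$SAMPLE_PASSWD"
echo "Suggested remediation (review before running):"
suggest_fixes "$SAMPLE_PASSWD"
```

To audit a live box, pass the real file instead of the sample: suspicious_homedir_accounts "$(cat /etc/passwd)". The root-to-system_u mapping the reply points out is a separate check (semanage login -l) and is not covered by this script.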