-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bruno Wolff III wrote: > On Wed, May 07, 2008 at 13:31:38 -0400, > Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: >> On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote: >>> I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards >>> I eventually noticed that I was getting warnings about a NULL security >>> context. I then tracked this down to not having a proper selinux user >>> configuration. >>> >>> Since I was using the default, I expected things would work or at least that >>> there would be *.rpmnew files that acted as a hint that something needed >>> to be looked at. Also, in order to find out what the default was I ended up >>> looking at some other machines that had more recent installs, because there >>> didn't seem to be any obvious place to look on the affected machine for >>> what reasonable default values were. >> Can you provide more details, please? > > Here is a sample log messages: > May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing () > > I didn't save the original selinux attached to __default__. It might have been > user_u; it definitely wasn't unconfined_u which is what I got with a fresh > install on another machine. Besides fixing up the login user mapping, I also > fixed up the user mapping to prefix, mls level, range and roles. There were > several new selinux users that weren't in the list I got after the upgrade. > Once I have everything matching that of the fresh install, I stopped seeing > the NULL security context messages. > > I can't say I expected that the upgrade would work without manual intervention > when going from FC5 to F9. But I would have liked to have gotten some hint > that I should look at things. And if I hadn't had another machine with a fresh > install to compare against, having some way to do that on a machine would be > nice. Normally things stick *.rpmnew files in /etc, but I suspect that would > encourange people to copy it over rather than using semanage to update things, > so that may not be a good solution for selinux. > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list I would advise you to do a full relabel. Upgrades are shakey when going from one release to the next, but going from Fedora 5 to Rawhide, is really a major change. touch /.autorelabel reboot -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iEYEARECAAYFAkgiBMgACgkQrlYvE4MpobNGkwCgsunCL0uItsqFSdEvaubSAmoa mokAoJFVQgDdoa7xHoFb+OVUGl+L2jL8 =N58L -----END PGP SIGNATURE----- -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
