On Wed, 2008-05-07 at 13:47 -0500, Bruno Wolff III wrote: > On Wed, May 07, 2008 at 13:31:38 -0400, > Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > > On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote: > > > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards > > > I eventually noticed that I was getting warnings about a NULL security > > > context. I then tracked this down to not having a proper selinux user > > > configuration. > > > > > > Since I was using the default, I expected things would work or at least that > > > there would be *.rpmnew files that acted as a hint that something needed > > > to be looked at. Also, in order to find out what the default was I ended up > > > looking at some other machines that had more recent installs, because there > > > didn't seem to be any obvious place to look on the affected machine for > > > what reasonable default values were. > > > > Can you provide more details, please? > > Here is a sample log messages: > May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing () > > I didn't save the original selinux attached to __default__. It might have been > user_u; it definitely wasn't unconfined_u which is what I got with a fresh > install on another machine. Besides fixing up the login user mapping, I also > fixed up the user mapping to prefix, mls level, range and roles. There were > several new selinux users that weren't in the list I got after the upgrade. > Once I have everything matching that of the fresh install, I stopped seeing > the NULL security context messages. > > I can't say I expected that the upgrade would work without manual intervention > when going from FC5 to F9. But I would have liked to have gotten some hint > that I should look at things. And if I hadn't had another machine with a fresh > install to compare against, having some way to do that on a machine would be > nice. Normally things stick *.rpmnew files in /etc, but I suspect that would > encourange people to copy it over rather than using semanage to update things, > so that may not be a good solution for selinux. Ok, that's a known deficiency of how seusers is managed; it isn't managed by rpm and there isn't a clean split between base policy definitions and user customizations there. The switch to unconfined_u came with the merging of strict and targeted policies into one policy, and that happened in F8. I suspect that there was some hackery in the F8 policy package to allow upgrades from F7 to work, but jumping straight from F5 to F9 wouldn't have done the same. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
