Re: Help with messed up F11 SELinux

On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> On Sun, 25 Apr 2010 11:04:31 +0200
> Dominick Grift <domg472@xxxxxxxxx> wrote:
> 
> > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> ...
> > > My logwatch report gives me 20 or 30 lines of :
> > > 
> > > NULL security context for user, but SELinux in permissive mode,
> > > continuing ()
> > > 
> > > in the cron section. Then I looked in /var/log/dmesg and I see this
> > > line:
> > > 
> > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
> > > 
> > > System->Administration->SELinux Management, select SELinux User,
> > > shows 8 SELinux users: 
> ...
> > > 
> > > OK, that looks good but when, as root, I run:
> > > 
> > > # semanage login -l
> > > 
> > > Login Name             SELinux User           MLS/MCS Range
> > > 
> > > __default__            unconfined_u           s0-s0:c0.c1023
> > > root                   unconfined_u           s0-s0:c0.c1023
> > > system_u               system_u               s0-s0:c0.c1023
> > > 
> > > hmmm... only 3 users. Is this a problem or is it telling me that
> > > only 3 SELinux users are currently in use (ie assigned to any Linux
> > > user) because I'm running in permissive mode?
> > 
> > This should not be a problem because new users get mapped under
> > __default__ by default, which is mapped to unconfined_u selinux user.
> > 
> > > 
> > > How can I find out which user has a "NULL security context"?
> > 
> > Good question, my gut feeling tells me it is unconfined_u but I am not
> > sure.
> > 
> > If there is no bug in Fedora 11 selinux policy then you could
> > consider reinstalling the policy. 
> > 
> > The procedure for reinstalling policy is as follows.
> > 
> > 1. setenforce 0 (put selinux in permissive mode)
> > 2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
> > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux policy config)
> > 4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
> > 5. fixfiles restore (restore contexts)
> > 6. reboot
> 
> I tried this procedure and at step 2 I also had to remove
> policycoreutils-gui and setroubleshoot because of dependencies and then
> reinstall them at step 4.
> Step 5 started and bailed out with these errors:
> 
> #  fixfiles restore
> ********************/sbin/setfiles:  unable to stat file /home/steve/.gvfs: Permission denied
> /sbin/setfiles:  error while labeling /:  Permission denied
> /sbin/setfiles:  error while labeling /boot:  Permission denied
> /sbin/setfiles:  error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
> 
> The /media/... is an external USB harddrive that I use for backups.
> 
> Can I ignore these errors or do they need to be resolved?

Looks like a couple of things didn't go the way I expected. I do not understand why policycoreutils or setroubleshoot depends on the policy.

Anyways..

The errors look as if selinux was enforcing or as if you were not running fixfiles restore as root.

Please try to run fixfiles restore as root in permissive mode.

> 
> Thanks,
> Steve


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
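
The reinstall procedure quoted in this thread, as an added shell example that is not part of any poster's message: it includes the two extra packages Steve reported having to remove, and checks the two conditions named in the reply (root, permissive mode) right before `fixfiles restore`. The function names, the `DRY_RUN` variable and the `run` argument are assumptions of this example.

```shell
#!/bin/bash
# Added example: wrapper around the six reinstall steps quoted in the thread.
# preflight, step, reinstall_policy and DRY_RUN are hypothetical names.

DRY_RUN=${DRY_RUN:-1}   # default: print the commands instead of running them

# Succeeds only when a relabel can work: uid 0 and SELinux in permissive mode.
# Arguments: <uid> <output of getenforce>
preflight() {
    if [ "$1" != "0" ]; then
        echo "not root (uid $1)" >&2
        return 1
    fi
    if [ "$2" != "Permissive" ]; then
        echo "SELinux mode is '$2'; run 'setenforce 0' first" >&2
        return 2
    fi
    return 0
}

# Print one step (dry run) or execute it.
step() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

reinstall_policy() {
    # The two policy packages, plus the two that had to be removed with
    # them because of dependencies (as reported in the thread).
    local pkgs="selinux-policy selinux-policy-targeted policycoreutils-gui setroubleshoot"
    step setenforce 0 || return
    step rpm -ev $pkgs || return
    step mv /etc/selinux/targeted /etc/selinux/targeted.backup || return
    step yum install $pkgs || return
    # Re-check immediately before relabeling; skipped in a dry run so the
    # plan can be printed by an unprivileged user.
    if [ "$DRY_RUN" != "1" ]; then
        preflight "$(id -u)" "$(getenforce)" || return
    fi
    step fixfiles restore || return
    step reboot
}

# Inert unless invoked with the argument "run".
if [ "${1:-}" = "run" ]; then reinstall_policy; fi
```

With the default `DRY_RUN=1`, invoking the script with `run` only prints the six commands; setting `DRY_RUN=0` executes them.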
