On Sun, 25 Apr 2010 17:44:00 +0200
Dominick Grift <domg472@xxxxxxxxx> wrote:

> On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> > On Sun, 25 Apr 2010 11:04:31 +0200
> > Dominick Grift <domg472@xxxxxxxxx> wrote:
> >
> > > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> > ...
> > > > My logwatch report gives me 20 or 30 lines of:
> > > >
> > > > NULL security context for user, but SELinux in permissive mode, continuing ()
> > > >
> > > > in the cron section. Then I looked in /var/log/dmesg and I see
> > > > this line:
> > > >
> > > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
> > > >
> > > > System->Administration->SELinux Management, select SELinux User,
> > > > shows 8 SELinux users:
> > ...
> > > >
> > > > OK, that looks good but when, as root, I run:
> > > >
> > > > # semanage login -l
> > > >
> > > > Login Name       SELinux User     MLS/MCS Range
> > > >
> > > > __default__      unconfined_u     s0-s0:c0.c1023
> > > > root             unconfined_u     s0-s0:c0.c1023
> > > > system_u         system_u         s0-s0:c0.c1023
> > > >
> > > > hmmm... only 3 users. Is this a problem or is it telling me that
> > > > only 3 SELinux users are currently in use (i.e. assigned to any
> > > > Linux user) because I'm running in permissive mode?
> > >
> > > This should not be a problem because new users get mapped under
> > > __default__ by default, which is mapped to the unconfined_u SELinux
> > > user.
> > >
> > > > How can I find out which user has a "NULL security context"?
> > >
> > > Good question, my gut feeling tells me it's unconfined_u but I am
> > > not sure.
> > >
> > > If there is no bug in Fedora 11 selinux policy then you could
> > > consider reinstalling the policy.
> > >
> > > The procedure for reinstalling policy is as follows.
> > >
> > > 1. setenforce 0 (put selinux in permissive mode)
> > > 2. rpm -ev selinux-policy selinux-policy-targeted (de-install
> > >    selinux policy)
> > > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
> > >    (remove -backup- the old selinux policy config)
> > > 4. yum install selinux-policy selinux-policy-targeted
> > >    (-re- install fresh selinux policy)
> > > 5. fixfiles restore (restore contexts)
> > > 6. reboot
> >
> > I tried this procedure and at step 2 I also had to remove
> > policycoreutils-gui and setroubleshoot because of dependencies and
> > then reinstall them at step 4.
> > Step 5 started and bailed out with these errors:
> >
> > # fixfiles restore
> > ********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
> > /sbin/setfiles: error while labeling /: Permission denied
> > /sbin/setfiles: error while labeling /boot: Permission denied
> > /sbin/setfiles: error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
> >
> > The /media/... is an external USB hard drive that I use for backups.
> >
> > Can I ignore these errors or do they need to be resolved?
>
> Looks like a couple of things didn't go the way I expected. I do not
> understand why policycoreutils or setroubleshoot depends on the
> policy.
>
> Anyways..
>
> The errors look as if selinux was enforcing or as if you were
> not running fixfiles restore as root.
>
> Please try to run fixfiles restore as root in permissive mode.

The previous attempt was as root and in permissive mode.
I tried again:

[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@steve ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted
[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied

Thanks,
Steve

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux