Re: Help with messed up F11 SELinux

On Sun, 25 Apr 2010 17:44:00 +0200
Dominick Grift <domg472@xxxxxxxxx> wrote:

> On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> > On Sun, 25 Apr 2010 11:04:31 +0200
> > Dominick Grift <domg472@xxxxxxxxx> wrote:
> > 
> > > On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> > ...
> > > > My logwatch report gives me 20 or 30 lines of :
> > > > 
> > > > NULL security context for user, but SELinux in permissive mode,
> > > > continuing ()
> > > > 
> > > > in the cron section. Then I looked in /var/log/dmesg and I see
> > > > this line:
> > > > 
> > > > SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024
> > > > cats
> > > > 
> > > > System->Administration->SELinux Management, select SELinux User,
> > > > shows 8 SELinux users: 
> > ...
> > > > 
> > > > OK, that looks good but when, as root, I run:
> > > > 
> > > > # semanage login -l
> > > > 
> > > > Login Name             SELinux User           MLS/MCS Range
> > > > 
> > > > __default__            unconfined_u           s0-s0:c0.c1023
> > > > root                   unconfined_u           s0-s0:c0.c1023
> > > > system_u               system_u               s0-s0:c0.c1023
> > > > 
> > > > hmmm... only 3 users. Is this a problem or is it telling me that
> > > > only 3 SELinux users are currently in use (i.e. assigned to any
> > > > Linux user) because I'm running in permissive mode?
> > > 
> > > This should not be a problem because new users get mapped under
> > > __default__ by default, which is mapped to unconfined_u selinux
> > > user.
> > > 
> > > > 
> > > > How can I find out which user has a "NULL security context"?
> > > 
> > > Good question, my gut feeling tells me it's unconfined_u but I am
> > > not sure.
> > > 
> > > If there is no bug in Fedora 11 selinux policy then you could
> > > consider reinstalling the policy. 
> > > 
> > > The procedure for reinstalling policy is as follows.
> > > 
> > > 1. setenforce 0 (put selinux in permissive mode)
> > > 2. rpm -ev selinux-policy selinux-policy-targeted
> > >    (de-install selinux policy)
> > > 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup
> > >    (remove -backup- the old selinux policy config)
> > > 4. yum install selinux-policy selinux-policy-targeted
> > >    (-re- install fresh selinux policy)
> > > 5. fixfiles restore (restore contexts)
> > > 6. reboot
> > 
> > I tried this procedure and at step 2 I also had to remove
> > policycoreutils-gui and setroubleshoot because of dependencies and
> > then reinstall them at step 4.
> > Step 5 started and bailed out with these errors:
> > 
> > #  fixfiles restore
> > ********************/sbin/setfiles:  unable to stat file /home/steve/.gvfs: Permission denied
> > /sbin/setfiles:  error while labeling /:  Permission denied
> > /sbin/setfiles:  error while labeling /boot:  Permission denied
> > /sbin/setfiles:  error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
> > 
> > The /media/... is an external USB harddrive that I use for backups.
> > 
> > Can I ignore these errors or do they need to be resolved?
> 
> Looks like a couple of things didn't go the way I expected. I do not
> understand why policycoreutils or setroubleshoot depends on the
> policy. 
> 
> Anyways..
> 
> The errors look as if selinux was enforcing or as if you were
> not running fixfiles restore as root.
> 
> Please try to run fixfiles restore as root in permissive mode.

The previous attempt was as root and in permissive mode. I tried again:

[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@steve ~]# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /selinux 
Current mode:                   permissive 
Mode from config file:          disabled 
Policy version:                 24 
Policy from config file:        targeted 

[root@steve ~]# fixfiles restore
********************/sbin/setfiles:  unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles:  error while labeling /:  Permission denied
/sbin/setfiles:  error while labeling /boot:  Permission denied
/sbin/setfiles:  error while labeling /media/blah-blah:  Permission denied

Thanks,
Steve
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
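
Added example, not part of the thread: the fallback Dominick describes, where a login with no row of its own in `semanage login -l` takes the `__default__` mapping, written as a shell lookup over the three rows quoted above. The function names `sample_login_table` and `resolve_selinux_user` are hypothetical and the table is a constructed sample.

```shell
#!/bin/sh
# Constructed sample: the three mappings quoted in the thread, in the
# layout `semanage login -l` prints (header, blank line, one row per login).
sample_login_table() {
cat <<'EOF'

Login Name             SELinux User           MLS/MCS Range

__default__            unconfined_u           s0-s0:c0.c1023
root                   unconfined_u           s0-s0:c0.c1023
system_u               system_u               s0-s0:c0.c1023
EOF
}

# resolve_selinux_user LOGIN   (hypothetical helper, not a policycoreutils tool)
# Reads a login table on stdin and prints:
#   <SELinux user> <MLS/MCS range> <row that matched>
# An exact login row wins; otherwise the __default__ row applies.
# Exit status 1 means neither row exists, so the login has no mapping at all.
# Rows starting with '%' (group mappings) are not evaluated here.
resolve_selinux_user() {
    awk -v login="$1" '
        NF < 3 || ($1 == "Login" && $2 == "Name") { next }  # blank lines, header
        $1 == login         { exact = $2 " " $3 " " $1 }
        $1 == "__default__" { dflt  = $2 " " $3 " " $1 }
        END {
            if (exact != "") { print exact; exit 0 }
            if (dflt  != "") { print dflt;  exit 0 }
            exit 1
        }'
}

# Demonstration on the constructed table. On a live system, as root:
#   semanage login -l | resolve_selinux_user steve
for u in root steve; do
    printf '%s -> %s\n' "$u" "$(sample_login_table | resolve_selinux_user "$u")"
done
```

The third field shows whether the answer came from the login's own row or from `__default__`, which is the distinction the three-row listing leaves implicit.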
