Re: selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Daniel J Walsh wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Cloaked wrote:

I have just updated some f10 boxes a few minutes ago. On logging on again
after rebooting to the new kernel this evening, the main user directories
have had their contexts changed to usr_t so I presume some kind of
relabelling has been done - but not correctly!  After restorecon -vR
/home/user the contexts have mostly reverted to where they should be - I
initially noticed because ssh suddenly started demanding a passphrase when
it should not need one - and then I noted avc denials..... 
This is for selinux-policy-3.5.13-46.fc10.noarch and the related targeted
policy. I have tested on several systems and so far all is well after doing restorecon -vR /home 
as root to fix all user areas in one go.  Any one user can fix their own
user area by doing restorecon -vR /home/user I presume that this will lose any chcon changes - but any contexts that were 
saved as a rule using semanage fcontext presumably should be restored -
though I have not had time to explore all directories yet. 
This update was pushed to stable today so presumably it will take a while to
sync to all mirrors.

This is very strange, I have no idea why SELinux update would do this,
and suspect that something else might have gone wrong.  Were there other
packages in the update?

I will update my F10 and see what is going on.

Could be someone is doing a chcon -t usr_t in a post install script?

selinux-policy should only be doing the equivalent of a restorecon -vR
in its post install.  Actually executes fixfiles
"fixfiles -C ${FILE_CONTEXT}.pre restore"

Which figures out what was different between the old file context and
the new and runs restorecon on them.


Yes, but if the new context list contains an incorrect setting (usr_t
instead of user_home_dir_t), then restorecon is going to set the usr_t
context.  After all, restorecon doesn't have that stuff compiled in, it
reads it from the control file.

That being said, I've got an "exclude=selinux-policy-targeted*" in my
yum configs until this is fixed.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-  Time: Nature's way of keeping everything from happening at once.  -
----------------------------------------------------------------------

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux