selinux-policy-targeted

Daniel J Walsh dwalsh at redhat.com
Thu Mar 13 20:34:02 UTC 2008


Michal Schmidt wrote:
> On Thu, 13 Mar 2008 11:46:58 -0600
> "Nathanael D. Noblet" <nathanael at gnat.ca> wrote:
> 
>> Hello,
>>    I have a machine with F8, selinux-policy-targeted 
>> enforcing=permissive. Lots of things I do tend to throw this message 
>> into the console. I've tried auto relabeling, restorecon etc. I've 
>> removed the targeted policy and re-installed it. I searched bugzilla
>> but found no one else with this issue. I'm not sure if it is the
>> policy or just me. In any case I get the following in my console
>> often, and while running many programs such as yum.
>>
>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple
>> different specifications for /opt  (system_u:object_r:home_root_t:s0
>> and system_u:object_r:usr_t:s0).
>>
>> Ideas why that is the case?
> 
> /opt is normally usr_t. I don't know why you have home_root_t there.
> Have you played with semanage(8) ?
> 
> restorecon used the information in /etc/.../file_contexts. Your
> file_contexts apparently contains contradictory declarations for /opt.
> 
> Michal
> 
grep /opt /etc/selinux/targeted/contexts/files/file_contexts

I would guess this is happening for one of two reasons.

One, you have a service account in /etc/passwd or NIS which has a homedir
in /opt.  SELinux has mistakenly seen this as a login account, because
the account has a UID > 500 and a valid shell.  If you change the shell
to /sbin/nologin or /bin/false and run genhomedircon, the duplicate file
context will go away.

The second way this could happen is you or some application/rpm added a
file context via semanage that matches a definition from the base.

You can use semanage fcontext -d FILECONTEXT to remove the file context
mapping.
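Added example, not part of the original message: a shell sketch of the two checks described in the reply, one listing accounts that look like login accounts with a home directory outside /home, the other listing path specifications that carry more than one context. The function names, the UID >= 500 comparison, the shell rule and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# login_home_roots PASSWD_FILE [MIN_UID]
# Lists "user<TAB>parent-of-homedir" for accounts that look like login
# accounts (assumed rule: UID >= MIN_UID, shell neither /sbin/nologin nor
# /bin/false) whose home directory is not directly under /home.
login_home_roots() {
    awk -F: -v min="${2:-500}" '
        $3 >= min && $7 != "/sbin/nologin" && $7 != "/bin/false" {
            root = $6
            sub("/[^/]*$", "", root)        # drop the last path component
            if (root != "" && root != "/home") print $1 "\t" root
        }' "$1"
}

# conflicting_specs FILE...
# Lists "pattern [type]<TAB>contexts" for every path specification that
# appears with more than one distinct context across the given files.
conflicting_specs() {
    awk '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            key = (NF >= 3) ? $1 " " $2 : $1
            if ((key, $NF) in seen) next
            seen[key, $NF] = 1
            list[key] = list[key] (n[key]++ ? " " : "") $NF
        }
        END { for (k in n) if (n[k] > 1) print k "\t" list[k] }' "$@"
}

# make_samples DIR: writes constructed passwd and file-context samples.
make_samples() {
    printf '%s\n' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'appsvc:x:1001:1001::/opt/appsvc:/bin/bash' \
        'batch:x:1002:1002::/opt/batch:/sbin/nologin' > "$1/passwd"
    printf '%s\n' '/opt -d system_u:object_r:usr_t:s0' \
        '/usr(/.*)? system_u:object_r:usr_t:s0' > "$1/base"
    printf '%s\n' '/opt -d system_u:object_r:home_root_t:s0' > "$1/homedirs"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_samples "$d"
    login_home_roots "$d/passwd"
    conflicting_specs "$d/base" "$d/homedirs"
    rm -rf "$d"
fi
```

On a real system the functions would be pointed at /etc/passwd and at the files under /etc/selinux/targeted/contexts/files/ instead of the constructed samples.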