selinux-policy-targeted
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 13 20:34:02 UTC 2008
Michal Schmidt wrote:
> On Thu, 13 Mar 2008 11:46:58 -0600
> "Nathanael D. Noblet" <nathanael at gnat.ca> wrote:
>
>> Hello,
>> I have a machine with F8, selinux-policy-targeted
>> enforcing=permissive. Lots of things I do tend to throw this message
>> into the console. I've tried auto relabeling, restorecon etc. I've
>> removed the targeted policy and re-installed it. I searched bugzilla
>> but found no one else with this issue. I'm not sure if it is the
>> policy or just me. In any case I get the following in my console
>> often, and while running many programs such as yum.
>>
>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple
>> different specifications for /opt (system_u:object_r:home_root_t:s0
>> and system_u:object_r:usr_t:s0).
>>
>> Ideas why that is the case?
>
> /opt is normally usr_t. I don't know why you have home_root_t there.
> Have you played with semanage(8) ?
>
> restorecon used the information in /etc/.../file_contexts. Your
> file_contexts apparently contains contradictory declarations for /opt.
>
> Michal
>
grep /opt /etc/selinux/targeted/contexts/files/file_contexts
I would guess this is happening for one of two reasons.
One, you have a service account in /etc/passwd or NIS which has a homedir
in /opt. SELinux has mistakenly seen this as a login account, because
the account has a UID > 500 and a valid shell. If you change the shell
to /sbin/nologin or /bin/false and run genhomedircon, the duplicate file
context will go away.
The second way this could happen is you or some application/rpm added a
file context via semanage that matches a definition from the base.
You can use semanage fcontext -d FILECONTEXT to remove the file context
mapping.
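A checker for the two causes described in the reply above, added here as an example and not part of the original thread. The function names, the sample passwd and file_contexts text, the inclusive UID threshold of 500 and the use of the home directory's parent as the "home root" are assumptions made for illustration.

```python
import posixpath
from itertools import combinations

# Shells the reply names as marking an account as non-login.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}

# Constructed sample input, not taken from the reporter's machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:501:501:Alice:/home/alice:/bin/bash
appsvc:x:502:502:App service:/opt/appsvc:/bin/sh
daemonx:x:503:503:Daemon:/opt/daemonx:/sbin/nologin
"""
SAMPLE_FILE_CONTEXTS = """\
# constructed entries
/opt -d system_u:object_r:home_root_t:s0
/opt system_u:object_r:usr_t:s0
/opt/.* system_u:object_r:usr_t:s0
/home -d system_u:object_r:home_root_t:s0
"""

def login_like_accounts(passwd_text, min_uid=500, expected_roots=("/home",)):
    """Return (user, home_root) for accounts that look like login accounts
    (UID at or above min_uid, shell not a non-login shell) whose home
    directory sits outside the expected home roots."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment, NIS "+" entry or malformed line
        user, uid, home, shell = fields[0], int(fields[2]), fields[5], fields[6]
        if uid < min_uid or shell in NON_LOGIN_SHELLS:
            continue
        root = posixpath.dirname(home.rstrip("/")) or "/"
        if root not in expected_roots:
            hits.append((user, root))
    return hits

def conflicting_specs(file_contexts_text):
    """Return (regex, context_a, context_b) for entry pairs with the same
    path regex, overlapping file type and different contexts."""
    specs = []
    for line in file_contexts_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and len(parts) in (2, 3):
            ftype = parts[1] if len(parts) == 3 else None  # None matches any type
            specs.append((parts[0], ftype, parts[-1]))
    return [(a[0], a[2], b[2]) for a, b in combinations(specs, 2)
            if a[0] == b[0] and a[2] != b[2] and (None in (a[1], b[1]) or a[1] == b[1])]
```

On a real system the inputs would be the output of getent passwd and the contents of the file_contexts file named in the warning.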