F7: SELinux feature or bug?

Daniel J Walsh dwalsh at redhat.com
Mon Jul 9 11:29:32 UTC 2007


Mikkel L. Ellertson wrote:
> Jeroen Lankheet wrote:
>   
>> Hi all,
>>
>> I think I've been stupid or framed or both. I wanted to samba share a
>> USB disk on a F7 system but got an SELinux message saying that the
>> directory could not be shared, and that there was a command to get it
>> right (=wrong?).
>> So I typed in
>>
>> chcon -t samba_share_t -R /
>>
>> Yes, that's what was in the SELinux message thingie as suggestion. And
>> being a total SELinux nitwit I did what the almighty Linux system advised.
>> So it took a while before getting "operation not permitted" on /dev/....
>> Then I cancelled the operation but the damage has apparently already
>> been done.
>> I retyped the command with the proper directory to share and now the
>> share worked.
>> But when I restarted the system all kinds of services were broken
>> including /dev/eth0.
>> The kernel could not find the eth0 device. The X configuration was gone
>> and all kinds of errors were smashed into my face.
>> So it looks like the SELinux (or me myself?) has scrambled my harddisk.
>> I cannot even login anymore. The system is completely dead.
>> Some 'simple' questions:
>> Why did this go wrong?
>> What actually did go wrong?
>> What to do next? Re-install? That would be a bummer.
>>
>> Thanks for the help.
>>
>> Regards,
>> Jeroen.
>>
>>     
> From man selinux:
>
> The  best  way  to  relabel the file system is to create the flag
> file /.autorelabel and reboot. system-config-securitylevel, also has
> this capability.  The restorecon/fixfiles commands are also available
> for relabeling files.
>
> As root, you will want to run something like: (This will reboot the
> system when you enter the command, so make sure you are ready to
> reboot!):
>
> touch /.autorelabel ; reboot
> or
> touch /.autorelabel ; shutdown -r now
>
> You could also just do the "touch /.autorelabel" and then reboot
> using the GUI option to reboot the system.
>
> Mikkel
>   
This is the safest way to relabel, since no processes are running when this happens.
This causes the init script to run fixfiles relabel before it starts anything.  If
processes are already running, they could be running in the wrong context and
creating files with the wrong context until they are restarted.


As far as setroubleshoot telling you to "chcon -R -t samba_share_t /": this should
be fixed in the latest setroubleshoot, setroubleshoot-1.9.4-2.fc7.

There is a check in there to make sure the suggested path does not match any of the
default paths in the filesystem rpm, including /.

If you have this setroubleshoot package installed then this is a bug.
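As an added illustration of the check described above (example code, not
setroubleshoot's own), the following POSIX shell script refuses to emit or run
"chcon -R -t samba_share_t" on any path owned by the filesystem rpm, and points at
/.autorelabel as the recovery step when it does refuse. The function names are
made up for this example; on a Fedora host the path list is taken from
"rpm -ql filesystem", and the fallback list is an assumed subset so the script also
runs where rpm is not installed.

```shell
#!/bin/sh
# Guard for the setroubleshoot suggestion "chcon -R -t samba_share_t DIR".
# Constructed example (not setroubleshoot's code): refuse to relabel any
# directory that the filesystem package owns, such as / or /usr, because a
# recursive chcon there overwrites the labels every confined service needs.

# Paths owned by the filesystem rpm. On a Fedora host they come from
# `rpm -ql filesystem`; elsewhere an assumed subset is used so the script
# still runs.
default_paths() {
    if command -v rpm >/dev/null 2>&1 && rpm -q filesystem >/dev/null 2>&1; then
        rpm -ql filesystem
    else
        printf '%s\n' / /bin /boot /dev /etc /home /lib /media /mnt /opt \
            /proc /root /sbin /srv /sys /tmp /usr /usr/bin /usr/lib \
            /usr/local /usr/share /var /var/lib /var/log /var/tmp
    fi
}

# Collapse repeated slashes and drop a trailing one, so that "//usr/" is
# compared as "/usr" while "/" itself is left alone.
normalize_path() {
    printf '%s\n' "$1" | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#'
}

# Succeed (exit 0) when $1 names one of the default paths.
is_default_path() {
    target=$(normalize_path "$1")
    default_paths | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#' | grep -Fxq -e "$target"
}

# Print (DRY_RUN=1, the default) or run the chcon for a Samba share, after
# checking that the target is not a default path. Running it needs root and
# an SELinux-enabled kernel; printing it works anywhere.
share_dir() {
    dir=$(normalize_path "$1")
    if is_default_path "$dir"; then
        printf 'refusing: %s is a default path owned by the filesystem package\n' "$dir" >&2
        printf 'if it was already relabeled, recover with: touch /.autorelabel; reboot\n' >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'chcon -R -t samba_share_t %s\n' "$dir"
    else
        chcon -R -t samba_share_t "$dir"
    fi
}

# Usage: sh share_guard.sh /media/usbdisk   (set DRY_RUN=0 to actually relabel)
if [ $# -gt 0 ]; then
    share_dir "$1"
fi
```

The comparison is done on normalized paths so that "//usr/" or "/./" style
spellings cannot slip past the check; a match anywhere in the filesystem
package's list, not just "/", is refused, since "chcon -R" on /usr or /var does
the same kind of damage.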



