
Re: selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike Cloaked wrote:
> 
> 
> Daniel J Walsh wrote:
>>
>> This is very strange, I have no idea why SELinux update would do this,
>> and suspect that something else might have gone wrong.  Were there other
>> packages in the update?
>>
>> I will update my F10 and see what is going on.
>>
>> Could be someone is doing a chcon -t usr_t in a post install script?
>>
>> selinux-policy should only be doing the equivalent of a restorecon -vR
>> in its post install.  Actually executes fixfiles
>> "fixfiles -C ${FILE_CONTEXT}.pre restore"
>>
>> Which figures out what was different between the old file context and
>> the new and runs restorecon on them.
>>
>>
> 
> Dan, I had a problem this morning on another machine where there is a bind
> mounted /var/spool/mail directory (restorecon -vR /var/spool/mail seems to
> have fixed it). All the cases where the user contexts had a problem were
> machines with bind-mounted /home areas.  I wonder if this could be the
> common factor?
Yes, if you bind mount a usr_t directory without telling the system about
it, it could cause labeling problems.

For example, if you store your homedirs in /usr/myhome/dwalsh and bind
mount this over /home/dwalsh.  SELinux will label the directory usr_t
since /usr/myhome/dwalsh defaults to a usr_t label.  If you bind mount
it over /home/dwalsh and run restorecon on /home/dwalsh it will label it
properly.  But depending on which directory has restorecon run on it
you can get different results.  Usually we only have small relabels that
happen on policy upgrades, so it probably never hit this directory.  But
this update seems to have triggered a larger relabel something like

restorecon -R -v /usr


So the problem in SELinux is we do not have an easy way to say
/usr/myhome == /home
or /usr/myhome/dwalsh == /home/dwalsh

This is on my todo list.

Sorry about the inconvenience.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmtQc4ACgkQrlYvE4MpobMcKACdGifRevbSSegtASaYvVrPFAVo
nLQAoKzIyjAtMamo8vTBQYOVCcZVrQhZ
=BNxC
-----END PGP SIGNATURE-----
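The labeling flip Dan describes above, modelled as an added Python example (not code from the thread, from Dan, or from the Fedora policy). The file_contexts table is a constructed, simplified subset of a Fedora-style policy; the bind mount /usr/myhome/dwalsh -> /home/dwalsh is the one from his message. It evaluates entries the way libselinux does (the last matching entry wins), shows that the same backing directory gets usr_t when relabeled via /usr and user_home_dir_t when relabeled via /home, and includes a check an admin could run over their own mount list to find bind mounts whose two names resolve to different types.

```python
import re
from typing import Dict, List, Tuple

# Constructed, simplified subset of a Fedora-style file_contexts table:
# (regex matched against the whole path, SELinux type).  As in libselinux,
# the LAST matching entry wins, so the catch-all comes first and the more
# specific entries come later.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"/.*",            "default_t"),
    (r"/usr(/.*)?",     "usr_t"),
    (r"/home",          "home_root_t"),
    (r"/home/[^/]+",    "user_home_dir_t"),
    (r"/home/[^/]+/.+", "user_home_t"),
]

# Bind mounts from the message: (target path users see, backing path on disk).
BIND_MOUNTS: List[Tuple[str, str]] = [("/home/dwalsh", "/usr/myhome/dwalsh")]

# Constructed list of every name under which the directories are visible.
VISIBLE_PATHS = ["/home", "/home/dwalsh", "/usr", "/usr/myhome", "/usr/myhome/dwalsh"]


def resolve_type(path: str, specs=FILE_CONTEXTS) -> str:
    """Type that the file_contexts table assigns to PATH (last match wins)."""
    for regex, setype in reversed(specs):
        if re.fullmatch(regex, path):
            return setype
    raise ValueError(f"no file_contexts entry matches {path}")


def backing_path(path: str, mounts=BIND_MOUNTS) -> str:
    """Map a path under a bind-mount target back to the directory that holds it."""
    for target, source in mounts:
        if path == target or path.startswith(target + "/"):
            return source + path[len(target):]
    return path


def simulate_restorecon(root: str, paths: List[str], labels: Dict[str, str],
                        mounts=BIND_MOUNTS) -> Dict[str, str]:
    """Simulate 'restorecon -R ROOT'.  Each path under ROOT is relabeled by the
    name it is reached through, and the label lands on the backing inode, so a
    bind-mounted directory is rewritten whichever of its names is walked."""
    for p in paths:
        if p == root or p.startswith(root + "/"):
            labels[backing_path(p, mounts)] = resolve_type(p)
    return labels


def bind_mount_label_conflicts(mounts=BIND_MOUNTS) -> List[Tuple[str, str, str, str]]:
    """Defender check: bind mounts whose source and target names map to
    different types.  These are the directories whose label depends on which
    side of the mount the last relabel walked."""
    conflicts = []
    for target, source in mounts:
        t_tgt, t_src = resolve_type(target), resolve_type(source)
        if t_tgt != t_src:
            conflicts.append((target, source, t_tgt, t_src))
    return conflicts


if __name__ == "__main__":
    labels: Dict[str, str] = {}
    simulate_restorecon("/home", VISIBLE_PATHS, labels)
    print("after restorecon -R /home:", labels["/usr/myhome/dwalsh"])  # user_home_dir_t
    simulate_restorecon("/usr", VISIBLE_PATHS, labels)
    print("after restorecon -R /usr: ", labels["/usr/myhome/dwalsh"])  # usr_t
    for target, source, t_tgt, t_src in bind_mount_label_conflicts():
        print(f"conflict: {target} ({t_tgt}) is backed by {source} ({t_src})")
```

The conflict list is the useful output: any bind mount it reports will be relabeled wrongly by a policy upgrade that relabels the backing side, and needs a `restorecon -R` on the target name afterwards, which is what fixed the /var/spool/mail case in the thread. Later policy releases added the equivalence Dan mentions as a todo (`semanage fcontext -a -e /home /usr/myhome`), which is not part of this thread.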

