Kernel 2.6.14-1.1653 & selinux 1.27.1.-2.16

Stephen Smalley sds at tycho.nsa.gov
Fri Jan 27 16:51:51 UTC 2006


On Fri, 2006-01-27 at 11:44 -0500, Stephen Smalley wrote:
> On Fri, 2006-01-27 at 17:49 +0200, G Jahchan wrote:
> > ls -Z /sbin/init
> > -rwxr-xr-x  root     root     system_u:object_r:staff_home_t   /sbin/init
> 
> That's your problem - your filesystem is incorrectly labeled.  Don't
> know how your /sbin/init program ended up with the type of a staff home
> directory; it should have init_exec_t.
> 
> /sbin/restorecon -nv /sbin/init

Oops, that should just be:
/sbin/restorecon -v /sbin/init

The -n prevents it from actually relabeling, so -nv is useful when you
want to see what it would do without actually applying the change, but
in this case, we do want to make the change as well as see exactly what
it does (hence -v for verbose).

> If that correctly relabels to init_exec_t, then proceed to do a full
> relabel, i.e. touch /.autorelabel and reboot or pass 'autorelabel' on
> the kernel command line.  Or shut down to single-user and run 'fixfiles
> relabel'.  All variations on the same theme...

Given the extent of labeling errors reported by sestatus, you definitely
want to do a full relabel, after verifying that at least the above
manual restorecon of init is working properly.  If that restorecon
doesn't work properly, then possibly your file_contexts.homedirs is not
being correctly generated by genhomedircon.  You don't happen to have
users with home directories of /sbin and /bin, do you?

-- 
Stephen Smalley
National Security Agency
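
An added example (not part of the original message) covering the two checks discussed above: pulling the SELinux type out of an `ls -Z` line, and listing accounts whose home directory is /bin or /sbin. The function names, the sample passwd entries and the UID cutoff of 500 for regular accounts are assumptions.

```shell
#!/bin/sh
# Added example; sample data is constructed, not from the reporter's system.

sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
opsuser:x:501:501:Ops:/sbin/:/bin/bash
EOF
}

# Print "user uid home" for accounts with UID >= MIN_UID whose home
# directory is /bin or /sbin (trailing slashes ignored).
# The default MIN_UID of 500 is an assumption about where regular
# accounts start; pass 0 to include system accounts as well.
homes_in_system_dirs() {
    passwd_file=$1
    min_uid=${2:-500}
    awk -F: -v min="$min_uid" '
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        {
            home = $6
            sub(/\/+$/, "", home)          # normalise "/sbin/" to "/sbin"
            if ($3 + 0 >= min && (home == "/bin" || home == "/sbin"))
                print $1, $3, home
        }' "$passwd_file"
}

# Extract the type (third field of user:role:type) from one line of
# `ls -Z` output, so it can be compared with the expected init_exec_t.
context_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# Demo on the constructed passwd data and the ls -Z line quoted above.
tmp=$(mktemp)
sample_passwd > "$tmp"
homes_in_system_dirs "$tmp"
context_type '-rwxr-xr-x  root     root     system_u:object_r:staff_home_t   /sbin/init'
rm -f "$tmp"
```

On a live system, point `homes_in_system_dirs` at /etc/passwd and feed `context_type` the output of `ls -Z /sbin/init` before and after running restorecon.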



