
Steve Blackwell 04-24-2010 08:56 PM

Help with messed up F11 SELinux
 
I've always had problems with SELinux but I set it to permissive and
moved on. Now I want to see if I can fix it.

My logwatch report gives me 20 or 30 lines of:

NULL security context for user, but SELinux in permissive mode, continuing ()

in the cron section. Then I looked in /var/log/dmesg and I see this
line:

SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats

System->Administration->SELinux Management, select SELinux User, shows
8 SELinux users:
guest_u,
root,
staff_u,
sysadm_u,
system_u,
unconfined_u,
user_u
xguest_u

OK, that looks good but when, as root, I run:

# semanage login -l

Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              s0-s0:c0.c1023
root                      unconfined_u              s0-s0:c0.c1023
system_u                  system_u                  s0-s0:c0.c1023

hmmm... only 3 users. Is this a problem or is it telling me that only 3
SELinux users are currently in use (i.e. assigned to any Linux user)
because I'm running in permissive mode?

How can I find out which user has a "NULL security context"?

Thanks,
Steve
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 04-25-2010 09:04 AM

Help with messed up F11 SELinux
 
On Sat, Apr 24, 2010 at 04:56:00PM -0400, Steve Blackwell wrote:
> hmmm... only 3 users. Is this a problem or is it telling me that only 3
> SELinux users are currently in use (i.e. assigned to any Linux user)
> because I'm running in permissive mode?

This should not be a problem because new users get mapped under __default__ by default, which is mapped to the unconfined_u SELinux user.

>
> How can I find out which user has a "NULL security context"?

Good question, my gut feeling tells me it is unconfined_u but I am not sure.

If there is no bug in Fedora 11 selinux policy then you could consider reinstalling the policy.

The procedure for reinstalling policy is as follows.

1. setenforce 0 (put selinux in permissive mode)
2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux policy config)
4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
5. fixfiles restore (restore contexts)
6. reboot

But try at your own risk.

Also just a file system relabeling *may* fix the issue: fixfiles restore; reboot (but I am not sure there either)

hth


Steve Blackwell 04-25-2010 02:39 PM

Help with messed up F11 SELinux
 
On Sun, 25 Apr 2010 11:04:31 +0200
Dominick Grift <domg472@gmail.com> wrote:

> The procedure for reinstalling policy is as follows.
>
> 1. setenforce 0 (put selinux in permissive mode)
> 2. rpm -ev selinux-policy selinux-policy-targeted (de-install selinux policy)
> 3. mv /etc/selinux/targeted /etc/selinux/targeted.backup (remove -backup- the old selinux policy config)
> 4. yum install selinux-policy selinux-policy-targeted (-re- install fresh selinux policy)
> 5. fixfiles restore (restore contexts)
> 6. reboot

I tried this procedure and at step 2 I also had to remove
policycoreutils-gui and setroubleshoot because of dependencies and then
reinstall them at step 4.
Step 5 started and bailed out with these errors:

# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied

The /media/... is an external USB hard drive that I use for backups.

Can I ignore these errors or do they need to be resolved?

Thanks,
Steve

Dominick Grift 04-25-2010 03:44 PM

Help with messed up F11 SELinux
 
On Sun, Apr 25, 2010 at 10:39:50AM -0400, Steve Blackwell wrote:
> I tried this procedure and at step 2 I also had to remove
> policycoreutils-gui and setroubleshoot because of dependencies and then
> reinstall them at step 4.
> Step 5 started and bailed out with these errors:
>
> # fixfiles restore
> ********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
> /sbin/setfiles: error while labeling /: Permission denied
> /sbin/setfiles: error while labeling /boot: Permission denied
> /sbin/setfiles: error while labeling /media/bbbbbbbb-aaaa-zzzz-yyyy-xxxxxxxx: Permission denied
>
> The /media/... is an external USB hard drive that I use for backups.
>
> Can I ignore these errors or do they need to be resolved?

Looks like a couple of things didn't go the way I expected. I do not understand why policycoreutils or setroubleshoot depends on the policy.

Anyways..

The errors look as if SELinux was enforcing or as if you were not running fixfiles restore as root.

Please try to run fixfiles restore as root in permissive mode.


Steve Blackwell 04-25-2010 04:19 PM

Help with messed up F11 SELinux
 
On Sun, 25 Apr 2010 17:44:00 +0200
Dominick Grift <domg472@gmail.com> wrote:

> Looks like a couple of things didn't go the way I expected. I do not
> understand why policycoreutils or setroubleshoot depends on the
> policy.
>
> Anyways..
>
> The errors look as if SELinux was enforcing or as if you were
> not running fixfiles restore as root.
>
> Please try to run fixfiles restore as root in permissive mode.

The previous attempt was as root and in permissive mode. I tried again:

[root@steve ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[root@steve ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          disabled
Policy version:                 24
Policy from config file:        targeted

[root@steve ~]# fixfiles restore
********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
/sbin/setfiles: error while labeling /: Permission denied
/sbin/setfiles: error while labeling /boot: Permission denied
/sbin/setfiles: error while labeling /media/blah-blah: Permission denied

Thanks,
Steve

Dominick Grift 04-25-2010 06:32 PM

Help with messed up F11 SELinux
 
On Sun, Apr 25, 2010 at 12:19:04PM -0400, Steve Blackwell wrote:
> The previous attempt was as root and in permissive mode. I tried again:
>
> [root@steve ~]# id
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> [root@steve ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          disabled
> Policy version:                 24
> Policy from config file:        targeted
>
> [root@steve ~]# fixfiles restore
> ********************/sbin/setfiles: unable to stat file /home/steve/.gvfs: Permission denied
> /sbin/setfiles: error while labeling /: Permission denied
> /sbin/setfiles: error while labeling /boot: Permission denied
> /sbin/setfiles: error while labeling /media/blah-blah: Permission denied

in /etc/selinux/config set "SELINUX=permissive"

then do: touch /.autorelabel && reboot

once rebooted change SELINUX=permissive back to SELINUX=enforcing
and setenforce 1


Tom London 04-25-2010 06:40 PM

Help with messed up F11 SELinux
 
On Sun, Apr 25, 2010 at 11:32 AM, Dominick Grift <domg472@gmail.com> wrote:
>
> in /etc/selinux/config set "SELINUX=permissive"
>
> then do: touch /.autorelabel && reboot
>
> once rebooted change SELINUX=permissive back to SELINUX=enforcing
> and setenforce 1

Isn't it usually simpler just to add "enforcing=0" to the kernel boot
parameters on the reboot? No fiddling with /etc/selinux/config nor
with 'setenforce'....

tom
--
Tom London

Dominick Grift 04-25-2010 06:49 PM

Help with messed up F11 SELinux
 
On Sun, Apr 25, 2010 at 11:40:34AM -0700, Tom London wrote:
> Isn't it usually simpler just to add "enforcing=0" to the kernel boot
> parameters on the reboot? No fiddling with /etc/selinux/config nor
> with 'setenforce'....

I guess that depends, but either works.

Steve Blackwell 04-25-2010 10:35 PM

Help with messed up F11 SELinux
 
On Sun, 25 Apr 2010 20:32:53 +0200
Dominick Grift <domg472@gmail.com> wrote:


> in /etc/selinux/config set "SELINUX=permissive"
>
> then do: touch /.autorelabel && reboot
>

OK, I did that and I still get these messages in /var/log/dmesg:

SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:fsdaemon_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:auditd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:samba_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:rpcbind_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:dnsmasq_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:ntpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:automount_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:snmp_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:apcupsd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:syslogd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:bluetooth_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:squid_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:soundd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:httpd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:pppd_script_exec_t:s0 is not valid (left unmapped).
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is not valid (left unmapped).


> once rebooted change SELINUX=permissive back to SELINUX=enforcing
> and setenforce 1

I have always been running in permissive mode because of the issues
I've been experiencing but I'll try it and see how it goes.

Thanks,
Steve

Dominick Grift 04-26-2010 07:27 AM

Help with messed up F11 SELinux
 
On Sun, Apr 25, 2010 at 06:35:57PM -0400, Steve Blackwell wrote:
> OK, I did that and I still get these messages in /var/log/dmesg:

If relabeling succeeded, these issues should be fixed now.
You can check by listing: "ls -alZ /etc/rc.d/init.d/mysqld"

If the type returned is mysqld_initrc_exec_t, then it's fixed.
If the type returned is unlabeled_t, then something went wrong.

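The two checks discussed in this thread (which contexts the kernel reported as "not valid (left unmapped)", and whether a file still shows unlabeled_t after the relabel) can be scripted. The following is an added example, not code from any poster in the thread; the function names are hypothetical and the sample log is constructed from lines quoted above, with the mail wrapping left in.

```shell
#!/bin/sh
# Added example: triage helpers for an SELinux relabel, as discussed in the thread.

# Constructed sample: dmesg lines quoted in the thread, still wrapped the way
# the mail client wrapped them, plus one unrelated SELinux line as noise.
SAMPLE_DMESG='SELinux: Context system_u:object_r:mysqld_script_exec_t:s0 is not
valid (left unmapped).
SELinux: Context system_u:object_r:nscd_script_exec_t:s0 is not valid
(left unmapped).
SELinux: 8 users, 12 roles, 2527 types, 119 bools, 1 sens, 1024 cats
SELinux: Context system_u:object_r:NetworkManager_script_exec_t:s0 is
not valid (left unmapped).'

# unmapped_types: read kernel log text on stdin and print the type field of
# every context the loaded policy rejected, sorted and de-duplicated.
# Newlines are folded to spaces first so wrapped messages still match.
unmapped_types() {
    tr '\n' ' ' |
    awk '{
        for (i = 1; i + 5 <= NF; i++)
            if ($i == "Context" && $(i+2) == "is" && $(i+3) == "not" &&
                $(i+4) == "valid" && $(i+5) == "(left") {
                n = split($(i+1), f, ":")   # user:role:type:level
                if (n >= 3) print f[3]
            }
    }' |
    LC_ALL=C sort -u
}

# context_type: print the type (third colon-separated field) of a context.
context_type() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 { print $3 }'
}

# relabel_verdict: classify one context string.
#   unlabeled  - type is unlabeled_t, the "something went wrong" case
#   no-context - no SELinux context available (e.g. stat printed "?")
#   labeled    - any other type
relabel_verdict() {
    case "$(context_type "$1")" in
        unlabeled_t) echo "unlabeled" ;;
        "")          echo "no-context" ;;
        *)           echo "labeled" ;;
    esac
}

# audit_dir: live check. Print every regular file under DIR whose type is
# unlabeled_t. Relies on GNU stat's %C format (SELinux security context).
audit_dir() {
    find "$1" -xdev -type f -exec stat -c '%C %n' {} + 2>/dev/null |
    while read -r ctx path; do
        [ "$(relabel_verdict "$ctx")" = "unlabeled" ] && printf '%s\n' "$path"
    done
    return 0
}

# Demo on the constructed sample: lists the three rejected types.
printf '%s\n' "$SAMPLE_DMESG" | unmapped_types
```

On a live system, `dmesg | unmapped_types` lists the stale types and `audit_dir /etc/rc.d/init.d` lists init scripts that still need relabeling; an empty result from the latter corresponds to the "fixed" case.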
