
Bruno Wolff III 05-07-2008 03:55 PM

selinux config - no warning during upgrades
 
I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
I eventually noticed that I was getting warnings about a NULL security
context. I then tracked this down to not having a proper selinux user
configuration.

Since I was using the default, I expected things would work or at least that
there would be *.rpmnew files that acted as a hint that something needed
to be looked at. Also, in order to find out what the default was I ended up
looking at some other machines that had more recent installs, because there
didn't seem to be any obvious place to look on the affected machine for
what reasonable default values were.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Stephen Smalley 05-07-2008 05:31 PM

selinux config - no warning during upgrades
 
On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
> I eventually noticed that I was getting warnings about a NULL security
> context. I then tracked this down to not having a proper selinux user
> configuration.
>
> Since I was using the default, I expected things would work or at least that
> there would be *.rpmnew files that acted as a hint that something needed
> to be looked at. Also, in order to find out what the default was I ended up
> looking at some other machines that had more recent installs, because there
> didn't seem to be any obvious place to look on the affected machine for
> what reasonable default values were.

Can you provide more details, please?

--
Stephen Smalley
National Security Agency


Bruno Wolff III 05-07-2008 06:47 PM

selinux config - no warning during upgrades
 
On Wed, May 07, 2008 at 13:31:38 -0400,
Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
> > I eventually noticed that I was getting warnings about a NULL security
> > context. I then tracked this down to not having a proper selinux user
> > configuration.
> >
> > Since I was using the default, I expected things would work or at least that
> > there would be *.rpmnew files that acted as a hint that something needed
> > to be looked at. Also, in order to find out what the default was I ended up
> > looking at some other machines that had more recent installs, because there
> > didn't seem to be any obvious place to look on the affected machine for
> > what reasonable default values were.
>
> Can you provide more details, please?

Here is a sample log message:
May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()

I didn't save the original selinux attached to __default__. It might have been
user_u; it definitely wasn't unconfined_u which is what I got with a fresh
install on another machine. Besides fixing up the login user mapping, I also
fixed up the user mapping to prefix, mls level, range and roles. There were
several new selinux users that weren't in the list I got after the upgrade.
Once I had everything matching that of the fresh install, I stopped seeing
the NULL security context messages.

I can't say I expected that the upgrade would work without manual intervention
when going from FC5 to F9. But I would have liked to have gotten some hint
that I should look at things. And if I hadn't had another machine with a fresh
install to compare against, having some way to do that on a machine would be
nice. Normally things stick *.rpmnew files in /etc, but I suspect that would
encourage people to copy it over rather than using semanage to update things,
so that may not be a good solution for selinux.


Daniel J Walsh 05-07-2008 07:36 PM

selinux config - no warning during upgrades
 

Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400,
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
>>> I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
>>> I eventually noticed that I was getting warnings about a NULL security
>>> context. I then tracked this down to not having a proper selinux user
>>> configuration.
>>>
>>> Since I was using the default, I expected things would work or at least that
>>> there would be *.rpmnew files that acted as a hint that something needed
>>> to be looked at. Also, in order to find out what the default was I ended up
>>> looking at some other machines that had more recent installs, because there
>>> didn't seem to be any obvious place to look on the affected machine for
>>> what reasonable default values were.
>> Can you provide more details, please?
>
> Here is a sample log message:
> May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
>
> I didn't save the original selinux attached to __default__. It might have been
> user_u; it definitely wasn't unconfined_u which is what I got with a fresh
> install on another machine. Besides fixing up the login user mapping, I also
> fixed up the user mapping to prefix, mls level, range and roles. There were
> several new selinux users that weren't in the list I got after the upgrade.
> Once I had everything matching that of the fresh install, I stopped seeing
> the NULL security context messages.
>
> I can't say I expected that the upgrade would work without manual intervention
> when going from FC5 to F9. But I would have liked to have gotten some hint
> that I should look at things. And if I hadn't had another machine with a fresh
> install to compare against, having some way to do that on a machine would be
> nice. Normally things stick *.rpmnew files in /etc, but I suspect that would
> encourage people to copy it over rather than using semanage to update things,
> so that may not be a good solution for selinux.
>
I would advise you to do a full relabel. Upgrades are shaky when going
from one release to the next, but going from Fedora 5 to Rawhide is
really a major change.

touch /.autorelabel
reboot



Stephen Smalley 05-07-2008 07:46 PM

selinux config - no warning during upgrades
 
On Wed, 2008-05-07 at 13:47 -0500, Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400,
> Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >
> > On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
> > > I eventually noticed that I was getting warnings about a NULL security
> > > context. I then tracked this down to not having a proper selinux user
> > > configuration.
> > >
> > > Since I was using the default, I expected things would work or at least that
> > > there would be *.rpmnew files that acted as a hint that something needed
> > > to be looked at. Also, in order to find out what the default was I ended up
> > > looking at some other machines that had more recent installs, because there
> > > didn't seem to be any obvious place to look on the affected machine for
> > > what reasonable default values were.
> >
> > Can you provide more details, please?
>
> Here is a sample log message:
> May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
>
> I didn't save the original selinux attached to __default__. It might have been
> user_u; it definitely wasn't unconfined_u which is what I got with a fresh
> install on another machine. Besides fixing up the login user mapping, I also
> fixed up the user mapping to prefix, mls level, range and roles. There were
> several new selinux users that weren't in the list I got after the upgrade.
> Once I had everything matching that of the fresh install, I stopped seeing
> the NULL security context messages.
>
> I can't say I expected that the upgrade would work without manual intervention
> when going from FC5 to F9. But I would have liked to have gotten some hint
> that I should look at things. And if I hadn't had another machine with a fresh
> install to compare against, having some way to do that on a machine would be
> nice. Normally things stick *.rpmnew files in /etc, but I suspect that would
> encourage people to copy it over rather than using semanage to update things,
> so that may not be a good solution for selinux.

Ok, that's a known deficiency of how seusers is managed; it isn't
managed by rpm and there isn't a clean split between base policy
definitions and user customizations there.

The switch to unconfined_u came with the merging of strict and targeted
policies into one policy, and that happened in F8. I suspect that there
was some hackery in the F8 policy package to allow upgrades from F7 to
work, but jumping straight from F5 to F9 wouldn't have done the same.

--
Stephen Smalley
National Security Agency

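Added example, not part of the thread or of any poster's code: the comparison against a fresh install discussed above, written as a shell check over seusers-format data (login:seuser:range). The function names and all sample mappings and user lists are constructed for illustration.

```shell
#!/bin/sh
# Added example. All data is constructed; seusers format: login:seuser[:mls-range]
LOCAL_SEUSERS='# constructed: mappings left behind by a multi-release upgrade
__default__:user_u:s0
root:root:s0-s0:c0.c1023
alice:staff_u:s0'
REF_SEUSERS='# constructed: mappings from a fresh install
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023'
LOCAL_USERS='root system_u user_u'                      # SELinux users defined locally
REF_USERS='root system_u user_u unconfined_u staff_u'   # defined on the fresh install

# Logins mapped to an SELinux user that is not defined. $1=seusers text, $2=user list
undefined_mappings() {
    printf '%s\n' "$1" | awk -F: -v users="$2" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) ok[u[i]] = 1 }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        !($2 in ok) { print $1 " -> " $2 }'
}

# SELinux users in the reference list ($2) that are absent locally ($1).
missing_users() {
    for name in $2; do
        case " $1 " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Logins whose SELinux user differs from the reference. $1=local, $2=reference
mapping_drift() {
    { printf '%s\n' "$2" | sed 's/^/R:/'; printf '%s\n' "$1" | sed 's/^/L:/'; } |
    awk -F: '
        $2 ~ /^[ \t]*(#|$)/ { next }         # skip comments and blank lines
        $1 == "R" { ref[$2] = $3; next }     # remember the reference mapping
        ($2 in ref) && ref[$2] != $3 { print $2 ": " $3 " (reference: " ref[$2] ")" }'
}

echo "Mapped to undefined SELinux users:"; undefined_mappings "$LOCAL_SEUSERS" "$LOCAL_USERS"
echo "SELinux users missing locally:";     missing_users "$LOCAL_USERS" "$REF_USERS"
echo "Login mappings that drifted:";       mapping_drift "$LOCAL_SEUSERS" "$REF_SEUSERS"
```

On a live host the same data would come from `semanage login -l` and `semanage user -l` on each machine, reshaped into the forms used here.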

Bruno Wolff III 05-07-2008 08:08 PM

selinux config - no warning during upgrades
 
On Wed, May 07, 2008 at 15:46:10 -0400,
Stephen Smalley <sds@tycho.nsa.gov> wrote:
>
> Ok, that's a known deficiency of how seusers is managed; it isn't
> managed by rpm and there isn't a clean split between base policy
> definitions and user customizations there.
>
> The switch to unconfined_u came with the merging of strict and targeted
> policies into one policy, and that happened in F8. I suspect that there
> was some hackery in the F8 policy package to allow upgrades from F7 to
> work, but jumping straight from F5 to F9 wouldn't have done the same.

Thanks for the explanation.


Bruno Wolff III 05-07-2008 08:53 PM

selinux config - no warning during upgrades
 
On Wed, May 07, 2008 at 15:36:40 -0400,
Daniel J Walsh <dwalsh@redhat.com> wrote:
> I would advise you to do a full relabel. Upgrades are shaky when going
> from one release to the next, but going from Fedora 5 to Rawhide is
> really a major change.
>
> touch /.autorelabel
> reboot

I was aware of that. Because I have several million (tiny) files on that
box I opted for doing a restorecon instead. The vast majority of the
files are on their own file system and I skipped them when doing the
restorecon. In the long run I want to store that data differently and
will do a full relabel then. I also need to check to see how selinux is
interacting with my qmail setup so I can go back to enforcing mode.
Dealing with the NULL security log messages was the first step in that
process.


