selinux-policy-3.5.13-46.fc10.noarch - slight hiccup!
Rick Stevens
ricks at nerd.com
Mon Mar 2 22:07:07 UTC 2009
Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike Cloaked wrote:
>> I have just updated some f10 boxes a few minutes ago. On logging on again
>> after rebooting to the new kernel this evening, the main user directories
>> have had their contexts changed to usr_t so I presume some kind of
>> relabelling has been done - but not correctly! After restorecon -vR
>> /home/user the contexts have mostly reverted to where they should be - I
>> initially noticed because ssh suddenly started demanding a passphrase when
>> it should not need one - and then I noted avc denials.....
>>
>> This is for selinux-policy-3.5.13-46.fc10.noarch and the related targeted
>> policy.
>>
>> I have tested on several systems and so far all is well after doing
>> restorecon -vR /home
>> as root to fix all user areas in one go. Any one user can fix their own
>> user area by doing restorecon -vR /home/user
>> I presume that this will lose any chcon changes - but any contexts that were
>> saved as a rule using semanage fcontext presumably should be restored -
>> though I have not had time to explore all directories yet.
>>
>> This update was pushed to stable today so presumably it will take a while to
>> sync to all mirrors.
> This is very strange, I have no idea why SELinux update would do this,
> and suspect that something else might have gone wrong. Were there other
> packages in the update?
>
> I will update my F10 and see what is going on.
>
> Could be someone is doing a chcon -t usr_t in a post install script?
>
> selinux-policy should only be doing the equivalent of a restorecon -vR
> in its post install. Actually executes fixfiles
> "fixfiles -C ${FILE_CONTEXT}.pre restore"
>
> Which figures out what was different between the old file context and
> the new and runs restorecon on them.
Yes, but if the new context list contains an incorrect setting (usr_t
instead of user_home_dir_t), then restorecon is going to set the usr_t
context. After all, restorecon doesn't have that stuff compiled in, it
reads it from the control file.

That being said, I've got an "exclude=selinux-policy-targeted*" in my
yum configs until this is fixed.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Time: Nature's way of keeping everything from happening at once. -
----------------------------------------------------------------------
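
The point made in the reply above, that restorecon applies whatever type the file-context list gives, can be checked before relabelling by diffing the old and new lists, which is how `fixfiles -C` chooses what to restore. This is an added example, not part of the original thread or of the selinux-policy package; both listings are constructed, and the `usr_t` entry in the new one is the hypothetical faulty setting.

```python
# Added example: report file-context specs whose SELinux type changed between
# two file_contexts listings. Both listings are constructed samples.
OLD_FC = """\
# constructed pre-update listing
/home/[^/]*        -d   system_u:object_r:user_home_dir_t:s0
/home/[^/]*/.+          system_u:object_r:user_home_t:s0
/usr(/.*)?              system_u:object_r:usr_t:s0
/etc/passwd        --   system_u:object_r:etc_t:s0
"""
NEW_FC = """\
# constructed post-update listing; the first entry is the hypothetical bad one
/home/[^/]*        -d   system_u:object_r:usr_t:s0
/home/[^/]*/.+          system_u:object_r:user_home_t:s0
/usr(/.*)?              system_u:object_r:usr_t:s0
/etc/passwd        --   system_u:object_r:etc_t:s0
"""

def parse_file_contexts(text):
    """Return {(path_regex, file_type): context} for one listing."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) not in (2, 3):
            continue  # blank, comment, or malformed line
        regex, context = fields[0], fields[-1]
        ftype = fields[1] if len(fields) == 3 else ""  # e.g. -d, --; "" = any
        entries[(regex, ftype)] = context
    return entries

def selinux_type(context):
    """Type field of user:role:type[:level]; '<<none>>' is returned unchanged."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def changed_entries(old_text, new_text):
    """List (regex, file_type, old_type, new_type) where the type differs.
    old_type is None for a spec that exists only in the new listing."""
    old, new = parse_file_contexts(old_text), parse_file_contexts(new_text)
    changes = []
    for key, new_ctx in sorted(new.items()):
        old_type = selinux_type(old[key]) if key in old else None
        if old_type != selinux_type(new_ctx):
            changes.append((key[0], key[1], old_type, selinux_type(new_ctx)))
    return changes

if __name__ == "__main__":
    for regex, ftype, was, now in changed_entries(OLD_FC, NEW_FC):
        print(f"{regex} {ftype or '(any)'}: {was} -> {now}")
```

A home-directory spec that moves from `user_home_dir_t` to `usr_t` in this output is the signal to hold the relabel until the listing is corrected.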