Finding unlabeled files? (not selinux-enabled?)

Bob Gustafson bobgus at rcn.com
Sun May 30 20:53:35 UTC 2004


Hmm, what does this mean?

  [root at hoho2 root]# find / -context 'null' -print
  find: Error: invalid predicate -context: the kernel is not selinux-enabled.

[root at hoho2 root]# od -c /selinux/enforce
0000000   0
0000001
[root at hoho2 root]#

The boot param was set to 'selinux=1 enforcing=0' and I have lots of good
looking SELinux lines in the /var/log/messages.1 file:

[root at hoho2 log]# grep SELinux messages.1
...
May 30 00:09:17 hoho2 kernel: SELinux:  Initializing.
May 30 00:09:17 hoho2 kernel: SELinux:  Starting in permissive mode
May 30 00:09:18 hoho2 kernel: SELinux:  Registering netfilter hooks
[root at hoho2 log]# date
Sun May 30 15:46:43 CDT 2004
[root at hoho2 log]# uptime
 15:46:45 up 15:38,  3 users,  load average: 0.00, 0.00, 0.00
[root at hoho2 log]#


[root at hoho2 root]# cat /proc/version
Linux version 2.6.6-1.397smp (bhcompile at tweety.build.redhat.com) (gcc version 3.3.3 20040412 (Red Hat Linux 3.3.3-7)) #1 SMP Fri May 28 11:34:11 EDT 2004
[root at hoho2 root]#

BobG

On Sun, 30 May 2004 11:11:52 -0700, Tom London wrote:
>I used the following to find files that are not labeled:
>
>     find / -context 'null' -print  2>&1 | grep 'No data available'
>
>This prints out error messages of the form:
>    getfilecon(/var/spool/cron/mailman): No data available
>    getfilecon(/var/spool/at/.SEQ): No data available
>    getfilecon(/initrd): No data available
>    getfilecon(/initrd/sys): No data available
>    getfilecon(/initrd/sbin): No data available
>    getfilecon(/initrd/linuxrc): No data available
>etc.
>
>Is there a better/proper way of doing this?  (If not, perhaps I'll write
>one...)
>
>The situation comes up when converting a system to SELinux, or if you
>accidentally boot up an SELinux system in 'disabled' mode.
>
>I understand it's 'safer' to run 'fixfiles relabel', but some vestigial
>unlabeled files seem to remain...
>
>Thanks,
>   tom
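
An added example, not part of the original thread and not code from either poster: one way to list unlabeled files by reading the `security.selinux` extended attribute directly, treating ENODATA (the "No data available" error grepped for above) as unlabeled instead of relying on find's `-context` predicate. The function names and the injectable `getxattr` parameter are assumptions made for illustration.

```python
import errno
import os
import sys

SELINUX_XATTR = "security.selinux"  # xattr in which SELinux stores a file's context


def label_state(path, getxattr=os.getxattr):
    """Return 'labeled', 'unlabeled' or 'unsupported' for one path."""
    try:
        value = getxattr(path, SELINUX_XATTR, follow_symlinks=False)
    except OSError as exc:
        if exc.errno == errno.ENODATA:  # "No data available": no label stored
            return "unlabeled"
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported"  # filesystem has no security xattrs
        raise
    # An empty (or NUL-only) value is as useless as a missing one.
    return "labeled" if value.strip(b"\0") else "unlabeled"


def find_unlabeled(root, getxattr=os.getxattr):
    """Walk root without following symlinks; return sorted unlabeled paths."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    unlabeled = []
    for path in candidates:
        try:
            if label_state(path, getxattr) == "unlabeled":
                unlabeled.append(path)
        except OSError as exc:  # e.g. permission denied, file vanished
            print(f"skip {path}: {exc.strerror}", file=sys.stderr)
    return sorted(unlabeled)


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 find_unlabeled.py /var
    for p in find_unlabeled(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(p)
```

Paths reported as "unsupported" sit on filesystems that cannot store the attribute at all, so they are kept out of the unlabeled list.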


