sharing a partition between FC3 and FC5

Stephen Smalley sds at tycho.nsa.gov
Mon Aug 7 15:29:55 UTC 2006


On Mon, 2006-08-07 at 11:15 -0400, D. Hugh Redelmeier wrote:
> Thanks, Paul and Stephen, for your help.
> 
> | From: Stephen Smalley <sds at tycho.nsa.gov>
> 
> | Unfortunately, aside from patching your FC3 kernel and rebuilding it, I
> | think your only option is to disable SELinux for FC3 altogether, i.e.
> | boot it with selinux=0 or set SELINUX=disabled in /etc/selinux/config.  
> 
> Am I correct in my guess that after doing this, the next time FC5 is
> booted, I will have to relabel /home?  What is the right way of doing
> this?  (Of course I could disable SELinux in FC5 too.)

Yes, if you keep them sharing /home.

> Is "fixfiles relabel /home" the best choice?

/sbin/restorecon -R /home should work.

> In my first message, I mentioned that I got the following messages on
> the console:
> 
>     inode_doinit_with_dentry:  context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
>     inode_doinit_with_dentry:  context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
> 
> ==> What does the error message mean?
>     inode 2 is the root of the filesystem.
>     It appears that kernel routine inode_doinit_with_dentry is calling context_to_sid
>     and context_to_sid is returning EINVAL (because the context was invalid).
>     But even knowing that, I don't know what it actually means or is caused by.

Your description is correct; while running FC5, the directory was
labeled with the MLS/MCS field (:s0), and the FC3 kernel doesn't
understand it.  At the time when FC3 was released, the MLS support in
SELinux was a compile-time option only and not enabled.  By FC5, it had
become mainstreamed and turned into a runtime enable based on the policy
loaded at boot time.

-- 
Stephen Smalley
National Security Agency
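
The following is an added example, not part of the original message or of any SELinux tool: a shell sketch that pulls the failed `context_to_sid()` lookups out of kernel log text and flags the contexts that carry the fourth (MLS/MCS) field a non-MLS kernel such as FC3's rejects. The function names and the third sample log line are assumptions made for illustration; the first two sample lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: triage of "inode_doinit_with_dentry" console messages.

# Print "mls" if a context has a fourth (MLS/MCS) field, else "plain".
# A context is user:role:type[:level]; the level may itself contain colons,
# so "more than three fields" is the test, not "exactly four".
context_kind() {
    case "$1" in
        *:*:*:*) echo mls ;;
        *:*:*)   echo plain ;;
        *)       echo malformed ;;
    esac
}

# Read kernel log lines on stdin. For each distinct failed lookup print:
#   dev ino errno kind context
# Repeated messages for the same inode are collapsed by sort -u.
parse_doinit() {
    sed -n 's/.*inode_doinit_with_dentry: *context_to_sid(\(.*\)) returned \([0-9][0-9]*\) for dev=\([^ ]*\) ino=\([0-9][0-9]*\).*/\3 \4 \2 \1/p' |
    sort -u |
    while read -r dev ino err ctx; do
        echo "$dev $ino $err $(context_kind "$ctx") $ctx"
    done
}

# Sample input: lines 1-2 are the messages quoted in the thread,
# line 3 is constructed (hypothetical inode and type).
sample_log() {
    cat <<'EOF'
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
inode_doinit_with_dentry:  context_to_sid(system_u:object_r:home_root_t:s0) returned 22 for dev=hda5 ino=2
inode_doinit_with_dentry:  context_to_sid(user_u:object_r:user_home_dir_t:s0) returned 22 for dev=hda5 ino=12
EOF
}

# In practice the input would be the console or dmesg output instead.
sample_log | parse_doinit
```

Every line reported as `mls` with errno 22 (EINVAL) points at a label written while FC5 was running; after switching back to FC5, `/sbin/restorecon -R /home` as suggested above resets them.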



