audit log for "setenforce" changes?
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 14 19:36:45 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Chuck Anderson wrote:
> On Mon, Jan 14, 2008 at 01:46:17PM -0500, Stephen Smalley wrote:
>> load_policy doesn't touch the enforcing status.
>>
>>> Anyway, you have some serious labeling issue there in /var...
>>>
>>> try restorecon -R /var
>
> The labelling issues I would (perhaps incorrectly) expect from
> running SELinux in permissive mode. I decided to relabel and reboot
> into enforcing mode. What a disaster. The system couldn't boot
> enough to run the "fixfiles restore" from /etc/rc.sysinit, not even in
> single user mode. I had to eventually boot into single user mode with
> the selinux=0 kernel parameter and run "fixfiles restore" manually.
> Then I discovered that somehow a bunch of bogus "unconfined" entries
> had appeared in
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs:
>
> #
> #
> # User-specific file contexts, generated via libsemanage
> # use semanage command to manage system users to change the file_context
> #
> #
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /etc/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /etc/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /etc/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /etc/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /etc/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /etc/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /etc/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /etc/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /etc/lost\+found/.* <<none>>
> /etc -d system_u:object_r:home_root_t:s0
> /etc/\.journal <<none>>
> /etc/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /home/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /home/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /home/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /home/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /home/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /home/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /home/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /home/lost\+found/.* <<none>>
> /home -d system_u:object_r:home_root_t:s0
> /home/\.journal <<none>>
> /home/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /opt/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /opt/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /opt/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /opt/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /opt/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /opt/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /opt/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /opt/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /opt/lost\+found/.* <<none>>
> /opt -d system_u:object_r:home_root_t:s0
> /opt/\.journal <<none>>
> /opt/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /usr/libexec/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /usr/libexec/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /usr/libexec/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /usr/libexec/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /usr/libexec/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /usr/libexec/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /usr/libexec/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /usr/libexec/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /usr/libexec/lost\+found/.* <<none>>
> /usr/libexec -d system_u:object_r:home_root_t:s0
> /usr/libexec/\.journal <<none>>
> /usr/libexec/lost\+found -d system_u:object_r:lost_found_t:s0
>
>
> #
> # Home Context for user unconfined_u
> #
>
> /var/log/[^/]*/.+ unconfined_u:object_r:unconfined_home_t:s0
> /var/log/[^/]*/.gnome2(/.*)? unconfined_u:object_r:unconfined_gnome_home_t:s0
> /var/log/[^/]*/.*/plugins/nprhapengine\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/.*/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/((www)|(web)|(public_html))(/.+)? unconfined_u:object_r:httpd_unconfined_content_t:s0
> /var/log/[^/]*/\.java(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.galeon(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.mozilla(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.phoenix(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/\.netscape(/.*)? unconfined_u:object_r:unconfined_mozilla_home_t:s0
> /var/log/[^/]*/\.gstreamer-.*/[^/]*\.so.* -- unconfined_u:object_r:textrel_shlib_t:s0
> /var/log/[^/]*/\.config/gtk-.* unconfined_u:object_r:unconfined_gnome_home_t:s0
> /var/log/[^/]* -d unconfined_u:object_r:unconfined_home_dir_t:s0
> /var/log/[^/]* -l unconfined_u:object_r:unconfined_home_dir_t:s0
> /var/log/lost\+found/.* <<none>>
> /var/log -d system_u:object_r:home_root_t:s0
> /var/log/\.journal <<none>>
> /var/log/lost\+found -d system_u:object_r:lost_found_t:s0
> /tmp/gconfd-.* -d unconfined_u:object_r:unconfined_tmp_t:s0
>
>
> #
> # Home Context for user root
> #
>
> /root/.+ root:object_r:sysadm_home_t:s0
> /root/.gnome2(/.*)? root:object_r:sysadm_gnome_home_t:s0
> /root/.*/plugins/nprhapengine\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/.*/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_sysadm_content_t:s0
> /root/\.ssh(/.*)? root:object_r:sysadm_home_ssh_t:s0
> /root/\.uml(/.*)? root:object_r:sysadm_uml_rw_t:s0
> /root/\.java(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.xauth.* -- root:object_r:sysadm_xauth_home_t:s0
> /root/\.fonts(/.*)? root:object_r:sysadm_fonts_t:s0
> /root/\.pyzor(/.*)? root:object_r:sysadm_pyzor_home_t:s0
> /root/\.razor(/.*)? root:object_r:sysadm_razor_home_t:s0
> /root/vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
> /root/\.galeon(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.vmware(/.*)? root:object_r:sysadm_vmware_file_t:s0
> /root/\.vmware[^/]*/.*\.cfg -- root:object_r:sysadm_vmware_conf_t:s0
> /root/\.mozilla(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.phoenix(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.mplayer(/.*)? root:object_r:sysadm_mplayer_home_t:s0
> /root/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/\.ethereal(/.*)? root:object_r:sysadm_ethereal_home_t:s0
> /root/\.netscape(/.*)? root:object_r:sysadm_mozilla_home_t:s0
> /root/\.Xauthority.* -- root:object_r:sysadm_xauth_home_t:s0
> /root/\.fonts/auto(/.*)? root:object_r:sysadm_fonts_cache_t:s0
> /root/\.gstreamer-.*/[^/]*\.so.* -- root:object_r:textrel_shlib_t:s0
> /root/\.config/gtk-.* root:object_r:sysadm_gnome_home_t:s0
> /root/\.fonts\.cache-.* -- root:object_r:sysadm_fonts_cache_t:s0
> /root/\.ICEauthority.* -- root:object_r:sysadm_iceauth_home_t:s0
> /root/\.spamassassin(/.*)? root:object_r:sysadm_spamassassin_home_t:s0
> /root -d root:object_r:sysadm_home_dir_t:s0
> /root -l root:object_r:sysadm_home_dir_t:s0
> /root/\.ircmotd -- root:object_r:sysadm_irc_home_t:s0
> /root/\.screenrc -- root:object_r:sysadm_screen_ro_home_t:s0
> /root/\.fonts\.conf -- root:object_r:sysadm_fonts_config_t:s0
> /tmp/gconfd-root -d root:object_r:sysadm_tmp_t:s0
>
>
> I deleted all the sections headed up with "Home Context for user
> unconfined_u" then re-ran "fixfiles restore".
>
> The conclusion I draw is that running SELinux in permissive mode for
> an extended period of time isn't well supported at all, and shouldn't
> be recommended ever. Perhaps more testing should go into running a
> system in permissive mode while yum updates apply selinux packages,
> etc. to find these types of issues.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Do you have user accounts set up in /var/log? /lib/libexec?
If you have system accounts with homedirs and real shells, you can
confuse SELinux. Any system account should have a UID < 500 or a shell
of /bin/false or /sbin/nologin.
You also look like you have the root account set up to login as system_u.
You probably want to execute
semanage login -m -s unconfined_u root
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkeLucwACgkQrlYvE4MpobMbWQCgjv+H0sqo1AwqbozQuXxQ6gfw
WpwAnj7rx4yavBgSPaAIEphpyUiZr/Ud
=QQOb
-----END PGP SIGNATURE-----
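An added example, not part of this thread: a small Python audit that reads passwd(5) data and reports login-capable accounts whose home directory sits under a prefix other than /home. That is the situation behind the quoted file_contexts.homedirs, where "Home Context for user unconfined_u" sections were generated for /etc, /opt, /usr/libexec and /var/log because an account with a home there looked like a real user. The check applies the two rules Dan gives (UID below 500, or a /bin/false or /sbin/nologin shell, marks a system account); the UID threshold, the way the prefix is derived from the home path, and the sample passwd lines are my assumptions, and libsemanage's own generator reads UID_MIN from /etc/login.defs rather than hard-coding 500.

```python
import os
from collections import namedtuple

# Accounts with a UID at or above this value count as ordinary login users.
# 500 is the threshold named in the reply above; libsemanage reads UID_MIN from
# /etc/login.defs, so adjust for the host being audited (assumption).
UID_MIN = 500

# Shells that mark an account as non-interactive (also from the reply).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin"}

PasswdEntry = namedtuple("PasswdEntry", "name uid gid gecos home shell")

# Constructed sample passwd data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
chuck:x:500:500:Chuck:/home/chuck:/bin/bash
logwatch:x:501:501:Logwatch:/var/log/logwatch:/bin/bash
svc1:x:502:502:Service:/opt/svc1:/sbin/nologin
backup:x:503:503:Backup:/etc/backup:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd(5) content into PasswdEntry records, skipping junk lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; the C library would ignore it as well
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def is_login_user(entry, uid_min=UID_MIN):
    """True if the homedir generator would treat this account as a real user.

    Approximation of libsemanage's rules (assumption): root is handled by its
    own 'Home Context for user root' section, system UIDs are skipped, and a
    nologin shell disqualifies the account.
    """
    if entry.uid == 0:
        return False
    return entry.uid >= uid_min and entry.shell not in NOLOGIN_SHELLS


def home_prefix(home):
    """Parent directory of a home directory: /var/log/logwatch -> /var/log."""
    return os.path.dirname(home.rstrip("/")) or "/"


def homedir_prefixes(passwd_text):
    """Every prefix that would receive a generated 'Home Context' block."""
    return {home_prefix(e.home) for e in parse_passwd(passwd_text) if is_login_user(e)}


def audit_home_prefixes(passwd_text, allowed=("/home",)):
    """Map each unexpected home prefix to the accounts responsible for it."""
    offenders = {}
    for e in parse_passwd(passwd_text):
        if not is_login_user(e):
            continue
        prefix = home_prefix(e.home)
        if prefix in allowed:
            continue
        offenders.setdefault(prefix, []).append(e.name)
    return {k: sorted(v) for k, v in offenders.items()}


if __name__ == "__main__":
    # On a live host: audit_home_prefixes(open("/etc/passwd").read())
    for prefix, names in sorted(audit_home_prefixes(SAMPLE_PASSWD).items()):
        print(f"{prefix}: would be labelled as a home tree because of {', '.join(names)}")
```

With the sample data the audit flags /etc (backup) and /var/log (logwatch); svc1 under /opt is ignored because its shell is /sbin/nologin. Fixing a flagged account means giving it a system UID or a nologin shell and then regenerating and restoring contexts, which is the corrective path the reply points at. The separate root problem in the reply (root mapped to system_u) is visible with semanage login -l before applying the semanage login -m -s unconfined_u root command shown above.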