selinux config - no warning during upgrades

Stephen Smalley sds at tycho.nsa.gov
Wed May 7 19:46:10 UTC 2008 

On Wed, 2008-05-07 at 13:47 -0500, Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400,
>   Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > 
> > On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
> > > I eventually noticed that I was getting warnings about a NULL security
> > > context. I then tracked this down to not having a proper selinux user
> > > configuration.
> > > 
> > > Since I was using the default, I expected things would work or at least that
> > > there would be *.rpmnew files that acted as a hint that something needed
> > > to be looked at. Also, in order to find out what the default was I ended up
> > > looking at some other machines that had more recent installs, because there
> > > didn't seem to be any obvious place to look on the affected machine for
> > > what reasonable default values were.
> > 
> > Can you provide more details, please?
> 
> Here is a sample log messages:
> May  4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
> 
> I didn't save the original selinux attached to __default__. It might have been
> user_u; it definitely wasn't unconfined_u which is what I got with a fresh
> install on another machine. Besides fixing up the login user mapping, I also
> fixed up the user mapping to prefix, mls level, range and roles. There were
> several new selinux users that weren't in the list I got after the upgrade.
> Once I have everything matching that of the fresh install, I stopped seeing
> the NULL security context messages.
> 
> I can't say I expected that the upgrade would work without manual intervention
> when going from FC5 to F9. But I would have liked to have gotten some hint
> that I should look at things. And if I hadn't had another machine with a fresh
> install to compare against, having some way to do that on a machine would be
> nice. Normally things stick *.rpmnew files in /etc, but I suspect that would
> encourange people to copy it over rather than using semanage to update things,
> so that may not be a good solution for selinux.

Ok, that's a known deficiency of how seusers is managed; it isn't
managed by rpm and there isn't a clean split between base policy
definitions and user customizations there.

The switch to unconfined_u came with the merging of strict and targeted
policies into one policy, and that happened in F8.  I suspect that there
was some hackery in the F8 policy package to allow upgrades from F7 to
work, but jumping straight from F5 to F9 wouldn't have done the same.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list