selinux config - no warning during upgrades
sds at tycho.nsa.gov
Wed May 7 19:46:10 UTC 2008
On Wed, 2008-05-07 at 13:47 -0500, Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400,
> Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards
> > > I eventually noticed that I was getting warnings about a NULL security
> > > context. I then tracked this down to not having a proper selinux user
> > > configuration.
> > >
> > > Since I was using the default, I expected things would work or at least that
> > > there would be *.rpmnew files that acted as a hint that something needed
> > > to be looked at. Also, in order to find out what the default was I ended up
> > > looking at some other machines that had more recent installs, because there
> > > didn't seem to be any obvious place to look on the affected machine for
> > > what reasonable default values were.
> > Can you provide more details, please?
> Here is a sample log messages:
> May 4 05:00:01 wolff crond: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
> I didn't save the original selinux attached to __default__. It might have been
> user_u; it definitely wasn't unconfined_u which is what I got with a fresh
> install on another machine. Besides fixing up the login user mapping, I also
> fixed up the user mapping to prefix, mls level, range and roles. There were
> several new selinux users that weren't in the list I got after the upgrade.
> Once I have everything matching that of the fresh install, I stopped seeing
> the NULL security context messages.
> I can't say I expected that the upgrade would work without manual intervention
> when going from FC5 to F9. But I would have liked to have gotten some hint
> that I should look at things. And if I hadn't had another machine with a fresh
> install to compare against, having some way to do that on a machine would be
> nice. Normally things stick *.rpmnew files in /etc, but I suspect that would
> encourange people to copy it over rather than using semanage to update things,
> so that may not be a good solution for selinux.
Ok, that's a known deficiency of how seusers is managed; it isn't
managed by rpm and there isn't a clean split between base policy
definitions and user customizations there.
The switch to unconfined_u came with the merging of strict and targeted
policies into one policy, and that happened in F8. I suspect that there
was some hackery in the F8 policy package to allow upgrades from F7 to
work, but jumping straight from F5 to F9 wouldn't have done the same.
National Security Agency
More information about the fedora-selinux-list