Beware today's updates - selinux is changing home user contexts
Rick Stevens
ricks at nerd.com
Mon Mar 2 22:25:58 UTC 2009
Jerry Amundson wrote:
> On Mon, Mar 2, 2009 at 3:25 PM, Mike Cloaked <mike.cloaked at gmail.com> wrote:
>> Joshua Armstrong-2 wrote:
>>> Mike Cloaked wrote:
>>>> I have just updated some f10 boxes a few minutes ago. On logging on again
>>>> after rebooting to the new kernel this evening, the main user directories
>>>> have had their contexts changed to usr_t so I presume some kind of
>>>> relabelling has been done - but not correctly! After restorecon -vR
>>>> /home/user the contexts have mostly reverted to where they should be - I
>>>> initially noticed because ssh suddenly started demanding a passphrase when
>>>> it should not need one - and then I noted avc denials.....
>>>>
>>>> I hope not too many users are going to have their home directories messed up
>>>> as a result! The relevant update is
>>>> selinux-policy-targeted-3.5.13-46.fc10.noarch.rpm
>>>>
>>>> This is not good - especially for a stable release!
>>>>
>>> I second this - I just verified this on my f10 webserver. Thankfully,
>>> all the important files are set to httpd_sys_content_t and in read-only
>>> directories. But it did break being able to read home directories over
>>> CIFS share.
>>>
>>>
>> I guess these lines in the /var/log/messages are relevant:
>> Mar 2 19:49:25 home1 yum: Updated: selinux-policy-3.5.13-46.fc10.noarch
>> Mar 2 19:49:49 home1 dbus: avc: received policyload notice (seqno=2)
>> Mar 2 19:49:49 home1 dbus: avc: received policyload notice (seqno=2)
>>
>> I guess it will be in BZ before too long - and I notice that -47 is in
>> updates testing - hopefully this problem will be fixed before -48 is
>> released!
>
> Works for me. My f10 updates-testing laptop installed
> selinux-policy-targeted-3.5.13-46.fc10.noarch last Thursday, Feb 26. I
> see one "dbus: avc: received policyload notice (seqno=2)" from then,
> but user_home_dir_t is still set as expected.
Have you rebooted since you installed it? I believe the RPM touches
/.autorelabel and that triggers the relabel on a reboot.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- A day for firm decisions!!! Well, then again, maybe not! -
----------------------------------------------------------------------
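
An added example, not part of the original message: a shell check for the two conditions discussed in this thread, home directories whose SELinux type is no longer user_home_dir_t and a pending /.autorelabel flag file. The function names and the sample lines are constructed for illustration; on a live system the input would come from `stat -c '%C %n' /home/*`.

```shell
#!/bin/sh
# Added example: report home directories whose SELinux type differs from
# the expected one, and whether a relabel is scheduled for the next boot.
EXPECTED_TYPE="user_home_dir_t"

# Reads "<user>:<role>:<type>:<level> <path>" lines on stdin and prints
# "<path> <type>" for every entry whose type is not EXPECTED_TYPE.
mislabelled_homes() {
    while read -r context path; do
        [ -n "$context" ] || continue
        # The third colon-separated field of a context is the type.
        type=$(printf '%s\n' "$context" | cut -d: -f3)
        if [ "$type" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$path" "$type"
        fi
    done
}

# Succeeds when the flag file that schedules a full relabel on the next
# boot exists. The optional argument is an alternate root, for testing.
relabel_pending() {
    root="${1:-}"
    [ -e "$root/.autorelabel" ]
}

# Constructed sample input (not taken from the thread): one correctly
# labelled home directory and one carrying the usr_t type reported above.
SAMPLE='unconfined_u:object_r:user_home_dir_t:s0 /home/alice
system_u:object_r:usr_t:s0 /home/bob'

printf '%s\n' "$SAMPLE" | mislabelled_homes

if relabel_pending; then
    echo "/.autorelabel present: a full relabel will run at next boot"
fi
```

Any path this reports can be reset with the `restorecon -vR` command quoted earlier in the thread.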