Beware today's updates - selinux is changing home user contexts

Rick Stevens ricks at nerd.com
Mon Mar 2 22:25:58 UTC 2009


Jerry Amundson wrote:
> On Mon, Mar 2, 2009 at 3:25 PM, Mike Cloaked <mike.cloaked at gmail.com> wrote:
>> Joshua Armstrong-2 wrote:
>>> Mike Cloaked wrote:
>>>> I have just updated some f10 boxes a few minutes ago. On logging on again
>>>> after rebooting to the new kernel this evening, the main user directories
>>>> have had their contexts changed to usr_t so I presume some kind of
>>>> relabelling has been done - but not correctly!  After restorecon -vR
>>>> /home/user the contexts have mostly reverted to where they should be - I
>>>> initially noticed because ssh suddenly started demanding a passphrase when
>>>> it should not need one - and then I noted avc denials.....
>>>>
>>>> I hope not too many users are going to have their home directories messed up
>>>> as a result! The relevant update is
>>>> selinux-policy-targeted-3.5.13-46.fc10.noarch.rpm
>>>>
>>>> This is not good - especially for a stable release!
>>>>
>>> I second this - I just verified this on my f10 webserver. Thankfully,
>>> all the important files are set to httpd_sys_content_t and in read-only
>>> directories. But it did break being able to read home directories over
>>> CIFS share.
>>>
>>>
>> I guess these lines in the /var/log/messages are relevant:
>> Mar  2 19:49:25 home1 yum: Updated: selinux-policy-3.5.13-46.fc10.noarch
>> Mar  2 19:49:49 home1 dbus: avc:  received policyload notice (seqno=2)
>> Mar  2 19:49:49 home1 dbus: avc:  received policyload notice (seqno=2)
>>
>> I guess it will be in BZ before too long - and I notice that -47 is in
>> updates testing - hopefully this problem will be fixed before -48 is
>> released!
> 
> Works for me. My f10 updates-testing laptop installed
> selinux-policy-targeted-3.5.13-46.fc10.noarch last Thursday, Feb 26. I
> see one "dbus: avc:  received policyload notice (seqno=2)" from then,
> but user_home_dir_t is still set as expected.

Have you rebooted since you installed it?  I believe the RPM touches
/.autorelabel and that triggers the relabel on a reboot.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-      A day for firm decisions!!!   Well, then again, maybe not!    -
----------------------------------------------------------------------
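
The check discussed in this thread, as an added example that is not part of any poster's message: a shell helper that reads `ls -dZ` output and lists home directories whose SELinux type is not user_home_dir_t, plus a test for the /.autorelabel flag file mentioned above. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
EXPECTED_TYPE="user_home_dir_t"   # type the thread expects on home directories

# Constructed sample of `ls -dZ /home/*` output, in both the older layout
# (mode owner group context path) and the newer one (context path).
SAMPLE='drwx------. mike mike unconfined_u:object_r:usr_t:s0 /home/mike
drwx------. josh josh unconfined_u:object_r:user_home_dir_t:s0 /home/josh
system_u:object_r:usr_t:s0 /home/shared data'

# Read `ls -dZ` lines on stdin; print "type<TAB>path" for each directory
# whose type differs from EXPECTED_TYPE.
mislabeled_homes() {
    awk -v want="$EXPECTED_TYPE" '
    {
        for (i = 1; i <= NF; i++) {
            # A context field has the form user:role:type[:level]
            n = split($i, c, ":")
            if (n >= 3 && c[2] ~ /_r$/ && c[3] ~ /_t$/) {
                if (c[3] != want) {
                    # Everything after the context is the path (may hold spaces)
                    path = $(i + 1)
                    for (j = i + 2; j <= NF; j++) path = path " " $j
                    print c[3] "\t" path
                }
                next
            }
        }
    }'
}

# True when the relabel flag file exists (default path: /.autorelabel).
relabel_pending() { [ -e "${1:-/.autorelabel}" ]; }

# Demo on the constructed sample; on a live system use:
#   ls -dZ /home/* | mislabeled_homes
printf '%s\n' "$SAMPLE" | mislabeled_homes
if relabel_pending; then echo "relabel flag file present"; fi
```

Directories it reports can be restored with the `restorecon -vR` command quoted earlier in the thread.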



