Beware today's updates - selinux is changing home user contexts

Daniel J Walsh dwalsh at redhat.com
Tue Mar 3 14:29:29 UTC 2009


Rick Stevens wrote:
> Jerry Amundson wrote:
>> On Mon, Mar 2, 2009 at 3:25 PM, Mike Cloaked <mike.cloaked at gmail.com> wrote:
>>> Joshua Armstrong-2 wrote:
>>>> Mike Cloaked wrote:
>>>>> I have just updated some f10 boxes a few minutes ago. On logging on again
>>>>> after rebooting to the new kernel this evening, the main user directories
>>>>> have had their contexts changed to usr_t so I presume some kind of
>>>>> relabelling has been done - but not correctly!  After restorecon -vR
>>>>> /home/user the contexts have mostly reverted to where they should be - I
>>>>> initially noticed because ssh suddenly started demanding a passphrase when
>>>>> it should not need one - and then I noted avc denials.....
>>>>>
>>>>> I hope not too many users are going to have their home directories messed up
>>>>> as a result! The relevant update is
>>>>> selinux-policy-targeted-3.5.13-46.fc10.noarch.rpm
>>>>>
>>>>> This is not good - especially for a stable release!
>>>>>
>>>> I second this - I just verified this on my f10 webserver. Thankfully,
>>>> all the important files are set to httpd_sys_content_t and in read-only
>>>> directories. But it did break being able to read home directories over
>>>> CIFS share.
>>>>
>>>>
>>> I guess these lines in the /var/log/messages are relevant:
>>> Mar  2 19:49:25 home1 yum: Updated: selinux-policy-3.5.13-46.fc10.noarch
>>> Mar  2 19:49:49 home1 dbus: avc:  received policyload notice (seqno=2)
>>> Mar  2 19:49:49 home1 dbus: avc:  received policyload notice (seqno=2)
>>>
>>> I guess it will be in BZ before too long - and I notice that -47 is in
>>> updates testing - hopefully this problem will be fixed before -48 is
>>> released!
>>
>> Works for me. My f10 updates-testing laptop installed
>> selinux-policy-targeted-3.5.13-46.fc10.noarch last Thursday, Feb 26. I
>> see one "dbus: avc:  received policyload notice (seqno=2)" from then,
>> but user_home_dir_t is still set as expected.
> 
> Have you rebooted since you installed it?  I believe the RPM touches
> /.autorelabel and that triggers the relabel on a reboot.

No, it does not.  Limited relabeling happens in the post install of the
policy package.  Touching /.autorelabel should almost never be required.

> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -      A day for firm decisions!!!   Well, then again, maybe not!    -
> ----------------------------------------------------------------------
> 





More information about the fedora-test-list mailing list