-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Bruno Wolff III wrote:
On Wed, May 07, 2008 at 13:31:38 -0400, Stephen Smalley sds@tycho.nsa.gov wrote:
On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards I eventually noticed that I was getting warnings about a NULL security context. I then tracked this down to not having a proper selinux user configuration.
Since I was using the default, I expected things would work or at least that there would be *.rpmnew files that acted as a hint that something needed to be looked at. Also, in order to find out what the default was I ended up looking at some other machines that had more recent installs, because there didn't seem to be any obvious place to look on the affected machine for what reasonable default values were.
Can you provide more details, please?
Here is a sample log messages: May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
I didn't save the original selinux attached to __default__. It might have been user_u; it definitely wasn't unconfined_u which is what I got with a fresh install on another machine. Besides fixing up the login user mapping, I also fixed up the user mapping to prefix, mls level, range and roles. There were several new selinux users that weren't in the list I got after the upgrade. Once I have everything matching that of the fresh install, I stopped seeing the NULL security context messages.
I can't say I expected that the upgrade would work without manual intervention when going from FC5 to F9. But I would have liked to have gotten some hint that I should look at things. And if I hadn't had another machine with a fresh install to compare against, having some way to do that on a machine would be nice. Normally things stick *.rpmnew files in /etc, but I suspect that would encourange people to copy it over rather than using semanage to update things, so that may not be a good solution for selinux.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I would advise you to do a full relabel. Upgrades are shakey when going from one release to the next, but going from Fedora 5 to Rawhide, is really a major change.
touch /.autorelabel reboot