I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards I eventually noticed that I was getting warnings about a NULL security context. I then tracked this down to not having a proper selinux user configuration.
Since I was using the default, I expected things would work or at least that there would be *.rpmnew files that acted as a hint that something needed to be looked at. Also, in order to find out what the default was I ended up looking at some other machines that had more recent installs, because there didn't seem to be any obvious place to look on the affected machine for what reasonable default values were.
On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards I eventually noticed that I was getting warnings about a NULL security context. I then tracked this down to not having a proper selinux user configuration.
> Since I was using the default, I expected things would work or at least that there would be *.rpmnew files that acted as a hint that something needed to be looked at. Also, in order to find out what the default was I ended up looking at some other machines that had more recent installs, because there didn't seem to be any obvious place to look on the affected machine for what reasonable default values were.
Can you provide more details, please?
On Wed, May 07, 2008 at 13:31:38 -0400, Stephen Smalley sds@tycho.nsa.gov wrote:
> On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards I eventually noticed that I was getting warnings about a NULL security context. I then tracked this down to not having a proper selinux user configuration.
> > Since I was using the default, I expected things would work or at least that there would be *.rpmnew files that acted as a hint that something needed to be looked at. Also, in order to find out what the default was I ended up looking at some other machines that had more recent installs, because there didn't seem to be any obvious place to look on the affected machine for what reasonable default values were.
> Can you provide more details, please?
Here is a sample log message:
May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
I didn't save the original selinux attached to __default__. It might have been user_u; it definitely wasn't unconfined_u which is what I got with a fresh install on another machine. Besides fixing up the login user mapping, I also fixed up the user mapping to prefix, mls level, range and roles. There were several new selinux users that weren't in the list I got after the upgrade. Once I had everything matching that of the fresh install, I stopped seeing the NULL security context messages.
I can't say I expected that the upgrade would work without manual intervention when going from FC5 to F9. But I would have liked to have gotten some hint that I should look at things. And if I hadn't had another machine with a fresh install to compare against, having some way to do that on a machine would be nice. Normally things stick *.rpmnew files in /etc, but I suspect that would encourage people to copy it over rather than using semanage to update things, so that may not be a good solution for selinux.
Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400, Stephen Smalley sds@tycho.nsa.gov wrote:
> > On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards I eventually noticed that I was getting warnings about a NULL security context. I then tracked this down to not having a proper selinux user configuration.
> > > Since I was using the default, I expected things would work or at least that there would be *.rpmnew files that acted as a hint that something needed to be looked at. Also, in order to find out what the default was I ended up looking at some other machines that had more recent installs, because there didn't seem to be any obvious place to look on the affected machine for what reasonable default values were.
> > Can you provide more details, please?
> Here is a sample log message:
> May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
> I didn't save the original selinux attached to __default__. It might have been user_u; it definitely wasn't unconfined_u which is what I got with a fresh install on another machine. Besides fixing up the login user mapping, I also fixed up the user mapping to prefix, mls level, range and roles. There were several new selinux users that weren't in the list I got after the upgrade. Once I had everything matching that of the fresh install, I stopped seeing the NULL security context messages.
> I can't say I expected that the upgrade would work without manual intervention when going from FC5 to F9. But I would have liked to have gotten some hint that I should look at things. And if I hadn't had another machine with a fresh install to compare against, having some way to do that on a machine would be nice. Normally things stick *.rpmnew files in /etc, but I suspect that would encourage people to copy it over rather than using semanage to update things, so that may not be a good solution for selinux.
> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I would advise you to do a full relabel. Upgrades are shaky when going from one release to the next, but going from Fedora 5 to Rawhide is really a major change.
touch /.autorelabel
reboot
On Wed, May 07, 2008 at 15:36:40 -0400, Daniel J Walsh dwalsh@redhat.com wrote:
> I would advise you to do a full relabel. Upgrades are shaky when going from one release to the next, but going from Fedora 5 to Rawhide is really a major change.
> touch /.autorelabel
> reboot
I was aware of that. Because I have several million (tiny) files on that box I opted for doing a restorecon instead. The vast majority of the files are on their own file system and I skipped them when doing the restorecon. In the long run I want to store that data differently and will do a full relabel then. I also need to check to see how selinux is interacting with my qmail setup so I can go back to enforcing mode. Dealing with the NULL security log messages was the first step in that process.
On Wed, 2008-05-07 at 13:47 -0500, Bruno Wolff III wrote:
> On Wed, May 07, 2008 at 13:31:38 -0400, Stephen Smalley sds@tycho.nsa.gov wrote:
> > On Wed, 2008-05-07 at 10:55 -0500, Bruno Wolff III wrote:
> > > I recently did a yum upgrade from Fedora Core 5 to Rawhide and afterwards I eventually noticed that I was getting warnings about a NULL security context. I then tracked this down to not having a proper selinux user configuration.
> > > Since I was using the default, I expected things would work or at least that there would be *.rpmnew files that acted as a hint that something needed to be looked at. Also, in order to find out what the default was I ended up looking at some other machines that had more recent installs, because there didn't seem to be any obvious place to look on the affected machine for what reasonable default values were.
> > Can you provide more details, please?
> Here is a sample log message:
> May 4 05:00:01 wolff crond[16709]: (bruno) NULL security context for user, but SELinux in permissive mode, continuing ()
> I didn't save the original selinux attached to __default__. It might have been user_u; it definitely wasn't unconfined_u which is what I got with a fresh install on another machine. Besides fixing up the login user mapping, I also fixed up the user mapping to prefix, mls level, range and roles. There were several new selinux users that weren't in the list I got after the upgrade. Once I had everything matching that of the fresh install, I stopped seeing the NULL security context messages.
> I can't say I expected that the upgrade would work without manual intervention when going from FC5 to F9. But I would have liked to have gotten some hint that I should look at things. And if I hadn't had another machine with a fresh install to compare against, having some way to do that on a machine would be nice. Normally things stick *.rpmnew files in /etc, but I suspect that would encourage people to copy it over rather than using semanage to update things, so that may not be a good solution for selinux.
Ok, that's a known deficiency of how seusers is managed; it isn't managed by rpm and there isn't a clean split between base policy definitions and user customizations there.
The switch to unconfined_u came with the merging of strict and targeted policies into one policy, and that happened in F8. I suspect that there was some hackery in the F8 policy package to allow upgrades from F7 to work, but jumping straight from F5 to F9 wouldn't have done the same.
On Wed, May 07, 2008 at 15:46:10 -0400, Stephen Smalley sds@tycho.nsa.gov wrote:
> Ok, that's a known deficiency of how seusers is managed; it isn't managed by rpm and there isn't a clean split between base policy definitions and user customizations there.
> The switch to unconfined_u came with the merging of strict and targeted policies into one policy, and that happened in F8. I suspect that there was some hackery in the F8 policy package to allow upgrades from F7 to work, but jumping straight from F5 to F9 wouldn't have done the same.
Thanks for the explanation.
selinux@lists.fedoraproject.org
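The comparison against a fresh install that the thread describes, as an added example (not code from the thread or from the SELinux project): it parses two sets of login mappings and lists what differs between the upgraded host and the reference. The `login:seuser[:range]` record layout is an assumption about the seusers format, and all sample values are constructed for illustration.

```python
# Added example: diff SELinux login mappings from an upgraded host against
# a reference taken from a fresh install.
# Assumed record layout: login:seuser[:mls-range]. Sample data is constructed.

def parse_seusers(text):
    """Return {login: (seuser, mls_range)} from seusers-format text."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # skip blank lines
            continue
        # Split at most twice: the MLS range itself contains ':' (s0-s0:c0.c1023).
        fields = line.split(":", 2)
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed seusers line: {raw!r}")
        mls_range = fields[2] if len(fields) == 3 else ""
        mappings[fields[0]] = (fields[1], mls_range)
    return mappings


def diff_mappings(upgraded, reference):
    """Return (login, status, upgraded_value, reference_value), sorted by login."""
    findings = []
    for login in sorted(set(upgraded) | set(reference)):
        have, want = upgraded.get(login), reference.get(login)
        if have == want:
            continue
        if have is None:
            findings.append((login, "missing", None, want))
        elif want is None:
            findings.append((login, "local-only", have, None))
        else:
            findings.append((login, "differs", have, want))
    return findings


# Constructed sample data, not taken from the machines in the thread.
UPGRADED = """\
__default__:user_u:s0
root:root:s0-s0:c0.c1023
alice:user_u:s0
"""
REFERENCE = """\
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
"""

if __name__ == "__main__":
    for login, status, have, want in diff_mappings(
            parse_seusers(UPGRADED), parse_seusers(REFERENCE)):
        print(f"{login:12} {status:10} upgraded={have} reference={want}")
```

A "local-only" entry is a local customization rather than an error; the other findings are candidates for correction with semanage rather than by copying the file over.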