Bug 222669
| Field | Value |
|---|---|
| Summary | Kernel upgrade/selinux-policy upgrade requires reboot->fixfiles relabel->reboot |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Version | 6 |
| Hardware | i386 |
| OS | Linux |
| Reporter | Gwyn Ciesla <gwync> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Ben Levenson <benl> |
| CC | dwalsh |
| Doc Type | Bug Fix |
| Last Closed | 2007-01-15 18:57:02 UTC |

Description
Gwyn Ciesla
2007-01-15 16:45:57 UTC
Do you have the log files? From what you have written, I would have no idea what happened. The only time we usually need to relabel is if you jump major versions of the OS, FC5-FC6 for example.

Which log files would be most helpful? /var/log/messages?

/var/log/audit/audit.log and/or /var/log/messages

Created attachment 145592 [details]
/var/log/audit/audit.log
Created attachment 145593 [details]
/var/log/messages
From the log files it looks like you added a new file system mounted under /var. This was not labeled so it caused all of your problems. file_t indicates that a file system does not have any labeling on it.

So how do I prevent this sort of thing in the future? I assume some relabeling of / occurs with policy changes, but am I to assume that my /var will not be labeled? Is there a place where I can configure this behavior, or am I stuck? I would have expected it to relabel all mounted filesystems in fstab (avoiding cdroms, floppies, usbkeys, etc). I'm lucky to have this server on a networked KVM, but I may not always be so lucky.

It does not relabel on its own (for the most part). / does not get relabeled on change of policy. The rpm tries to figure out what labeling changed between the currently installed policy and the new one. If it finds a change, it relabels only those files/directories. If you add a disk though, you need to label it properly. How this disk got unlabeled I do not know. So now that everything is labeled correctly you should be all set. We have thousands of machines installed with SELinux and this is the first time I have heard of any problems, in a couple of years. I believe a disk/partition got added to this machine and was never labeled.

Even though this disk/partition has been in place since install time, in March of 2005?

All I can say is I have no idea how it happened, and see if it happens again. The only ways that I know of this happening is the addition of a new disk/partition, or booting with selinux=0/disabled. If it happens again, we might have a kernel problem or there could be a disk problem. The xattrs should not disappear from the disk.
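
The diagnosis in this thread rests on spotting `file_t` as the target type in the audit log. The script below is an added example, not part of the bug comments or the attached logs: it counts AVC denials whose target context has type `file_t`, grouped by device, so an unlabeled filesystem stands out. The function name, the device names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials against unlabeled (file_t) objects,
# grouped by the device they were seen on.

# Reads audit.log lines on stdin, prints "<dev> <count>" sorted by device.
file_t_denials() {
    awk '
        /avc:/ && /denied/ {
            dev = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dev=/) { dev = substr($i, 5); gsub(/"/, "", dev) }
                if ($i ~ /^tcontext=/) {
                    # A context is user:role:type[:level]; the type is part 3.
                    split(substr($i, 10), ctx, ":")
                    ttype = ctx[3]
                }
            }
            if (ttype == "file_t" && dev != "") count[dev]++
        }
        END { for (d in count) print d, count[d] }
    ' | sort
}

# Constructed sample input (hypothetical devices, not from the attachments).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1168876800.101:45): avc:  denied  { read } for  pid=2041 comm="syslogd" name="messages" dev=sdb1 ino=12 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1168876800.101:45): arch=40000003 syscall=5 success=no exit=-13 comm="syslogd"
type=AVC msg=audit(1168876801.220:46): avc:  denied  { search } for  pid=2100 comm="crond" name="spool" dev=sdb1 ino=30 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1168876802.330:47): avc:  denied  { write } for  pid=2200 comm="httpd" name="tmp" dev=sda2 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
EOF
}

# Prints "sdb1 2": two denials hit unlabeled objects on sdb1; the tmp_t
# denial on sda2 is an ordinary policy denial and is not counted.
sample_log | file_t_denials
```

On a live system the function would read `/var/log/audit/audit.log` instead of the sample. A device that shows up here maps to a mount point that needs labeling, for example with `fixfiles relabel` as in the bug summary or `restorecon -R` on that mount point.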