Bug 239079
Summary: | [LSPP] After running useradd -Z seusers and the policy is labeled incorrectly | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Matt Anderson <mra> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | Severity: | urgent |
Priority: | medium | Version: | 5.0 |
CC: | dwalsh, ebenes, iboverma, krisw, kweidner, linda.knippers, sgrubb | Keywords: | OtherQA |
Hardware: | All | OS: | Linux |
Fixed In Version: | RHBA-2007-0544 | Doc Type: | Bug Fix |
Last Closed: | 2007-11-07 16:39:36 UTC | Bug Blocks: | 224041 |
Description
Matt Anderson
2007-05-04 19:21:11 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Fixed in selinux-policy-2.4.6-69

This bug is not critical as far as LSPP compliance is concerned - the seusers and policy files do not contain any information that specifically needs to be at SystemHigh. As long as the changed level doesn't actually break applications it's not urgent to fix.

The changed level does break applications. Once the files are relabeled SystemHigh subsequent operations on them fail, useradd -Z, semanage, anything else that needs access to that database. This can be worked around by running `fixfiles restore /etc/selinux` after each time the database gets relabeled to the wrong level, but otherwise the second time you run anything it will fail due to the MLS level being incorrect.

What was the policy change? Was it to make seusers SystemLow by default? If the passwd file is SystemLow then it seems seusers could be as well. Any idea why running semanage to update seusers doesn't have the same issue?

Turns out this is a problem with semanage also. When updating the system, semanage will lower the sensitivity of the seusers and policy.21 file. So this is really a libsemanage problem. Reassigning.

We agreed to change the sensitivity level of seusers and policy.21 to SystemLow on the phone. Fixed in selinux-policy-2.4.6-71

A fix for this issue has been included in the packages contained in the beta (RHN channel) or most recent snapshot (partners.redhat.com) for RHEL5.1. Please verify that your issue is fixed. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following:

1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to ASSIGNED.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0544.html
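
The failure discussed in this report can be checked for before the next `useradd -Z` or `semanage` run fails. The following is an added example, not part of the original bug report or of any Red Hat package: it reads `CONTEXT PATH` lines and lists files whose MLS level is not SystemLow. It assumes SystemLow is the raw level `s0`; the function names and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files under the SELinux configuration tree whose
# MLS level is not SystemLow.
# Assumption: SystemLow is raw level "s0"; when label translation is
# active the same level is printed as "SystemLow", so both are accepted.

# ctx_level CONTEXT -> print the level field of user:role:type:level.
# Category sets contain ':' (s15:c0.c1023), so take field 4 onward.
ctx_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# find_mislabeled: read "CONTEXT PATH" lines on stdin (the output format
# of `stat -c '%C %n'`) and print "PATH<TAB>LEVEL" for each file that is
# not at SystemLow.
find_mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        level=$(ctx_level "$ctx")
        case "$level" in
            s0|SystemLow) ;;                       # expected level
            *) printf '%s\t%s\n' "$path" "$level" ;;
        esac
    done
}

# Constructed sample input; paths and types are illustrative only.
sample_contexts() {
    cat <<'EOF'
system_u:object_r:selinux_config_t:s0 /etc/selinux/EXAMPLE/seusers
system_u:object_r:policy_config_t:s15:c0.c1023 /etc/selinux/EXAMPLE/policy/policy.21
system_u:object_r:selinux_config_t:s0 /etc/selinux/config
EOF
}

# Offline demonstration on the constructed sample.
sample_contexts | find_mislabeled

# On an SELinux host the same check would be fed live labels:
#   find /etc/selinux -type f -exec stat -c '%C %n' {} + | find_mislabeled
# Any output means the `fixfiles restore /etc/selinux` workaround from
# the report is needed before the next database update.
```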