Bug 443852

Summary: After upgrade from F7->F9, users have user_u instead of unconfined_u (su "missing")
Product: [Fedora] Fedora Reporter: Will Woods <wwoods>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: jkubin, mschmidt, redhat-bugzilla, splewako
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-29 18:30:12 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 235706    

Description Will Woods 2008-04-23 13:55:04 EDT
I used preupgrade to upgrade two systems from F7 (with updates) to rawhide.

On both systems, my normal user (wwoods) unexpectedly ended up with the user_u
SELinux context, rather than unconfined_u. 

I only noticed it because su appeared to be missing.
Comment 1 Will Woods 2008-04-23 14:31:18 EDT
F7 users (as in RHEL5) have a default context of user_u:system_r:unconfined_t.

F8 has unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023.

So I guess the problem is that we've redefined the meaning of user_u.
Comment 2 Will Woods 2008-04-23 16:38:11 EDT
A workaround for affected systems: 

  semanage login -m -s unconfined_u -r SystemLow-SystemHigh __default__

should give users the default SELinux context used for new F9 installs.
Comment 3 Daniel Walsh 2008-04-23 16:41:12 EDT
Yes we need to convert user_u to unconfined_u.  This is a blocker bug.

Needs to be fixed.

Will could you verify that
selinux-policy-3.3.1-39.fc9 fixes the problem.
Comment 4 Will Woods 2008-04-23 17:38:42 EDT
Does it need to be installed as part of the upgrade from F7? (That is, do I need
to wait for it to land in rawhide to test the fix?)
Comment 5 Daniel Walsh 2008-04-24 17:07:47 EDT
You can test it by executing 

rm -rf /etc/selinux
rpm -Uhv --oldpackage selinux-policy*f7  /* Whatever F7 policy was*/

Then update to F9 policy and check to see if you login in as unconfined_u

semanage login -l | grep __default__
Comment 6 Will Woods 2008-04-24 19:49:20 EDT
I think the fix is confirmed.

I upgraded from F7 to F9 (where my user had user_u). Next I installed the old f7
policy packages and rebooted into rescue mode (to simulate the installer). 

I then upgraded the system to selinux-policy-3.3.1-40.fc9. It took a *long* time
for %post to run, but now everything works fine.
Comment 7 Will Woods 2008-04-29 18:30:12 EDT
Yep, confirmed the fix with an upgrade to today's rawhide.