Red Hat Bugzilla – Full Text Bug Listing
|Summary:||After upgrade from F7->F9, users have user_u instead of unconfined_u (su "missing")|
|Product:||[Fedora] Fedora||Reporter:||Will Woods <wwoods>|
|Component:||selinux-policy||Assignee:||Daniel Walsh <dwalsh>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||rawhide||CC:||jkubin, mschmidt, redhat-bugzilla, splewako|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-04-29 18:30:12 EDT||Type:||---|
Description Will Woods 2008-04-23 13:55:04 EDT
I used preupgrade to upgrade two systems from F7 (with updates) to rawhide. On both systems, my normal user (wwoods) unexpectedly ended up with the user_u SELinux context, rather than unconfined_u. I only noticed it because su appeared to be missing.
Comment 1 Will Woods 2008-04-23 14:31:18 EDT
F7 users (as in RHEL5) have a default context of user_u:system_r:unconfined_t. F8 has unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023. So I guess the problem is that we've redefined the meaning of user_u.
Comment 2 Will Woods 2008-04-23 16:38:11 EDT
A workaround for affected systems:

semanage login -m -s unconfined_u -r SystemLow-SystemHigh __default__

should give users the default SELinux context used for new F9 installs.
Comment 3 Daniel Walsh 2008-04-23 16:41:12 EDT
Yes, we need to convert user_u to unconfined_u. This is a blocker bug. Needs to be fixed. Will, could you verify that selinux-policy-3.3.1-39.fc9 fixes the problem?
Comment 4 Will Woods 2008-04-23 17:38:42 EDT
Does it need to be installed as part of the upgrade from F7? (That is, do I need to wait for it to land in rawhide to test the fix?)
Comment 5 Daniel Walsh 2008-04-24 17:07:47 EDT
You can test it by executing

rm -rf /etc/selinux
rpm -Uhv --oldpackage selinux-policy*f7 /* Whatever F7 policy was*/

Then update to F9 policy and check to see if you log in as unconfined_u

semanage login -l | grep __default__
Comment 6 Will Woods 2008-04-24 19:49:20 EDT
I think the fix is confirmed. I upgraded from F7 to F9 (where my user had user_u). Next I installed the old f7 policy packages and rebooted into rescue mode (to simulate the installer). I then upgraded the system to selinux-policy-3.3.1-40.fc9. It took a *long* time for %post to run, but now everything works fine.
Comment 7 Will Woods 2008-04-29 18:30:12 EDT
Yep, confirmed the fix with an upgrade to today's rawhide.
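
Added example, not part of the bug thread or of selinux-policy: a shell check for the state this bug describes, built on the `semanage login -l` listing used in Comment 5 and the workaround from Comment 2. The two sample listings are constructed, and the `--live` argument is a hypothetical switch of this script.

```shell
#!/bin/sh
# Audit `semanage login -l` output for login mappings left on user_u.

# check_login_map: reads `semanage login -l` output on stdin.
# Prints every login name mapped to user_u. Returns 1 if __default__ is
# among them (the post-upgrade state reported in this bug), 0 otherwise.
check_login_map() {
    awk '
        # Skip blank lines and the "Login Name ..." column header.
        NF < 2 || $1 == "Login" { next }
        $2 == "user_u" {
            print $1
            if ($1 == "__default__") bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: mapping as it would look after the F7 -> F9 upgrade.
SAMPLE_UPGRADED='Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh'

# Constructed sample: mapping after the workaround from Comment 2.
SAMPLE_FIXED='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              SystemLow-SystemHigh
root                      root                      SystemLow-SystemHigh'

# Hypothetical --live switch: run against the real system (needs root).
if [ "${1:-}" = "--live" ]; then
    if ! semanage login -l | check_login_map; then
        echo "__default__ still maps to user_u; workaround from Comment 2:"
        echo "  semanage login -m -s unconfined_u -r SystemLow-SystemHigh __default__"
    fi
fi
```

Without arguments the script only defines the function and samples; pipe either sample into `check_login_map` to see the two outcomes.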