Bug 449420

Summary: [RHEL5.2][SELinux] AVC denied messages after upgrading from 5.1 to 5.2
Product: Red Hat Enterprise Linux 5 Reporter: Jeff Burke <jburke>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: low    
Version: 5.4CC: kwirth, mkoci, notting
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 21:32:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jeff Burke 2008-06-02 16:40:47 UTC 
Description of problem:
 Upgrading from Red Hat Enterprise Linux Server release 5.1 to Red Hat
Enterprise Linux Server release 5.2 With selinux disabled during upgrade causes
AVC messages when it is set back to enforcing mode.

Version-Release number of selected component (if applicable):
 libselinux-1.33.4-5.el5
 selinux-policy-2.4.6-137.el5

How reproducible:
 Always

Steps to Reproduce:
1. Install a system with 5.1
2. Disable selinux (/etc/sysconfig/selinux, SELINUX=disable)
3. Reboot
4. Add repos for 5.2 yum upgrade
5. Set SELinux back to enforcing mode, Reboot
6. See dmesg for AVC failure
  
Actual results:
audit(1212421548.734:6): avc:  denied  { execute } for  pid=5219
comm="readahead" path="/lib/libext2fs.so.2.4" dev=dm-0 ino=6226130
scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file

Expected results:
 Should work

Additional info:

- fixfiles restore 
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 18 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 19 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 20 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 21 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 23 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 40 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 41 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 42 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 43 has
invalid context root:object_r:user_mozilla_home_t:s0
Comment 1 Daniel Walsh 2008-06-02 17:56:31 UTC 
We can fix this with a simple fix to the init scripts?  If QA wants to put it in
Fast Track.

This has ramifications in that a person moving from SELinux Disabled to SELinux
ENabled is going to fail
Comment 2 Daniel Walsh 2008-06-02 18:04:13 UTC 
Adding genhomedircon to init scripts in relabel sequence before fixfiles restore
will fix this problem.
Comment 3 Bill Nottingham 2008-06-02 18:07:15 UTC 
What exactly does genhomedircon do (it has no docs) and why is it not part of a
normal relabel?
Comment 5 Daniel Walsh 2008-06-02 18:34:45 UTC 
genhomedircon queries the system to see where the homedirs are and then setup
the file context correctly.  In this case selinux policy was updated but
genhomedircon quits because selinux is disabled.  So we could add a
genhomedircon to the init scripts to clean up the error.

The other options involve releasing an updated selinux-policy package, which is
not allowed to be updated until 5.3
Comment 8 Bill Nottingham 2008-06-02 19:06:13 UTC 
This is somewhat reasonable kbase fodder, isn't it - it's just a one-time fix
for someone who upgrades in this manner? How common is upgrading with SELinux
off and then turning it back on?
Comment 9 Daniel Walsh 2008-06-02 19:37:58 UTC 
Well the problem is we convince someone to turn on SELInux for the first time or
the first time since they were convinced SELinux was broken,  And when they boot
up, it is broken...

So yes run 

- Turn SELinux on
- reboot
- SElinux Broken
# genhomedircon
# touch /.autorelabel
# reboot

will clean it up.
Comment 10 RHEL Program Management 2008-06-02 19:55:56 UTC 
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 11 Daniel Walsh 2008-07-16 18:27:52 UTC 
Fixed in selinux-policy-2.4.6-141.el5
Comment 15 errata-xmlrpc 2009-01-20 21:32:00 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html