Description of problem: What's wrong with rpm -e selinux-policy; rpm -Uvh selinux-policy? It is a recipe for disaster!!! Somehow with selinux enforcing I can no longer check filesystems on boot. It happens with both -88.fc6 and -94.fc6. At least -94.fc6 installs cleanly, but I guess -88.fc6 did the damage already. How do I fix it now?
Version-Release number of selected component (if applicable):
How reproducible: 100%, go ahead, try it
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info: I guess I will go ahead and start living without selinux now.
What avc's are you seeing? Have you tried to relabel? No privs should have disappeared in this release.
Ok. I managed to recover after selinux went into relabeling under permissive config. So how do I force relabeling on demand? Here are the avc's from yesterday's log file showing fsck being denied.
audit(1190677392.136:5): avc: denied { read } for pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.136:6): avc: denied { getattr } for pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:7): avc: denied { read } for pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:8): avc: denied { getattr } for pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: EXT3 FS on dm-0, internal journal
Sep 24 19:43:26 somehost kernel: audit(1190677392.939:9): avc: denied { read } for pid=1728 comm="restorecon" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:restorecon_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Looks like the file "config" was created somehow without labeling (file_t). Did you mv this file off of another machine or a device that had no labeling? Did you boot with selinux=0?
Yes. More precisely, I removed (rpm -e) selinux-policy and selinux-policy-targeted, then I removed (rm -rf) /etc/selinux, then I re-installed (rpm -Uvh) selinux-policy and selinux-policy-targeted. Upon reboot I couldn't move past fsck, so I rebooted with selinux=0, then I changed to "permissive", and the next reboot triggered relabeling. Anyhow, it works now with "enforcing". I understand that I created a crazy scenario, but I suspect that rpm -Uvh should permit booting past fsck to relabeling.
Well, the problem here is you have lvm trying to read /etc/selinux/config which is unlabeled and the kernel is in enforcing mode. So lvm is blowing up before relabeling commences.
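The failure mode described in the previous comment (a target labeled file_t, i.e. an unlabeled file, being denied to a boot-time domain while the kernel enforces) can be picked out of a kernel log mechanically. The following Python is an added example, not code from this bug report or from the selinux-policy package; its sample lines are constructed from the records in comment 3, plus one invented httpd line as a non-file_t contrast case.

```python
import re
from collections import defaultdict

# Constructed sample log, adapted from the AVC records quoted in comment 3.
# The httpd line is invented so the filter has a properly-labeled denial to ignore.
SAMPLE_LOG = """\
Sep 24 19:43:26 somehost kernel: audit(1190677392.136:5): avc: denied { read } for pid=1713 comm="dmsetup" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: audit(1190677392.739:7): avc: denied { read } for pid=1722 comm="fsck" name="config" dev=dm-0 ino=2852671 scontext=system_u:system_r:fsadm_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
Sep 24 19:43:26 somehost kernel: EXT3 FS on dm-0, internal journal
Sep 24 19:43:27 somehost kernel: audit(1190677393.100:9): avc: denied { write } for pid=1800 comm="httpd" name="index.html" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in KV_RE.findall(m.group(2)):
        rec[key] = val.strip('"')
    return rec

def selinux_type(context):
    """Extract the type field (third colon-separated component) of an SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def unlabeled_denials(log_text):
    """Denials whose target carries file_t, i.e. a file that was never labeled.

    Such a file stays inaccessible in enforcing mode until it is relabeled
    (restorecon on the path, or a full relabel via /.autorelabel at boot).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and selinux_type(rec.get("tcontext", "")) == "file_t":
            hits.append(rec)
    return hits

def summarize(log_text):
    """Map each unlabeled target name to the sorted source domains denied on it."""
    summary = defaultdict(set)
    for rec in unlabeled_denials(log_text):
        summary[rec["name"]].add(selinux_type(rec["scontext"]))
    return {name: sorted(doms) for name, doms in summary.items()}

if __name__ == "__main__":
    for name, domains in summarize(SAMPLE_LOG).items():
        print(f"unlabeled file {name!r} blocked domains: {', '.join(domains)}")
```

Run against a real /var/log/messages, a non-empty summary before the relabel stage of boot is the signature of exactly the situation in this report.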
selinux-policy-2.6.4-45.fc7 has fixes to allow new version of setroubleshoot to run.