Bug 443852 - After upgrade from F7->F9, users have user_u instead of unconfined_u (su "missing")
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: F9Blocker
Reported: 2008-04-23 13:55 EDT by Will Woods
Modified: 2008-04-29 18:30 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-29 18:30:12 EDT
Description Will Woods 2008-04-23 13:55:04 EDT
I used preupgrade to upgrade two systems from F7 (with updates) to rawhide.

On both systems, my normal user (wwoods) unexpectedly ended up with the user_u
SELinux context, rather than unconfined_u. 

I only noticed it because su appeared to be missing.
Comment 1 Will Woods 2008-04-23 14:31:18 EDT
F7 users (as in RHEL5) have a default context of user_u:system_r:unconfined_t.

F8 has unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023.

So I guess the problem is that we've redefined the meaning of user_u.
Comment 2 Will Woods 2008-04-23 16:38:11 EDT
A workaround for affected systems: 

  semanage login -m -s unconfined_u -r SystemLow-SystemHigh __default__

should give users the default SELinux context used for new F9 installs.
Comment 3 Daniel Walsh 2008-04-23 16:41:12 EDT
Yes we need to convert user_u to unconfined_u.  This is a blocker bug.

Needs to be fixed.

Will, could you verify that
selinux-policy-3.3.1-39.fc9 fixes the problem?
Comment 4 Will Woods 2008-04-23 17:38:42 EDT
Does it need to be installed as part of the upgrade from F7? (That is, do I need
to wait for it to land in rawhide to test the fix?)
Comment 5 Daniel Walsh 2008-04-24 17:07:47 EDT
You can test it by executing

  rm -rf /etc/selinux
  rpm -Uhv --oldpackage selinux-policy*f7  # whatever the F7 policy was

Then update to F9 policy and check to see if you log in as unconfined_u

  semanage login -l | grep __default__
Comment 6 Will Woods 2008-04-24 19:49:20 EDT
I think the fix is confirmed.

I upgraded from F7 to F9 (where my user had user_u). Next I installed the old f7
policy packages and rebooted into rescue mode (to simulate the installer). 

I then upgraded the system to selinux-policy-3.3.1-40.fc9. It took a *long* time
for %post to run, but now everything works fine.
Comment 7 Will Woods 2008-04-29 18:30:12 EDT
Yep, confirmed the fix with an upgrade to today's rawhide.
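
The check from comment 5 and the workaround from comment 2, combined into a script. This is an added example, not part of the original bug report; the sample `semanage login -l` output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the SELinux login mapping discussed in this bug.
# Function names are hypothetical; both samples below are constructed.

# Constructed `semanage login -l` output from an affected F7->F9 upgrade.
SAMPLE_AFFECTED='Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh'

# Constructed output after the workaround from comment 2.
SAMPLE_FIXED='Login Name                SELinux User              MLS/MCS Range

__default__               unconfined_u              SystemLow-SystemHigh
root                      root                      SystemLow-SystemHigh
system_u                  system_u                  SystemLow-SystemHigh'

# Print the SELinux user mapped to login $1 (default: __default__),
# reading `semanage login -l` output on stdin. Exit 1 if no such row.
selinux_user_for() {
    awk -v login="${1:-__default__}" '
        $1 == login { print $2; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Classify the __default__ mapping read from stdin.
# Returns 0 = unconfined_u, 1 = user_u (this bug), 2 = missing or other.
check_default_mapping() {
    user=$(selinux_user_for __default__) || {
        echo "review: no __default__ mapping found"; return 2; }
    case "$user" in
        unconfined_u) echo "ok: __default__ -> unconfined_u"; return 0 ;;
        user_u)
            echo "affected: __default__ -> user_u"
            echo "workaround: semanage login -m -s unconfined_u -r SystemLow-SystemHigh __default__"
            return 1 ;;
        *) echo "review: __default__ -> $user"; return 2 ;;
    esac
}

# Demo on the constructed samples; `|| true` keeps the script exit status 0.
printf '%s\n' "$SAMPLE_AFFECTED" | check_default_mapping || true
printf '%s\n' "$SAMPLE_FIXED" | check_default_mapping || true
```

On a live system, run `semanage login -l | check_default_mapping` as root.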