Bug 449420 - [RHEL5.2][SELinux] AVC denied messages after upgrading from 5.1 to 5.2
Summary: [RHEL5.2][SELinux] AVC denied messages after upgrading from 5.1 to 5.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-02 16:40 UTC by Jeff Burke
Modified: 2009-01-20 21:32 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 21:32:00 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2009:0163 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2009-01-20 16:05:21 UTC

Description Jeff Burke 2008-06-02 16:40:47 UTC
Description of problem:
 Upgrading from Red Hat Enterprise Linux Server release 5.1 to Red Hat
Enterprise Linux Server release 5.2 with SELinux disabled during the upgrade causes
AVC messages when it is set back to enforcing mode.

Version-Release number of selected component (if applicable):
 libselinux-1.33.4-5.el5
 selinux-policy-2.4.6-137.el5

How reproducible:
 Always

Steps to Reproduce:
1. Install a system with 5.1
2. Disable selinux (/etc/sysconfig/selinux, SELINUX=disable)
3. Reboot
4. Add repos for 5.2 yum upgrade
5. Set SELinux back to enforcing mode, Reboot
6. See dmesg for AVC failure
  
Actual results:
audit(1212421548.734:6): avc:  denied  { execute } for  pid=5219
comm="readahead" path="/lib/libext2fs.so.2.4" dev=dm-0 ino=6226130
scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file

Expected results:
 Should work

Additional info:

- fixfiles restore 
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 18 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 19 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 20 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 21 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 23 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 40 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 41 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 42 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 43 has
invalid context root:object_r:user_mozilla_home_t:s0

Comment 1 Daniel Walsh 2008-06-02 17:56:31 UTC
We can fix this with a simple fix to the init scripts?  If QA wants to put it in
Fast Track.

This has ramifications in that a person moving from SELinux Disabled to SELinux
Enabled is going to fail.

Comment 2 Daniel Walsh 2008-06-02 18:04:13 UTC
Adding genhomedircon to init scripts in relabel sequence before fixfiles restore
will fix this problem.


Comment 3 Bill Nottingham 2008-06-02 18:07:15 UTC
What exactly does genhomedircon do (it has no docs) and why is it not part of a
normal relabel?

Comment 5 Daniel Walsh 2008-06-02 18:34:45 UTC
genhomedircon queries the system to see where the homedirs are and then sets up
the file contexts correctly.  In this case selinux policy was updated but
genhomedircon quits because selinux is disabled.  So we could add a
genhomedircon to the init scripts to clean up the error.

The other options involve releasing an updated selinux-policy package, which is
not allowed to be updated until 5.3


Comment 8 Bill Nottingham 2008-06-02 19:06:13 UTC
This is somewhat reasonable kbase fodder, isn't it - it's just a one-time fix
for someone who upgrades in this manner? How common is upgrading with SELinux
off and then turning it back on?

Comment 9 Daniel Walsh 2008-06-02 19:37:58 UTC
Well the problem is we convince someone to turn on SELinux for the first time or
the first time since they were convinced SELinux was broken.  And when they boot
up, it is broken...

So yes run 

- Turn SELinux on
- reboot
- SELinux broken
# genhomedircon
# touch /.autorelabel
# reboot

will clean it up.
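The denial in this report has a target context of file_t, the type an unlabeled file gets when it was created while SELinux was disabled. Denials of that shape point at a missing relabel rather than at a policy gap, which is why the cleanup above (genhomedircon, then an autorelabel) is the right response. The following script is an added example and is not part of the bug report or of the selinux-policy package: it parses AVC lines in the audit(...) format shown in the report and lists the denials whose target type is file_t, so an administrator can tell "needs relabel" apart from "needs a policy fix" before reaching for setroubleshoot or audit2allow. The sample lines are constructed for the example; only the first mirrors the report's denial.

```shell
#!/bin/sh
# Added example, not from the bug report: separate AVC denials whose target
# is an unlabeled file (type file_t) from ordinary policy denials.

# Constructed sample audit lines. The first copies the report's denial; the
# other two are made up to show one policy denial and one more unlabeled file.
SAMPLE_AVC='audit(1212421548.734:6): avc:  denied  { execute } for  pid=5219 comm="readahead" path="/lib/libext2fs.so.2.4" dev=dm-0 ino=6226130 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1212421600.101:7): avc:  denied  { read } for  pid=5301 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=8812 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
audit(1212421601.202:8): avc:  denied  { getattr } for  pid=5302 comm="sshd" path="/usr/lib/libfoo.so" dev=dm-0 ino=8813 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

# unlabeled_targets AVC_TEXT
# Prints "<path> <comm>" for every denial whose tcontext type is file_t.
# The type is the third colon-separated field of the tcontext= value.
unlabeled_targets() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            path = ""; comm = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^path=/)     { path = substr($i, 6); gsub(/"/, "", path) }
                if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            if (ttype == "file_t") print path, comm
        }'
}

# unlabeled_count AVC_TEXT
# Number of unlabeled-target denials; anything above zero means the
# filesystem needs a relabel (genhomedircon, touch /.autorelabel, reboot)
# before any policy change is worth considering.
unlabeled_count() {
    unlabeled_targets "$1" | wc -l | tr -d ' '
}

# Stand-alone usage on the constructed sample. On a real host replace the
# sample with "$(dmesg)" or "$(grep avc /var/log/audit/audit.log)".
unlabeled_targets "$SAMPLE_AVC"
```

Run against the sample it lists two entries, /lib/libext2fs.so.2.4 (readahead) and /usr/lib/libfoo.so (sshd), and skips the httpd denial whose target is user_home_t, which is a policy or labeling decision rather than a missing label.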


Comment 10 RHEL Program Management 2008-06-02 19:55:56 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 11 Daniel Walsh 2008-07-16 18:27:52 UTC
Fixed in selinux-policy-2.4.6-141.el5 

Comment 15 errata-xmlrpc 2009-01-20 21:32:00 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

