Bug 449420 - [RHEL5.2][SELinux] AVC denied messages after upgrading from 5.1 to 5.2
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All Linux
Priority: low   Severity: high
Target Milestone: rc
Assigned To: Daniel Walsh
Reported: 2008-06-02 12:40 EDT by Jeff Burke
Modified: 2009-01-20 16:32 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:32:00 EST
Description Jeff Burke 2008-06-02 12:40:47 EDT
Description of problem:
 Upgrading from Red Hat Enterprise Linux Server release 5.1 to Red Hat
Enterprise Linux Server release 5.2 with SELinux disabled during the upgrade causes
AVC messages when it is set back to enforcing mode.

Version-Release number of selected component (if applicable):
 libselinux-1.33.4-5.el5
 selinux-policy-2.4.6-137.el5

How reproducible:
 Always

Steps to Reproduce:
1. Install a system with 5.1
2. Disable selinux (/etc/sysconfig/selinux, SELINUX=disable)
3. Reboot
4. Add repos for 5.2 yum upgrade
5. Set SELinux back to enforcing mode, Reboot
6. See dmesg for AVC failure
  
Actual results:
audit(1212421548.734:6): avc:  denied  { execute } for  pid=5219
comm="readahead" path="/lib/libext2fs.so.2.4" dev=dm-0 ino=6226130
scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file

Expected results:
 Should work

Additional info:

- fixfiles restore 
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 18 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 19 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 20 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 21 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 23 has
invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 40 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 41 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 42 has
invalid context root:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 43 has
invalid context root:object_r:user_mozilla_home_t:s0
Comment 1 Daniel Walsh 2008-06-02 13:56:31 EDT
We can fix this with a simple fix to the init scripts?  If QA wants to put it in
Fast Track.

This has ramifications in that a person moving from SELinux Disabled to SELinux
Enabled is going to fail.
Comment 2 Daniel Walsh 2008-06-02 14:04:13 EDT
Adding genhomedircon to init scripts in relabel sequence before fixfiles restore
will fix this problem.
Comment 3 Bill Nottingham 2008-06-02 14:07:15 EDT
What exactly does genhomedircon do (it has no docs) and why is it not part of a
normal relabel?
Comment 5 Daniel Walsh 2008-06-02 14:34:45 EDT
genhomedircon queries the system to see where the homedirs are and then sets up
the file contexts correctly.  In this case the SELinux policy was updated but
genhomedircon quits because SELinux is disabled.  So we could add a
genhomedircon to the init scripts to clean up the error.

The other options involve releasing an updated selinux-policy package, which is
not allowed to be updated until 5.3
Comment 8 Bill Nottingham 2008-06-02 15:06:13 EDT
This is somewhat reasonable kbase fodder, isn't it - it's just a one-time fix
for someone who upgrades in this manner? How common is upgrading with SELinux
off and then turning it back on?
Comment 9 Daniel Walsh 2008-06-02 15:37:58 EDT
Well, the problem is we convince someone to turn on SELinux for the first time, or
for the first time since they were convinced SELinux was broken, and when they boot
up, it is broken...

So yes, running

- Turn SELinux on
- reboot
- SELinux broken
# genhomedircon
# touch /.autorelabel
# reboot

will clean it up.
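The triage step implied by Comment 5 and the recovery sequence in Comment 9, as an added shell example that is not code from the bug report, from Bugzilla or from selinux-policy: it separates AVC denials that a relabel fixes (target still labelled file_t, the type an unlabelled file carries, or unlabeled_t, the type given to a file whose stored label the loaded policy does not know) from denials that would need a policy change, and pulls the rejected types out of the "invalid context" warnings that fixfiles restore printed in the description. The sample lines are constructed from the messages in the report; the httpd line is invented to show a denial whose target is properly labelled.

```shell
#!/bin/sh
# Added example for bug 449420: triage AVC denials and fixfiles warnings after a
# policy upgrade done with SELinux disabled. Not code from the bug report or from
# selinux-policy. The sample input at the bottom is constructed from the report.

# Print "path tclass ttype" for each AVC denial whose target still carries
# file_t (file never labelled under the current policy) or unlabeled_t (label
# on disk unknown to the loaded policy). Those denials are fixed by a relabel,
# not by a policy change; denials against a real type are left out.
avc_unlabeled_targets() {
    grep 'avc: *denied' | while IFS= read -r line; do
        path=$(printf '%s\n' "$line" | sed -n 's/.*path="\([^"]*\)".*/\1/p')
        tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
        ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        case "$ttype" in
            file_t|unlabeled_t) printf '%s %s %s\n' "$path" "$tclass" "$ttype" ;;
        esac
    done
}

# List the distinct types that fixfiles/setfiles rejected as "invalid context".
# A type that file_contexts.homedirs names but the loaded policy lacks means
# genhomedircon has not regenerated that file for the policy now installed.
invalid_context_types() {
    sed -n 's/.*invalid context [^:]*:[^:]*:\([^:]*\):.*/\1/p' | sort -u
}

# Constructed sample input modelled on the messages in the report (the httpd
# denial is invented as a counter-example with a properly labelled target).
SAMPLE_AVC='audit(1212421548.734:6): avc:  denied  { execute } for  pid=5219 comm="readahead" path="/lib/libext2fs.so.2.4" dev=dm-0 ino=6226130 scontext=system_u:system_r:readahead_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1212421549.101:7): avc:  denied  { read } for  pid=5230 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

SAMPLE_FIXFILES='/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 18 has invalid context user_u:object_r:user_mozilla_home_t:s0
/etc/selinux/targeted/contexts/files/file_contexts.homedirs:  line 40 has invalid context root:object_r:user_mozilla_home_t:s0'

# Usage on a real system: dmesg | avc_unlabeled_targets ; fixfiles restore 2>&1 | invalid_context_types
printf '%s\n' "$SAMPLE_AVC" | avc_unlabeled_targets
printf '%s\n' "$SAMPLE_FIXFILES" | invalid_context_types
```

If `invalid_context_types` prints anything, the file_contexts.homedirs on disk was generated for a policy other than the one loaded, and running fixfiles restore again only repeats the warnings: genhomedircon has to run first, which (per Comment 5) it refuses to do while SELinux is disabled, hence the genhomedircon, touch /.autorelabel, reboot sequence above.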
Comment 10 RHEL Product and Program Management 2008-06-02 15:55:56 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 11 Daniel Walsh 2008-07-16 14:27:52 EDT
Fixed in selinux-policy-2.4.6-141.el5 
Comment 15 errata-xmlrpc 2009-01-20 16:32:00 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html