Description of problem:

Trying to figure out why multiple runs of restorecon and fixfiles kept repeating:

restorecon reset /etc/selinux/mls/modules/active/base.pp context user_u:object_r:selinux_config_t:s0->system_u:object_r:semanage_store_t:s0

(For example only - it tossed 334 basically identical complaints.)

Finally tracked it down to genhomedircon as called by fixfiles:

# restorecon -R /etc/selinux
# ls -lZ /etc/selinux/mls/modules/active/base.pp
-rw-------. root root system_u:object_r:semanage_store_t:s0 /etc/selinux/mls/modules/active/base.pp
# /usr/sbin/genhomedircon
# ls -lZ /etc/selinux/mls/modules/active/base.pp
-rw-------. root root user_u:object_r:selinux_config_t:s0 /etc/selinux/mls/modules/active/base.pp

at which point 334 files have had their contexts changed, and fixfiles continues on and flags them all as needing fixing.

Probably needs to add a call to 'restorecon -R /etc/selinux' in the genhomedircon script - that seems to fix the issue here.

Version-Release number of selected component (if applicable):
policycoreutils-2.0.86-7.fc16.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
You are running in permissive mode on a system logged in as user_u and modifying policy; that is why things are getting mislabeled.

You are only supposed to be running semanage on an MLS box as the user sysadm_t. You need to set up your login as staff_t and then newrole to sysadm_t when you run as root. Or set up sudo with TYPE=sysadm_t ROLE=sysadm_r, which will change your staff_t user to a sysadm_t admin.
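
An added example, not part of the original bug thread: a small shell filter that collapses a flood of restorecon "reset" lines, in the format quoted in the report, into one line per context transition, and counts how many resets changed the SELinux user field. The function names and the sample lines (apart from the base.pp line quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input format assumed: "restorecon reset PATH context OLD->NEW",
# as quoted in the report; other restorecon versions may print a different format.

# Group reset lines by "OLD -> NEW" context pair, most frequent first.
summarize_resets() {
    awk '
        $1 == "restorecon" && $2 == "reset" && $(NF-1) == "context" {
            # Only the last two fields are used, so paths with spaces are fine.
            if (split($NF, ctx, "->") != 2) next
            count[ctx[1] " -> " ctx[2]]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }
    ' | sort -rn
}

# Count resets where the SELinux user (first context field) differs, which is
# the signature of files rewritten from a login mapped to the wrong user.
user_changes() {
    awk '
        $1 == "restorecon" && $2 == "reset" && $(NF-1) == "context" {
            if (split($NF, ctx, "->") != 2) next
            split(ctx[1], old, ":"); split(ctx[2], new, ":")
            if (old[1] != new[1]) c++
        }
        END { print c + 0 }
    '
}

# Constructed sample: first line is from the report, the other two are made up.
SAMPLE='restorecon reset /etc/selinux/mls/modules/active/base.pp context user_u:object_r:selinux_config_t:s0->system_u:object_r:semanage_store_t:s0
restorecon reset /etc/selinux/mls/modules/active/commit_num context user_u:object_r:selinux_config_t:s0->system_u:object_r:semanage_store_t:s0
restorecon reset /etc/selinux/mls/contexts/files/file_contexts.homedirs context user_u:object_r:selinux_config_t:s0->system_u:object_r:file_context_t:s0'

printf '%s\n' "$SAMPLE" | summarize_resets
printf 'resets with a changed SELinux user: %s\n' \
    "$(printf '%s\n' "$SAMPLE" | user_changes)"
```

On a live system the same functions can be fed from `restorecon -n -v -R /etc/selinux`, which reports what would be relabeled without changing anything.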