Description of problem:

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-311.el5
selinux-policy-targeted-2.4.6-311.el5
selinux-policy-mls-2.4.6-311.el5

How reproducible:
always

Steps to Reproduce:
1. get a fresh RHEL-5.7 machine with targeted policy installed
2. log in via console as root
3. yum -y install selinux-policy\* policycoreutils\*
4. replace "SELINUXTYPE=targeted" with "SELINUXTYPE=mls" in /etc/selinux/config
5. add "single enforcing=0" to /boot/grub/grub.conf
6. touch /.autorelabel
7. reboot
8. wait until the machine boots to single-user mode

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 21
Policy from config file: mls
# matchpathcon /root
/root system_u:object_r:default_t:s0
# restorecon -Rv /root
# ls -dZ /root
drwxr-x--- root root system_u:object_r:default_t:s0 root
#

Actual results:
/root is labelled default_t

Expected results:
/root is labelled sysadm_home_dir_t

Additional information:
The problem is not tied to single-user mode, you can boot directly to runlevel 3 or 5 and you will see the same picture. Everything gets fine as soon as I run "genhomedircon ; restorecon -Rv /root" manually.
I think we have to add this to the docs for MLS. Not sure how we can fix it other than the user running genhomedircon after switching to mls policy. I would state it as

After relabeling run
# genhomedircon
# restorecon -R -v /root /home ANYOTHERHOMEDIRS
Sorry, I meant to shout if I shoutn't...
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Moving to ON_QA. Added an "Enabling MLS in SELinux" which includes an extra step (#6) that was requested to be documented in this bug.
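A check for the symptom reported in this bug, added here as an example and not taken from the bug report or from Red Hat's documentation: it reads `ls -dZ` output and lists every directory whose SELinux type is still default_t, so it can be run after the relabel and again after genhomedircon and restorecon. The function names and the sample listing (including the directory name "admin") are constructed for illustration, and names containing spaces are assumed not to occur.

```shell
#!/bin/sh
# Added example: flag directories still labelled default_t after a policy switch.
# Input is `ls -dZ` output, either in the RHEL 5 layout shown in the report
# (mode, user, group, context, name) or as plain "context name" pairs.

# Print "name type" for every input line whose SELinux type is default_t.
find_default_t() {
    awk '{
        ctx = ""
        # The context is the first field shaped like user:role:type[:level].
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+(:.*)?$/) { ctx = $i; break }
        if (ctx == "") next            # no context on this line, skip it
        split(ctx, part, ":")
        if (part[3] == "default_t") print $NF, part[3]
    }'
}

# Constructed sample: the mislabelled /root from the report next to a
# directory that carries the expected sysadm_home_dir_t type.
sample_listing() {
    cat <<'EOF'
drwxr-x--- root root system_u:object_r:default_t:s0 root
drwxr-x--- root root system_u:object_r:sysadm_home_dir_t:s0 admin
EOF
}

# Live check on an SELinux host: pass the home directories to inspect.
check_homes() {
    ls -dZ "$@" 2>/dev/null | find_default_t
}

# When called with arguments, check those paths; empty output means no
# directory is left with the default_t type.
if [ "$#" -gt 0 ]; then
    check_homes "$@"
fi
```

Invoked as a script with /root and the home directories as arguments, it prints one line per directory that still needs relabelling.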