Just got burnt by this one this morning.
If you are upgrading from 6.3 to 6.4 and you use shorewall, you will want to run
restorecon -Rv /sbin
before rebooting. Original solution from:
http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg14885.h...
Cheers,
kal
On 03/12/2013 04:07 PM, Kahlil Hodgson wrote:
If you are upgrading from 6.3 to 6.4 and you use shorewall, you will want to run
restorecon -Rv /sbin
That's odd. Part of the selinux postinstall script involves running "fixfiles" on any files whose context has changed. I confirmed that the iptables contexts changed when I ran restorecon on one system, but I can't understand why they weren't fixed by the postinstall script.
On 14/03/13 06:23, Gordon Messmer wrote:
On 03/12/2013 04:07 PM, Kahlil Hodgson wrote:
If you are upgrading from 6.3 to 6.4 and you use shorewall, you will want to run
restorecon -Rv /sbin
That's odd. Part of the selinux postinstall script involves running "fixfiles" on any files whose context has changed. I confirmed that the iptables contexts changed when I ran restorecon on one system, but I can't understand why they weren't fixed by the postinstall script.
My thoughts exactly. Just double-checked the postinstall script and can't see any obvious bugs. Hmmm ...
If I compare the old and new file_context files ...
rizo:~ diff file_contexts.new file_contexts.old | grep ip6?tables-multi
/sbin/ip6?tables-multi -- system_u:object_r:iptables_exec_t:s0
< /sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0
so the postinstall script runs (essentially)
fixfiles -C file_contexts.old restore
which tries to fix the context for a /sbin/ip6?tables-multi which does not exist on the updated system (which now uses alternatives trickery to version these).
K
On 03/14/2013 01:03 AM, Kahlil Hodgson wrote:
On 14/03/13 06:23, Gordon Messmer wrote:
On 03/12/2013 04:07 PM, Kahlil Hodgson wrote:
If you are upgrading from 6.3 to 6.4 and you use shorewall, you will want to run
restorecon -Rv /sbin
That's odd. Part of the selinux postinstall script involves running "fixfiles" on any files whose context has changed. I confirmed that the iptables contexts changed when I ran restorecon on one system, but I can't understand why they weren't fixed by the postinstall script.
My thoughts exactly. Just double-checked the postinstall script and can't see any obvious bugs. Hmmm ...
If I compare the old and new file_context files ...
rizo:~ diff file_contexts.new file_contexts.old | grep ip6?tables-multi
/sbin/ip6?tables-multi -- system_u:object_r:iptables_exec_t:s0
< /sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0
so the postinstall script runs (essentially)
fixfiles -C file_contexts.old restore
which tries to fix the context for a /sbin/ip6?tables-multi which does not exist on the updated system (which now uses alternatives trickery to version these).
K
There is a bug in the fixfiles script which was being triggered by the weird regex, so the change was not being caught.
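The pattern difference discussed in the thread, as an added example (not code from any poster or from the fixfiles script): it checks which paths each of the two file_contexts patterns from the quoted diff covers. The versioned file names are constructed stand-ins for the alternatives-managed binaries, and the function names are hypothetical.

```shell
#!/bin/sh
# The two patterns are taken from the diff quoted in the thread.
OLD_PATTERN='/sbin/ip6?tables-multi'
NEW_PATTERN='/sbin/ip6?tables-multi.*'

# Constructed sample paths. The "-1.4.7" names are an assumption standing in
# for the versioned binaries on the upgraded system.
SAMPLE_PATHS='/sbin/iptables-multi
/sbin/ip6tables-multi
/sbin/iptables-multi-1.4.7
/sbin/ip6tables-multi-1.4.7'

# file_contexts entries are regular expressions anchored at both ends;
# grep -x gives the same whole-string match.
# usage: fc_matches PATTERN PATH
fc_matches() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# Print paths covered by the new pattern but not by the old one: a relabel
# that only visits paths matching the old pattern never reaches these.
missed_by_old_pattern() {
    printf '%s\n' "$SAMPLE_PATHS" | while IFS= read -r p; do
        if fc_matches "$NEW_PATTERN" "$p" && ! fc_matches "$OLD_PATTERN" "$p"; then
            printf '%s\n' "$p"
        fi
    done
}

missed_by_old_pattern
```

On a real host, `restorecon -Rnv /sbin` lists the files whose label differs from policy without changing anything, which is a quick check before rebooting.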