Tried just the selinux list yesterday, no answers, so I'm trying again.
I partitioned GPT, and formatted, as xfs, a large (3TB) drive on a CentOS 6 system, which has selinux in permissive mode. I then moved the drive to a CentOS 5 system. When we run a copy (it mirror-copies from another system), we get a ton of errors. I discovered that the CentOS 5 system was enforcing. I changed it to permissive, I labelled the directories and files w/ semanage, did a restorecon, and even did a fixfiles, and *then* I tried /.autorelabel and rebooted, and we still get a ton of errors:
Jun 1 17:01:32 <server> kernel: inode_doinit_with_dentry: context_to_sid(unconfined_u:object_r:file_t:s0) returned 22 for dev=sdd1 ino=2151541032
I had to reboot to disabled to get it to shut up.
So: is there something that selinux does in CentOS 6 that is in the labelling on the xfs filesystem that I can do something about on the CentOS 5 system, or do I just have to leave selinux disabled (until, maybe in the next year, we can rebuild to 7....)?
mark
On 06/02/2015 11:30 AM, m.roth@5-cent.us wrote:
> Tried just the selinux list yesterday, no answers, so I'm trying again.
> I partitioned GPT, and formatted, as xfs, a large (3TB) drive on a CentOS 6 system, which has selinux in permissive mode. I then moved the drive to a CentOS 5 system. When we run a copy (it mirror-copies from another system), we get a ton of errors. I discovered that the CentOS 5 system was enforcing. I changed it to permissive, I labelled the directories and files w/ semanage, did a restorecon, and even did a fixfiles, and *then* I tried /.autorelabel and rebooted, and we still get a ton of errors:
> Jun 1 17:01:32 <server> kernel: inode_doinit_with_dentry: context_to_sid(unconfined_u:object_r:file_t:s0) returned 22 for dev=sdd1 ino=2151541032
> I had to reboot to disabled to get it to shut up.
> So: is there something that selinux does in CentOS 6 that is in the labelling on the xfs filesystem that I can do something about on the CentOS 5 system, or do I just have to leave selinux disabled (until, maybe in the next year, we can rebuild to 7....)?
> mark
SELinux on RHEL5 did not have an MLS field in the label, so the directory cannot be used by both RHEL5 and RHEL6 easily.
If all of the content on the device is going to be labeled the same, then just use a context mount option
context="system_u:object_r:usr_t:s0" for example.
On 06/02/2015 10:20 AM, Daniel J Walsh wrote:
> If all of the content on the device is going to be labeled the same, then just use a context mount option
Thanks, Dan. I'd misread the man page for mount, and thought that the context= option was "only" useful when mounting filesystems that didn't support SELinux attributes.
On 06/02/2015 08:30 AM, m.roth@5-cent.us wrote:
> I partitioned GPT, and formatted, as xfs, a large (3TB) drive on a CentOS 6 system, which has selinux in permissive mode. I then moved the drive to a CentOS 5 system. When we run a copy ... we still get a ton of errors:
> Jun 1 17:01:32 <server> kernel: inode_doinit_with_dentry: context_to_sid(unconfined_u:object_r:file_t:s0) returned 22 for dev=sdd1 ino=2151541032
Maybe: https://www.redhat.com/archives/fedora-selinux-list/2005-October/msg00135.ht...
It sounds like the new system is writing data into the filesystem that the older libraries cannot read, or cannot meaningfully interpret.
The SELinux contexts don't mean anything to the old system/libraries/policy, so disabling SELinux is probably the best option. (I did not expect to ever advise disabling SELinux).
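A triage sketch for the kernel messages quoted in this thread, added here as an example and not code from any of the posters: it groups the rejected labels by device, so it is clear which filesystem carries contexts the loaded policy cannot map and is a candidate for the context= mount option mentioned above. Only the first sample line comes from the thread; the other lines and all function names are constructed for illustration.

```python
import errno
import re
from collections import defaultdict

# Message layout copied from the kernel line quoted in the thread.
MSG = re.compile(
    r"inode_doinit_with_dentry: context_to_sid\((?P<ctx>[^)]+)\) "
    r"returned (?P<rc>\d+) for dev=(?P<dev>\S+) ino=(?P<ino>\d+)"
)

def split_context(ctx):
    """Split user:role:type[:level]; the level itself may contain ':'."""
    parts = ctx.split(":", 3)
    keys = ("user", "role", "type", "level")
    return dict(zip(keys, parts + [None] * (4 - len(parts))))

def summarize(lines):
    """Group rejected labels by device: events, distinct inodes, contexts."""
    out = defaultdict(lambda: {"events": 0, "inodes": set(), "contexts": {}})
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # not a label-rejection message
        dev = out[m["dev"]]
        dev["events"] += 1
        dev["inodes"].add(int(m["ino"]))  # the same inode can be logged repeatedly
        rc = int(m["rc"])
        dev["contexts"][m["ctx"]] = {
            "fields": split_context(m["ctx"]),
            "errno": errno.errorcode.get(rc, str(rc)),  # 22 -> EINVAL
        }
    return dict(out)

# Constructed sample. The first entry reproduces the line quoted in the thread;
# the remaining entries are made up to exercise repeats and a second device.
LINE = ("Jun 1 17:01:32 <server> kernel: inode_doinit_with_dentry: "
        "context_to_sid({}) returned 22 for dev={} ino={}")
SAMPLE = [
    LINE.format("unconfined_u:object_r:file_t:s0", "sdd1", 2151541032),
    LINE.format("unconfined_u:object_r:file_t:s0", "sdd1", 2151541032),
    LINE.format("unconfined_u:object_r:file_t:s0", "sdd1", 2151541040),
    LINE.format("system_u:object_r:usr_t:s0-s0:c0.c1023", "sdb1", 131),
    "Jun 1 17:02:11 <server> sshd[411]: Accepted publickey for backup",
]

if __name__ == "__main__":
    for dev, info in sorted(summarize(SAMPLE).items()):
        print(f"{dev}: {info['events']} events, {len(info['inodes'])} inodes")
        for ctx, d in info["contexts"].items():
            print(f"  rejected {ctx} ({d['errno']}) {d['fields']}")
```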