-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wed, Mar 29, 2006 at 07:06:23PM -0700, Craig White wrote:
> SELinux has not been a problem for me on CentOS 4, RHEL 4 or FC-3 or FC-4. There have been some changes with respect to SELinux in FC-5 including new tools and new policies and I haven't grappled with them yet but so far, SELinux hasn't created any obstacles that weren't relatively easy to solve, and yes, there were times I needed some help.
So, here is an interesting one for you :)
In one of my CentOS machines (originally installed with 4.0, not 4.3), several of my files lost their selinux context information. Several others have wrong values.
Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
Of course, reinstalling the machine is always an option, but since it is located in a datacenter (in another country), that might be a bit of a PITA.
TIA,
PS.: Another one for the "Good Thing(TM)": Never hijack threads. If you want to use the content of one e-mail to start a new thread, always remove the "In-Reply-To:" header line. :)
-- 
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> In one of my CentOS machines (originally installed with 4.0, not 4.3), several of my files lost their selinux context information. Several others have wrong values.
> Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
fixfiles relabel
On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > In one of my CentOS machines (originally installed with 4.0, not 4.3), several of my files lost their selinux context information. Several others have wrong values.
> > Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
> fixfiles relabel
----
that might be the mallet when all it needs is a little tap.
that also requires a reboot, doesn't it?
Craig
On Wed, Mar 29, 2006 at 08:47:16PM -0700, Craig White wrote:
> On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > > In one of my CentOS machines (originally installed with 4.0, not 4.3), several of my files lost their selinux context information. Several others have wrong values.
> > > Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
> > fixfiles relabel
> that might be the mallet when all it needs is a little tap.
Not in my case. I mean, even /bin/bash had wrong contexts until a few days ago. And /etc/passwd :)
> that also requires a reboot, doesn't it?
Not likely. I mean, yes, it would be recommended, but I'm pretty good at changing things without needing to reboot, and I'm daring enough to do it :) After all, it is not like this is an important machine. It is just my company's main internet server :)
[]s
-- 
Rodrigo Barbosa <rodrigob@suespammers.org>
On Thu, 2006-03-30 at 01:00 -0300, Rodrigo Barbosa wrote:
> On Wed, Mar 29, 2006 at 08:47:16PM -0700, Craig White wrote:
> > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > > > In one of my CentOS machines (originally installed with 4.0, not 4.3), several of my files lost their selinux context information. Several others have wrong values.
> > > > Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
> > > fixfiles relabel
> > that might be the mallet when all it needs is a little tap.
> Not in my case. I mean, even /bin/bash had wrong contexts until a few days ago. And /etc/passwd :)
> > that also requires a reboot, doesn't it?
> Not likely. I mean, yes, it would be recommended, but I'm pretty good at changing things without needing to reboot, and I'm daring enough to do it :) After all, it is not like this is an important machine. It is just my company's main internet server :)
----
It sort of occurs to me that breaking the security contexts of things like /etc/passwd and /bin/bash (/bin/sh) suggests to me that a much larger problem exists.
fixfiles relabel is a time consuming process (perhaps not a big deal) but can change things that were specifically labeled other than the default setting, creating new issues.
# rpm -q --whatprovides /etc/passwd
setup-2.5.44-1.1
(my FC-4 system)
# fixfiles -R setup restore

[root@lin-workstation activeldap]# rpm -q --whatprovides /bin/bash
bash-3.0-31
(again my FC-4 system)
# fixfiles -R bash restore
Craig
On Wed, Mar 29, 2006 at 10:34:56PM -0700, Craig White wrote:
> > Not likely. I mean, yes, it would be recommended, but I'm pretty good at changing things without needing to reboot, and I'm daring enough to do it :) After all, it is not like this is an important machine. It is just my company's main internet server :)
> It sort of occurs to me that breaking the security contexts of things like /etc/passwd and /bin/bash (/bin/sh) suggests to me that a much larger problem exists.
Yeah, it existed. I played a lot with SELinux on this machine before going into production, and also with the policies. It was, after all, my first CentOS machine :)
> fixfiles relabel is a time consuming process (perhaps not a big deal) but can change things that were specifically labeled other than the default setting, creating new issues.
That is not a problem. The only context change I did intentionally was documented, so I just did it again after the relabel.
And it was kind of fast, come to think of it. About 5 minutes or so.
> # rpm -q --whatprovides /etc/passwd
> setup-2.5.44-1.1
> (my FC-4 system)
> # fixfiles -R setup restore
>
> [root@lin-workstation activeldap]# rpm -q --whatprovides /bin/bash
> bash-3.0-31
> (again my FC-4 system)
> # fixfiles -R bash restore
Tkx, but I had fixed those 2 manually some time ago, with chcon. But it was a cat and mouse game, since I was pretty sure there were other files with wrong contexts that I was not aware of.
After the relabel, all errors stopped (checking on dmesg), and everything I tried worked flawlessly.
I'm a very happy kitten right now :)
-- 
Rodrigo Barbosa <rodrigob@suespammers.org>
On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > fixfiles relabel
> that might be the mallet when all it needs is a little tap.
> that also requires a reboot, doesn't it?
Only if you insist on wiping /tmp.
On Wed, Mar 29, 2006 at 11:16:17PM -0500, Ignacio Vazquez-Abrams wrote:
> On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > fixfiles relabel
> > that might be the mallet when all it needs is a little tap.
> > that also requires a reboot, doesn't it?
> Only if you insist on wiping /tmp.
I wonder why. Any idea?
-- 
Rodrigo Barbosa <rodrigob@suespammers.org>
On Thu, 2006-03-30 at 01:22 -0300, Rodrigo Barbosa wrote:
> On Wed, Mar 29, 2006 at 11:16:17PM -0500, Ignacio Vazquez-Abrams wrote:
> > On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> > > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > > fixfiles relabel
> > > that might be the mallet when all it needs is a little tap.
> > > that also requires a reboot, doesn't it?
> > Only if you insist on wiping /tmp.
> I wonder why. Any idea?
Lots of daemons put files in /tmp. If you wipe them then you remove the mechanism used to connect to the daemons. The only reliable way to restore access is to restart the daemons. The easiest way to do so is usually to reboot.
On Wed, Mar 29, 2006 at 11:45:10PM -0500, Ignacio Vazquez-Abrams wrote:
> On Thu, 2006-03-30 at 01:22 -0300, Rodrigo Barbosa wrote:
> > On Wed, Mar 29, 2006 at 11:16:17PM -0500, Ignacio Vazquez-Abrams wrote:
> > > On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> > > > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > > > fixfiles relabel
> > > > that might be the mallet when all it needs is a little tap.
> > > > that also requires a reboot, doesn't it?
> > > Only if you insist on wiping /tmp.
> > I wonder why. Any idea?
> Lots of daemons put files in /tmp. If you wipe them then you remove the mechanism used to connect to the daemons. The only reliable way to restore access is to restart the daemons. The easiest way to do so is usually to reboot.
I sure hope that doesn't happen. Using /tmp for that kind of thing is, to say the least, a liability.
Anyway, if that's the case, I really don't think rebooting is necessary. Maybe easier, as you said.
[]s
-- 
Rodrigo Barbosa <rodrigob@suespammers.org>
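The mechanism Ignacio describes above, shown as an added example rather than anything posted in the thread: a daemon that listens on a Unix-domain socket file, a client that reaches it through that file, the file being removed ("wiping /tmp") while the daemon keeps running, and a restart of the daemon putting the file back. The echo daemon, the socket name and the use of a private temporary directory instead of /tmp itself are assumptions made so the script runs anywhere.

```python
"""Why wiping /tmp strands a daemon whose clients reach it through a socket
file there, and why restarting the daemon restores service.  Added example;
not code from the CentOS thread.  A private temp dir stands in for /tmp."""
import os
import socket
import tempfile
import threading
from typing import Callable, Optional


def start_echo_daemon(sock_path: str) -> Callable[[], None]:
    """Bind a Unix-domain socket at sock_path and answer each client with its
    message upper-cased.  Returns a function that stops the daemon."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)          # creates the socket file: the rendezvous point
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(conn.recv(1024).upper())

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def shutdown() -> None:
        stop.set()
        thread.join()
        srv.close()              # closing the socket does not remove the file

    return shutdown


def ask(sock_path: str, msg: bytes = b"ping") -> Optional[bytes]:
    """One request/response over the socket; None if the path is unreachable."""
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(sock_path)
        client.sendall(msg)
        return client.recv(1024)
    except (FileNotFoundError, ConnectionRefusedError):
        return None
    finally:
        client.close()


def demo() -> tuple:
    """Returns (reply before wipe, reply after wipe, reply after restart)."""
    tmp = tempfile.mkdtemp()                 # constructed stand-in for /tmp
    path = os.path.join(tmp, "daemon.sock")  # assumed socket name
    stop = start_echo_daemon(path)
    before = ask(path)
    os.unlink(path)                  # "wiping /tmp": the daemon keeps running
    after_wipe = ask(path)           # ...but no client can find it any more
    stop()
    restart = start_echo_daemon(path)  # restarting re-creates the socket file
    after_restart = ask(path)
    restart()
    os.unlink(path)
    os.rmdir(tmp)
    return before, after_wipe, after_restart


if __name__ == "__main__":
    print(demo())   # (b'PING', None, b'PING')
```

The middle value is the point: the daemon process is alive and still holds its listening socket, but the only name clients know for it is gone, so nothing short of re-binding (a restart) brings it back. This is also why a service that keeps its socket in a world-writable directory depends on nobody else deleting or re-creating that name.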
On Wed, Mar 29, 2006 at 10:43:29PM -0500, Ignacio Vazquez-Abrams wrote:
> On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
> fixfiles relabel
That did the trick. Thank you tons.
-- 
Rodrigo Barbosa <rodrigob@suespammers.org>
On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> On Wed, Mar 29, 2006 at 07:06:23PM -0700, Craig White wrote:
> > SELinux has not been a problem for me on CentOS 4, RHEL 4 or FC-3 or FC-4. There have been some changes with respect to SELinux in FC-5 including new tools and new policies and I haven't grappled with them yet but so far, SELinux hasn't created any obstacles that weren't relatively easy to solve, and yes, there were times I needed some help.
> So, here is an interesting one for you :)
> In one of my CentOS machines (originally installed with 4.0, not 4.3), several of my files lost their selinux context information. Several others have wrong values.
> Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
> Of course, reinstalling the machine is always an option, but since it is located in a datacenter (in another country), that might be a bit of a PITA.
> TIA,
> PS.: Another one for the "Good Thing(TM)": Never hijack threads. If you want to use the content of one e-mail to start a new thread, always remove the "In-Reply-To:" header line. :)
----
fixfiles --help

fixfiles -R bind check
fixfiles -R bind restore

where the settings are likely stored...
ls -l /etc/selinux/targeted/contexts
ls -l /etc/selinux/targeted/policy
...
Craig
On 3/29/06, Rodrigo Barbosa rodrigob@suespammers.org wrote:
> Is there a way to restore the original selinux context on these files? Maybe using RPM (even though I don't think the value is stored in the RPM database, I'm not sure).
Two more answers, just for the archives:
"restorecon filename" will restore the security contexts on an individual file (rather than doing it systemwide or packagewide as fixfiles does).
"touch /.autorelabel" will cause fixfiles relabel to be run at the next reboot. I'm not sure if or how that's better than running fixfiles yourself.
Josh Kelley
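The answer to Rodrigo's original question (the "original" context is not in the RPM database but in the policy's file_contexts under /etc/selinux/targeted/contexts, which is what fixfiles, restorecon and matchpathcon consult) is easier to see with a small model of that lookup. The following is an added example, not code from the thread or from the SELinux tools: it parses file_contexts-style spec lines, picks the context for a path the way setfiles does (every regex anchored at both ends, the last matching entry wins, an optional file-type flag must match, <<none>> means leave the file alone) and lists the files whose current label disagrees. It also models the two behaviours behind Craig's worry about clobbering deliberate labels: without -F, restorecon skips types listed in customizable_types and corrects only the type field, leaving a changed user or role in place; with -F the whole context must match. The spec lines, the customizable_types set and the current labels are constructed sample data, with no MLS range because CentOS 4's targeted policy had none.

```python
"""Model of how restorecon/fixfiles/matchpathcon pick the context a path
should carry, with a mismatch report built from constructed sample data.
Added example; not code from the CentOS thread or from the SELinux tools."""
import re
from typing import Dict, List, Optional, Tuple

Spec = Tuple[re.Pattern, Optional[str], Optional[str]]

# Constructed sample in file_contexts(5) layout: regex, optional file-type flag
# (-- regular file, -d directory, -l symlink, ...), then a context or <<none>>.
SAMPLE_FILE_CONTEXTS = """\
/.*                          system_u:object_r:default_t
/bin(/.*)?                   system_u:object_r:bin_t
/bin/bash            --      system_u:object_r:shell_exec_t
/etc(/.*)?                   system_u:object_r:etc_t
/etc/passwd          --      system_u:object_r:etc_t
/etc/shadow.*        --      system_u:object_r:shadow_t
/tmp/.*                      <<none>>
/var/www(/.*)?               system_u:object_r:httpd_sys_content_t
"""

# Constructed stand-in for /etc/selinux/<policy>/contexts/customizable_types.
CUSTOMIZABLE_TYPES = {"public_content_t"}

# Constructed current labels: path -> (file-type flag, context as ls -Z shows it).
SAMPLE_CURRENT: Dict[str, Tuple[str, str]] = {
    "/bin":                     ("-d", "system_u:object_r:bin_t"),
    "/bin/bash":                ("--", "system_u:object_r:bin_t"),      # wrong type (the thread's case)
    "/etc/passwd":              ("--", "root:object_r:etc_t"),          # only the user field differs
    "/etc/shadow":              ("--", "system_u:object_r:shadow_t"),
    "/etc/shadow-":             ("--", "system_u:object_r:etc_t"),      # wrong: /etc/shadow.* wins
    "/tmp/foo":                 ("--", "user_u:object_r:tmp_t"),        # <<none>>: never touched
    "/var/www/html/index.html": ("--", "system_u:object_r:public_content_t"),  # customizable type
}


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse spec lines; like libselinux, anchor every regex at both ends."""
    specs: List[Spec] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        context = None if ctx == "<<none>>" else ctx
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def expected_context(specs: List[Spec], path: str, ftype: str = "--") -> Optional[str]:
    """Context the policy assigns to path, or None for <<none>> / no match.
    As in setfiles, the LAST matching spec wins, hence the reverse scan."""
    for pattern, spec_type, context in reversed(specs):
        if spec_type is not None and spec_type != ftype:
            continue
        if pattern.match(path):
            return context
    return None


def context_type(context: str) -> str:
    """user:role:type[:range] -> type"""
    return context.split(":")[2]


def find_mismatches(specs: List[Spec], current: Dict[str, Tuple[str, str]],
                    force: bool = False) -> List[Tuple[str, str, str]]:
    """(path, current, expected) for every file a relabel would change.
    force=False mirrors restorecon without -F: customizable types are left
    alone and only the type field is compared, so a deliberately changed
    user or role survives.  force=True mirrors -F: whole context must match."""
    report = []
    for path, (ftype, have) in sorted(current.items()):
        want = expected_context(specs, path, ftype)
        if want is None:
            continue
        if not force and context_type(have) in CUSTOMIZABLE_TYPES:
            continue
        same = have == want if force else context_type(have) == context_type(want)
        if not same:
            report.append((path, have, want))
    return report


if __name__ == "__main__":
    specs = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
    for label, force in (("restorecon (default)", False), ("restorecon -F", True)):
        print(f"== {label} would relabel:")
        for path, have, want in find_mismatches(specs, SAMPLE_CURRENT, force):
            print(f"  {path}: {have} -> {want}")
```

On a real CentOS box the same check is `matchpathcon -V /bin/bash` (prints whether the file's label is "verified" or what it should be) and `restorecon -nv /bin/bash` (a dry run that reports what it would change), both against the installed policy rather than the constructed spec above; `fixfiles -R bash check` does the dry run for everything the package owns. Running one of those before `fixfiles relabel` is the "little tap" Craig suggests, and it answers Craig's other concern: only files whose type disagrees with policy, and are not of a customizable type, get touched unless you ask for -F.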