SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)

Thu Mar 30 05:34:56 UTC 2006
Craig White <craigwhite at azapple.com>

On Thu, 2006-03-30 at 01:00 -0300, Rodrigo Barbosa wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, Mar 29, 2006 at 08:47:16PM -0700, Craig White wrote:
> > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > > > In one of my CentOS machines (originally installed with 4.0, not 4.3),
> > > > several of my files lost their selinux context information. Several
> > > > others are with wrong values.
> > > > 
> > > > Is there a way to restore the original selinux context on these files ?
> > > > Maybe using RPM (even tho I don't think the value is stored on the
> > > > RPM database, I'm not sure).
> > > 
> > > fixfiles relabel
> > ----
> > that might be the mallet when all it needs is a little tap.
> 
> Not in my case. I mean, even /bin/bash was with wrong contexts until
> a few days ago. And /etc/passwd :)
> 
> > that also requires a reboot doesn't it?
> 
> Not likely. I mean, yes, it would be recomended, but I'm pretty good
> as changing things without needing to reboot, and I'm daring enough to
> do it :) After all, it is not like this is an important machine. It is
> just my company main internet server :)
----
It sort of occurs to me that breaking the security contexts of things
like /etc/passwd and /bin/bash (/bin/sh) suggests to me that a much
larger problem exists.

fixfiles relabel is a time consuming process (perhaps not a big deal)
but can change things that were specifically labeled other than the
default setting, creating new issues.

# rpm -q --whatprovides /etc/passwd
setup-2.5.44-1.1
(my FC-4 system)
# fixfiles -R setup restore

[root at lin-workstation activeldap]# rpm -q --whatprovides /bin/bash
bash-3.0-31
(again my FC-4 system)
# fixfiles -R bash restore

Craig