SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)

Thu Mar 30 06:08:45 UTC 2006
Rodrigo Barbosa <rodrigob at suespammers.org>

On Wed, Mar 29, 2006 at 10:34:56PM -0700, Craig White wrote:
> > Not likely. I mean, yes, it would be recommended, but I'm pretty good
> > at changing things without needing to reboot, and I'm daring enough to
> > do it :) After all, it is not like this is an important machine. It is
> > just my company's main internet server :)
> ----
> It sort of occurs to me that breaking the security contexts of things
> like /etc/passwd and /bin/bash (/bin/sh) suggests to me that a much
> larger problem exists.

Yeah, it existed. I played a lot with SELinux on this machine
before going into production, and also with the policies. It was,
after all, my first CentOS machine :)

> fixfiles relabel is a time consuming process (perhaps not a big deal)
> but can change things that were specifically labeled other than the
> default setting, creating new issues.

That is not a problem. The only context change I did intentionally
was documented, so I just did it again after the relabel.

And it was kind of fast, come to think of it. About 5 minutes or so.

> # rpm -q --whatprovides /etc/passwd
> setup-2.5.44-1.1
> (my FC-4 system)
> # fixfiles -R setup restore
> 
> [root@lin-workstation activeldap]# rpm -q --whatprovides /bin/bash
> bash-3.0-31
> (again my FC-4 system)
> # fixfiles -R bash restore

Tkx, but I had fixed those 2 manually some time ago, with chcon.
But it was a cat and mouse game, since I was pretty sure there were
other files with wrong contexts I was not aware of.

After the relabel, all errors stopped (checking on dmesg), and everything
I tried worked flawlessly.

I'm a very happy kitten right now :)

-- 
Rodrigo Barbosa <rodrigob at suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)

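Added example, not part of the original message: one way to find files with wrong contexts before choosing between `chcon`, a per-package `fixfiles -R <pkg> restore`, and a full relabel is to parse a `restorecon -R -n -v` dry run. The function names and sample lines are constructed for illustration, and the two output formats handled are assumed to be the ones your policycoreutils version prints.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit SELinux labels without changing them.
# Live use: restorecon -R -n -v /etc /bin 2>/dev/null | mislabeled_types

# Constructed sample of dry-run output in two formats: older policycoreutils
# ("restorecon reset PATH context OLD->NEW") and newer ("Would relabel ...").
SAMPLE_OUTPUT='restorecon reset /etc/passwd context user_u:object_r:tmp_t:s0->system_u:object_r:etc_t:s0
Would relabel /bin/bash from system_u:object_r:user_home_t:s0 to system_u:object_r:shell_exec_t:s0
restorecon: constructed warning line that must be ignored'

# stdin: restorecon -n -v output; stdout: "PATH CURRENT_TYPE EXPECTED_TYPE".
# Assumption: paths contain no whitespace (such lines are skipped).
mislabeled_types() {
  awk '
    function type_of(ctx,   f) { split(ctx, f, ":"); return f[3] }
    { path = "" }
    /^restorecon reset / && NF == 5 && $4 == "context" {
      split($5, c, "->"); path = $3; cur = c[1]; want = c[2]
    }
    /^Would relabel / && NF == 7 && $4 == "from" && $6 == "to" {
      path = $3; cur = $5; want = $7
    }
    path != "" { print path, type_of(cur), type_of(want) }
  '
}

# stdin: output of mislabeled_types; stdout: one "fixfiles -R PKG restore" line
# per owning RPM package (the per-package relabel quoted in the thread).
suggest_fixfiles() {
  command -v rpm >/dev/null 2>&1 || return 0   # not an RPM system: print nothing
  while read -r path _; do
    pkgs=$(rpm -qf --qf '%{NAME}\n' "$path" 2>/dev/null) || continue  # unowned file
    for p in $pkgs; do printf 'fixfiles -R %s restore\n' "$p"; done
  done | sort -u
}

# Demo on the constructed sample; nothing on the system is relabeled.
printf '%s\n' "$SAMPLE_OUTPUT" | mislabeled_types
printf '%s\n' "$SAMPLE_OUTPUT" | mislabeled_types | suggest_fixfiles
```

Files that no package owns are skipped by `suggest_fixfiles`, so they still need `restorecon` or a full relabel.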