[lug] SElinux Relabel

stimits at comcast.net stimits at comcast.net
Thu Oct 24 07:23:36 MDT 2013


...
> If I had to guess, I'd say you booted Fedora 19 and let it see your Fedora 16 partitions.  Perhaps -- just guessing -- the SELinux labels changed between 16 and 19 (which is about two years worth of development.)  So F19 might have modified the labels on F16 files and when you booted it back into F16, it didn't like that.

This seems to be the case. Prior settings did enable targeted SELinux, and prior boot config did not disable Fedora 16. Those partitions were mounted on a convenience point during install, and so installation and rpm update of Fedora 19 would have seen these partitions. Advice to others: Do NOT tell an install about any partitions you want to view from a past OS; instead, add those mount options after install.


> You can simply edit /etc/selinux/config finding the line that says "Enforcing" and change it to "Permissive" or "Disabled" to get around SELinux issues.

This was originally set to enforcing so I'm going to attempt the restorecon mentioned below.


> If you want to keep it enabled, I would try this:  (not tested!)

> 1. Boot your F16 into single user mode

NOTE: With the relabel bug from the F19 install there is no login possible of any kind in the old F16 installation. SELinux has to be completely turned off from a rescue once this bug hits.

> 2. Mount the root file system as read-write

> # mount -o remount,rw /

> 3. Use SELinux's restorecon utility to set individual file permissions to what the booted database's installed base of SELinux labels thinks they should be.  This would be

> # restorecon -R /

I'm going to try this later today, after my bravery increases (I guess I should avoid coffee today!). A big question for the people here... since I have to boot into this with SELinux disabled via a kernel option in grub2, will restorecon -R still work as expected? Or if I were to boot to the F19 install (or any rescue) and then chroot to the old partition, would restorecon -R function correctly using only the older system's config?

I'm assuming that whatever files exist in the old f16 system, that the actual f16 rpm config itself did not change, that the fault is relabel from the f19 config when it really needed the f16 config present on the old f16 install.
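
For the rescue or second-install case raised above, `setfiles` takes an explicit spec file and an alternate root (`-r`), so the labels can come from the old installation's own `file_contexts` rather than from the booted system's policy. The script below is an added example, not part of the original message; the mount point `/mnt/f16` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: relabel an old root from another boot, using the
# file_contexts stored inside that old root (not the running system's).
# /mnt/f16 is a hypothetical mount point for the old F16 root.

# Print the SELINUXTYPE configured inside the mounted root (e.g. "targeted").
policy_type() {
    cfg="${1%/}/etc/selinux/config"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    # Ignore commented lines; the last SELINUXTYPE= assignment wins.
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || { echo "SELINUXTYPE not set in $cfg" >&2; return 1; }
    printf '%s\n' "$ptype"
}

# Print the path of the old installation's own file_contexts spec.
find_spec() {
    root="${1%/}"
    ptype=$(policy_type "$root") || return 1
    spec="$root/etc/selinux/$ptype/contexts/files/file_contexts"
    [ -r "$spec" ] || { echo "missing spec file $spec" >&2; return 1; }
    printf '%s\n' "$spec"
}

# Usage: relabel-old-root.sh /mnt/f16           (show the command only)
#        relabel-old-root.sh /mnt/f16 --apply   (run it; needs root)
if [ $# -ge 1 ]; then
    root="${1%/}"
    spec=$(find_spec "$root") || exit 1
    # -r: strip this prefix from paths before matching them against the spec
    # -F: reset the whole context (user, role, type), -v: report each change
    echo "setfiles -F -v -r $root $spec $root"
    if [ "${2:-}" = "--apply" ]; then
        setfiles -F -v -r "$root" "$spec" "$root"
    fi
fi
```

Run without `--apply` first and confirm the spec path points into the old root before letting it write labels.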
