Rodrigo Barbosa
2006-Mar-30 03:21 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, Mar 29, 2006 at 07:06:23PM -0700, Craig White wrote:
> SELinux has not been a problem for me on CentOS 4, RHEL 4 or FC-3 or
> FC-4. There have been some changes with respect to SELinux in FC-5
> including new tools and new policies and I haven't grappled with them
> yet but so far, SELinux hasn't created any obstacles that weren't
> relatively easy to solve, and yes, there were times I needed some help.

So, here is an interesting one for you :)

In one of my CentOS machines (originally installed with 4.0, not 4.3),
several of my files lost their selinux context information. Several
others are with wrong values.

Is there a way to restore the original selinux context on these files?
Maybe using RPM (even tho I don't think the value is stored in the
RPM database, I'm not sure).

Of course, reinstalling the machine is always an option, but since it
is located in a datacenter (in another country), that might be a
bit of a PITA.

TIA,

PS.: Another one for the "Good Thing(TM)": Never hijack threads. If you
want to use the content of one e-mail to start a new thread, always
remove the "In-Reply-To:" header line. :)

--
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Ignacio Vazquez-Abrams
2006-Mar-30 03:43 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> In one of my CentOS machines (originally installed with 4.0, not 4.3),
> several of my files lost their selinux context information. Several
> others are with wrong values.
>
> Is there a way to restore the original selinux context on these files?
> Maybe using RPM (even tho I don't think the value is stored on the
> RPM database, I'm not sure).

fixfiles relabel

--
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
Craig White
2006-Mar-30 03:46 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> On Wed, Mar 29, 2006 at 07:06:23PM -0700, Craig White wrote:
> > SELinux has not been a problem for me on CentOS 4, RHEL 4 or FC-3 or
> > FC-4. There have been some changes with respect to SELinux in FC-5
> > including new tools and new policies and I haven't grappled with them
> > yet but so far, SELinux hasn't created any obstacles that weren't
> > relatively easy to solve, and yes, there were times I needed some help.
>
> So, here is an interesting one for you :)
>
> In one of my CentOS machines (originally installed with 4.0, not 4.3),
> several of my files lost their selinux context information. Several
> others are with wrong values.
>
> Is there a way to restore the original selinux context on these files?
> Maybe using RPM (even tho I don't think the value is stored on the
> RPM database, I'm not sure).
>
> Of course, reinstalling the machine is always an option, but since it
> is located in a datacenter (in another country), that might be a
> bit of a PITA.
>
> TIA,
>
> PS.: Another one for the "Good Thing(TM)": Never hijack threads. If you
> want to use the content of one e-mail to start a new thread, always
> remove the "In-Reply-To:" header line. :)
----
fixfiles --help
fixfiles -R bind check
fixfiles -R bind restore

where the settings are likely stored...

ls -l /etc/selinux/targeted/contexts
ls -l /etc/selinux/targeted/policy
...

Craig
Craig White
2006-Mar-30 03:47 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > In one of my CentOS machines (originally installed with 4.0, not 4.3),
> > several of my files lost their selinux context information. Several
> > others are with wrong values.
> >
> > Is there a way to restore the original selinux context on these files?
> > Maybe using RPM (even tho I don't think the value is stored on the
> > RPM database, I'm not sure).
>
> fixfiles relabel
----
that might be the mallet when all it needs is a little tap.

that also requires a reboot, doesn't it?

Craig
Rodrigo Barbosa
2006-Mar-30 04:00 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, Mar 29, 2006 at 08:47:16PM -0700, Craig White wrote:
> On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > > In one of my CentOS machines (originally installed with 4.0, not 4.3),
> > > several of my files lost their selinux context information. Several
> > > others are with wrong values.
> > >
> > > Is there a way to restore the original selinux context on these files?
> > > Maybe using RPM (even tho I don't think the value is stored on the
> > > RPM database, I'm not sure).
> >
> > fixfiles relabel
> ----
> that might be the mallet when all it needs is a little tap.

Not in my case. I mean, even /bin/bash was with wrong contexts until
a few days ago. And /etc/passwd :)

> that also requires a reboot, doesn't it?

Not likely. I mean, yes, it would be recommended, but I'm pretty good
at changing things without needing to reboot, and I'm daring enough to
do it :) After all, it is not like this is an important machine. It is
just my company's main internet server :)

[]s

--
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Rodrigo Barbosa
2006-Mar-30 04:00 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, Mar 29, 2006 at 10:43:29PM -0500, Ignacio Vazquez-Abrams wrote:
> On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > Is there a way to restore the original selinux context on these files?
> > Maybe using RPM (even tho I don't think the value is stored on the
> > RPM database, I'm not sure).
>
> fixfiles relabel

That did the trick. Thank you tons.

--
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Ignacio Vazquez-Abrams
2006-Mar-30 04:16 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > fixfiles relabel
> ----
> that might be the mallet when all it needs is a little tap.
>
> that also requires a reboot, doesn't it?

Only if you insist on wiping /tmp.

--
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
Rodrigo Barbosa
2006-Mar-30 04:22 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, Mar 29, 2006 at 11:16:17PM -0500, Ignacio Vazquez-Abrams wrote:
> On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > fixfiles relabel
> > ----
> > that might be the mallet when all it needs is a little tap.
> >
> > that also requires a reboot, doesn't it?
>
> Only if you insist on wiping /tmp.

I wonder why. Any idea?

--
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Ignacio Vazquez-Abrams
2006-Mar-30 04:45 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Thu, 2006-03-30 at 01:22 -0300, Rodrigo Barbosa wrote:
> On Wed, Mar 29, 2006 at 11:16:17PM -0500, Ignacio Vazquez-Abrams wrote:
> > On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> > > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > > fixfiles relabel
> > > ----
> > > that might be the mallet when all it needs is a little tap.
> > >
> > > that also requires a reboot, doesn't it?
> >
> > Only if you insist on wiping /tmp.
>
> I wonder why. Any idea?

Lots of daemons put files in /tmp. If you wipe them then you remove the
mechanism used to connect to the daemons. The only reliable way to
restore access is to restart the daemons. The easiest way to do so is
usually to reboot.

--
Ignacio Vazquez-Abrams <ivazquez@ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
Rodrigo Barbosa
2006-Mar-30 05:06 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, Mar 29, 2006 at 11:45:10PM -0500, Ignacio Vazquez-Abrams wrote:
> On Thu, 2006-03-30 at 01:22 -0300, Rodrigo Barbosa wrote:
> > On Wed, Mar 29, 2006 at 11:16:17PM -0500, Ignacio Vazquez-Abrams wrote:
> > > On Wed, 2006-03-29 at 20:47 -0700, Craig White wrote:
> > > > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > > > fixfiles relabel
> > > > ----
> > > > that might be the mallet when all it needs is a little tap.
> > > >
> > > > that also requires a reboot, doesn't it?
> > >
> > > Only if you insist on wiping /tmp.
> >
> > I wonder why. Any idea?
>
> Lots of daemons put files in /tmp. If you wipe them then you remove the
> mechanism used to connect to the daemons. The only reliable way to
> restore access is to restart the daemons. The easiest way to do so is
> usually to reboot.

I sure hope that doesn't happen. Using /tmp for that kind of thing is,
to say the least, a liability.

Anyway, if that's the case, I really don't think rebooting is necessary.
Maybe easier, as you said.

[]s

--
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Craig White
2006-Mar-30 05:34 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Thu, 2006-03-30 at 01:00 -0300, Rodrigo Barbosa wrote:
> On Wed, Mar 29, 2006 at 08:47:16PM -0700, Craig White wrote:
> > On Wed, 2006-03-29 at 22:43 -0500, Ignacio Vazquez-Abrams wrote:
> > > On Thu, 2006-03-30 at 00:21 -0300, Rodrigo Barbosa wrote:
> > > > In one of my CentOS machines (originally installed with 4.0, not 4.3),
> > > > several of my files lost their selinux context information. Several
> > > > others are with wrong values.
> > > >
> > > > Is there a way to restore the original selinux context on these files?
> > > > Maybe using RPM (even tho I don't think the value is stored on the
> > > > RPM database, I'm not sure).
> > >
> > > fixfiles relabel
> > ----
> > that might be the mallet when all it needs is a little tap.
>
> Not in my case. I mean, even /bin/bash was with wrong contexts until
> a few days ago. And /etc/passwd :)
>
> > that also requires a reboot, doesn't it?
>
> Not likely. I mean, yes, it would be recommended, but I'm pretty good
> at changing things without needing to reboot, and I'm daring enough to
> do it :) After all, it is not like this is an important machine. It is
> just my company's main internet server :)
----
It sort of occurs to me that breaking the security contexts of things
like /etc/passwd and /bin/bash (/bin/sh) suggests to me that a much
larger problem exists.

fixfiles relabel is a time consuming process (perhaps not a big deal)
but can change things that were specifically labeled other than the
default setting, creating new issues.

# rpm -q --whatprovides /etc/passwd
setup-2.5.44-1.1
(my FC-4 system)
# fixfiles -R setup restore

[root@lin-workstation activeldap]# rpm -q --whatprovides /bin/bash
bash-3.0-31
(again my FC-4 system)
# fixfiles -R bash restore

Craig
Rodrigo Barbosa
2006-Mar-30 06:08 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On Wed, Mar 29, 2006 at 10:34:56PM -0700, Craig White wrote:
> > Not likely. I mean, yes, it would be recommended, but I'm pretty good
> > at changing things without needing to reboot, and I'm daring enough to
> > do it :) After all, it is not like this is an important machine. It is
> > just my company's main internet server :)
> ----
> It sort of occurs to me that breaking the security contexts of things
> like /etc/passwd and /bin/bash (/bin/sh) suggests to me that a much
> larger problem exists.

Yeah, it existed. I played a lot with SELinux on this machine before
going into production, and also with the policies. It was, after all,
my first CentOS machine :)

> fixfiles relabel is a time consuming process (perhaps not a big deal)
> but can change things that were specifically labeled other than the
> default setting, creating new issues.

That is not a problem. The only context change I did intentionally was
documented, so I just did it again after the relabel. And it was kind
of fast, come to think of it. About 5 minutes or so.

> # rpm -q --whatprovides /etc/passwd
> setup-2.5.44-1.1
> (my FC-4 system)
> # fixfiles -R setup restore
>
> [root@lin-workstation activeldap]# rpm -q --whatprovides /bin/bash
> bash-3.0-31
> (again my FC-4 system)
> # fixfiles -R bash restore

Thanks, but I had fixed those 2 manually some time ago, with chcon. But
it was a cat and mouse game, since I was pretty sure there were other
files with wrong contexts I was not aware of.

After the relabel, all errors stopped (checking on dmesg), and
everything I tried worked flawlessly. I'm a very happy kitten right
now :)

--
Rodrigo Barbosa <rodrigob@suespammers.org>
"Quid quid Latine dictum sit, altum viditur"
"Be excellent to each other ..." - Bill & Ted (Wyld Stallyns)
Josh Kelley
2006-Mar-31 14:59 UTC
SELinux Problems (Was: [CentOS] Forum Decorum: a reminder seems appropriate.)
On 3/29/06, Rodrigo Barbosa <rodrigob@suespammers.org> wrote:
> Is there a way to restore the original selinux context on these files?
> Maybe using RPM (even tho I don't think the value is stored on the
> RPM database, I'm not sure).

Two more answers, just for the archives:

"restorecon filename" will restore the security contexts on an
individual file (rather than doing it systemwide or packagewide as
fixfiles does).

"touch /.autorelabel" will cause fixfiles relabel to be run at the next
reboot. I'm not sure if or how that's better than running fixfiles
yourself.

Josh Kelley
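Craig's package-scoped "fixfiles -R pkg restore" and Josh's per-file "restorecon" suggest a check-first workflow: find out which of a package's files are actually mislabeled, then relabel only those, so intentional custom labels elsewhere survive. The shell script below is an added example, not code from the thread or from the fixfiles/policycoreutils project; it assumes that "matchpathcon -V" prints "<path> verified." for a correctly labeled file and "<path> has context <current>, should be <default>" otherwise, and the sample output it parses is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the SELinux labels of the files
# one RPM package owns without changing anything, then relabel only the
# files that are wrong (the "little tap" rather than a full fixfiles relabel,
# which can also undo labels that were set on purpose).
#
# Assumption: matchpathcon -V prints "<path> verified." for a correct label
# and "<path> has context <current>, should be <default>" for a wrong one.

# Read matchpathcon -V output on stdin; print one mislabeled path per line.
mismatched_paths() {
    awk '/ has context / { sub(/ has context .*$/, ""); print }'
}

# Read matchpathcon -V output on stdin; print how many files verified clean.
verified_count() {
    grep -c ' verified\.$' || true
}

# List the files owned by package $1 whose on-disk label differs from the
# policy default. Read-only: nothing is relabeled here.
audit_package() {
    rpm -ql "$1" | xargs -r matchpathcon -V | mismatched_paths
}

# Relabel only the paths read from stdin; every other file is left alone.
restore_listed() {
    xargs -r restorecon -v
}

# Constructed sample of matchpathcon -V output (CentOS 4 style contexts,
# no MLS field) so the parsing can be exercised on a box without SELinux.
SAMPLE='/etc/passwd has context user_u:object_r:tmp_t, should be system_u:object_r:etc_t
/bin/bash verified.
/bin/sh has context root:object_r:file_t, should be system_u:object_r:shell_exec_t'

if [ "${1:-}" = "--demo" ]; then
    # Offline run: prints /etc/passwd and /bin/sh, the two mislabeled files.
    printf '%s\n' "$SAMPLE" | mismatched_paths
elif [ -n "${1:-}" ]; then
    # Real run, e.g. "./labelcheck.sh setup": report mismatches only.
    # Pipe the result into restore_listed when you are ready to fix them.
    audit_package "$1"
fi
```

Run it with a package name to see the report first; only pipe that report into restore_listed (as root) once you have confirmed none of the listed files carries a deliberate custom label.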