[Bug 428043] [NEW] [karmic] setfiles fails to relabel if selinux not yet enabled

Caleb Case calebcase at gmail.com
Fri Sep 11 18:24:39 UTC 2009 

Public bug reported:

Binary package hint: policycoreutils

When selinux is installed it schedules the system to relabeled on
shutdown:

root at kks:~# apt-get install selinux
<snip>
Processing triggers for selinux ...
semodule deferred processing now taking place
/usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.
 * File relabel will occur upon next shutdown/reboot.
 * Starting SELinux autorelabel                                                                                                                                 * A relabel has already been requested. Please reboot to finish relabeling your system.
                                                                                                                                                        [ OK ]


However, this relabel fails to run and silently exits. This is because setfiles now checks the capabilities on the mounted file systems for 'seclabel' (see setfiles/setfiles.c:723:exclude_non_seclabel_mounts) on newer kernels (>=2.6.30 see setfiles.c:734). However the 'seclabel' feature is not available if selinux is not enabled, as is the case on a default karmic install. The result is that setfiles silently fails to relabel any filesystems and on reboot the user will find that they are logged in with an improper context (e.g. unconfined_u:system_r:insmod_t:s0-s0:c0.c255).

root at kks:~# lsb_release -rd
Description:	Ubuntu karmic (development branch)
Release:	9.10

root at kks:~# apt-cache policy policycoreutils
policycoreutils:
  Installed: 2.0.69-2ubuntu2
  Candidate: 2.0.69-2ubuntu2
  Version table:
 *** 2.0.69-2ubuntu2 0
        500 file: karmic/ Packages
        100 /var/lib/dpkg/status
     2.0.69-2ubuntu1 0
        500 http://192.168.7.101 karmic/universe Packages

** Affects: policycoreutils (Ubuntu)
     Importance: Undecided
         Status: New

-- 
[karmic] setfiles fails to relabel if selinux not yet enabled
https://bugs.launchpad.net/bugs/428043
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

More information about the universe-bugs mailing list