Wade Mealing blogged "Do the Fedora Developers run with SELinux enabled ?" after encountering a lot of AVC messages on his Fedora Core box. Looking at the messages, it seems that the system is out of whack generally and needs to be relabeled. The cleanest way to do this is:
    # yum update
    # touch /.autorelabel
    # reboot
and the early init scripts should fix the labels.
The hint that it’s a general labeling problem is the presence of file_t and unlabeled_t labels in the AVCs, which are generic fallback values and should not typically be seen in the wild. In fact, any AVC messages or SELinux issues for a normal user should be regarded as a bug.
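The check described above can be automated. This is an added example, not code from the original post or from setroubleshoot; it scans AVC denials for the two fallback types. The audit records in `SAMPLE_LOG` are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Fallback types the post names; in AVCs they point to missing or lost labels.
FALLBACK_TYPES = {"file_t", "unlabeled_t"}
CONTEXT_RE = re.compile(r"\b(scontext|tcontext)=(\S+)")

# Constructed sample audit records, for illustration only.
SAMPLE_LOG = """\
type=AVC msg=audit(1163776448.949:58): avc:  denied  { read } for  pid=2383 comm="hald" name="mtab" dev=sda2 ino=1201 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1163776450.101:61): avc:  denied  { getattr } for  pid=2410 comm="cupsd" name="data" dev=sdb1 ino=2 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=AVC msg=audit(1163776451.300:64): avc:  denied  { read } for  pid=2502 comm="httpd" name="index.html" dev=sda2 ino=4410 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1163776451.300:64): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
"""


def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    fields = context.split(":")  # the MLS level may itself contain ':'
    return fields[2] if len(fields) >= 3 else None


def analyze(log_text):
    """Count AVC denials and how many involve each fallback type."""
    denials = 0
    fallback = Counter()
    for line in log_text.splitlines():
        if "avc:" not in line or " denied " not in line:
            continue  # skip SYSCALL and other non-denial records
        denials += 1
        types = {context_type(ctx) for _, ctx in CONTEXT_RE.findall(line)}
        for t in types & FALLBACK_TYPES:
            fallback[t] += 1
    return {"denials": denials, "fallback": dict(fallback),
            "relabel_suspected": bool(fallback)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report)
    if report["relabel_suspected"]:
        print("file_t/unlabeled_t seen: suspect a general labeling problem")
```

On a real system, the same function can be fed the contents of the audit log instead of `SAMPLE_LOG`.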
This type of thing should not normally ever happen and we’d really like to know how the system got into this state. It could be that the policy has not been kept up to date with the rest of the system, which should only really be an issue for people who are playing with development versions of the distro and selectively upgrading rpms. It’s also possible that the presence of hard disk error messages in the logs has something to do with it. Another possible cause is mounting a non-labeled disk somewhere critical in the fs. Without more detailed information, we don’t know for sure, so please always report bugs.
Any of the following mailing lists are good for this:
- http://www.redhat.com/mailman/listinfo/fedora-selinux-list (subscriber-only)
SELinux-related bugzilla entries are typically resolved very quickly:
Send us some!
Note that soon, setroubleshoot will have a plugin for this specific issue, and explain to the user what’s wrong and what to do about it.