cleaning psidfiles database

cleaning psidfiles database

[Russell Coker]

psidfiles_init:  error 22 in obtaining SID for context 
system_u:object_r:dmesg_exec_t (psid 9).
psidfiles_init:  error 22 in obtaining SID for context 
system_u:object_r:mesg_exec_t (psid 107).

As a follow up to my previous messages on the topic of psidfiles, if the root 
file system is mounted without a valid policy (or if an initrd is used that 
doesn't have a valid policydb) then messages such as the above appear for all 
types that used to be applied to files on the file system.  The above two 
examples are for file types that were not used for several months!

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cleaning psidfiles database

[Stephen Smalley]

On Wed, 10 Jul 2002, Russell Coker wrote:

> psidfiles_init:  error 22 in obtaining SID for context
> system_u:object_r:dmesg_exec_t (psid 9).
> psidfiles_init:  error 22 in obtaining SID for context
> system_u:object_r:mesg_exec_t (psid 107).
>
> As a follow up to my previous messages on the topic of psidfiles, if the root
> file system is mounted without a valid policy (or if an initrd is used that
> doesn't have a valid policydb) then messages such as the above appear for all
> types that used to be applied to files on the file system.  The above two
> examples are for file types that were not used for several months!

What previous messages on the topic of psidfiles?  Are you referring back
to the "Major reduction in errors" thread?

You can use 'make reset' in the policy directory to recreate the
persistent label mappings from scratch, purging any obsoleted entries.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: cleaning psidfiles database

[Ed Street]

Hello,

Speaking of make relabel.  Would it not be a good idea to run a relabel
at boot time?

Ed

=> -----Original Message-----
=> From: owner-selinux@tycho.nsa.gov
[mailto:owner-selinux@tycho.nsa.gov] On
=> Behalf Of Stephen Smalley
=> Sent: Wednesday, July 10, 2002 7:36 AM
=> To: Russell Coker
=> Cc: SE Linux
=> Subject: Re: cleaning psidfiles database
=> 
=> 
=> On Wed, 10 Jul 2002, Russell Coker wrote:
=> 
=> > psidfiles_init:  error 22 in obtaining SID for context
=> > system_u:object_r:dmesg_exec_t (psid 9).
=> > psidfiles_init:  error 22 in obtaining SID for context
=> > system_u:object_r:mesg_exec_t (psid 107).
=> >
=> > As a follow up to my previous messages on the topic of psidfiles,
if
=> the root
=> > file system is mounted without a valid policy (or if an initrd is
used
=> that
=> > doesn't have a valid policydb) then messages such as the above
appear
=> for all
=> > types that used to be applied to files on the file system.  The
above
=> two
=> > examples are for file types that were not used for several months!
=> 
=> What previous messages on the topic of psidfiles?  Are you referring
back
=> to the "Major reduction in errors" thread?
=> 
=> You can use 'make reset' in the policy directory to recreate the
=> persistent label mappings from scratch, purging any obsoleted
entries.
=> 
=> --
=> Stephen D. Smalley, NAI Labs
=> ssmalley@nai.com
=> 
=> 
=> 
=> 
=> --
=> You have received this message because you are subscribed to the
selinux
=> list.
=> If you no longer wish to subscribe, send mail to
majordomo@tycho.nsa.gov
=> with
=> the words "unsubscribe selinux" without quotes as the message.


--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: cleaning psidfiles database

[Stephen Smalley]

On Wed, 10 Jul 2002, Ed Street wrote:

> Speaking of make relabel.  Would it not be a good idea to run a relabel
> at boot time?

Not unless you really want to reset the system to the initial state
specified in file_contexts on each boot.  The persistent label mappings
track runtime changes made since the initialization, like file type
transitions for new files and individual relabels via chcon.  A 'make
relabel' on each boot will lose such runtime changes unless you update
your file contexts configuration or you exclude these files via <<none>>
entries.  'make relabel' is also slow, as it must traverse the entire
filesystem.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: cleaning psidfiles database

[Russell Coker]

On Wed, 10 Jul 2002 15:58, Stephen Smalley wrote:
> On Wed, 10 Jul 2002, Ed Street wrote:
> > Speaking of make relabel.  Would it not be a good idea to run a relabel
> > at boot time?
>
> Not unless you really want to reset the system to the initial state
> specified in file_contexts on each boot.  The persistent label mappings
> track runtime changes made since the initialization, like file type
> transitions for new files and individual relabels via chcon.  A 'make
> relabel' on each boot will lose such runtime changes unless you update
> your file contexts configuration or you exclude these files via <<none>>
> entries.  'make relabel' is also slow, as it must traverse the entire
> filesystem.

It should be noted that anyone who wants the functionality of a "make relabel 
on boot" would be better off making a copy of file_contexts for use with 
genfs which uses only pattern matching not regex's.

But it shouldn't be necessary, persistant labelling should do everything you 
want apart from the cases of ISO9660, nfs, and other file systems that can't 
be labelled.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
>From field.

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.