From: JW <jw@centraltexasit.com>
To: <selinux@tycho.nsa.gov>
Subject: Is make relabel supposed to be run from policy or setfiles?
Date: Mon, 8 Jul 2002 20:16:35 -0500
Message-ID: <200207082016.36223.jw@centraltexasit.com>
As per the instructions on http://www.nsa.gov/selinux/doc/readme.html section 16, I rebooted into the selinux kernel, logged in as jw (who is the sysadmin, sysadm_r:sysadm_t), su'd to root (who, according to the default selinux setup [which I did not change], is a 'common user'), cd'd to /usr/src/selinux/policy and ran 'make relabel' with the following results:
ccs001:/usr/src/selinux/policy # make relabel
/usr/local/selinux/bin/setfiles file_contexts/file_contexts `mount | awk '/(ext[23]|reiserfs)/{print $3}'`
/usr/local/selinux/bin/setfiles: Running on a SELinux kernel, using new system calls
/usr/local/selinux/bin/setfiles: read 665 specifications
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:inetd_var_log_t on line number 625
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:inetd_var_log_t on line number 626
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:inetd_var_log_t on line number 637
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:inetd_var_log_t on line number 638
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:initrc_runlevel_t on line number 654
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:initrc_runlevel_t on line number 655
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:initrc_runlevel_t on line number 668
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:initrc_runlevel_t on line number 669
make: *** [relabel] Error 1
ccs001:/usr/src/selinux/policy #
I did notice the following in /var/log/warn:
Jul 8 19:48:18 ccs001 kernel:
Jul 8 19:48:18 ccs001 kernel: avc: denied { write } for pid=759 exe=/bin/su path=/dev/log dev=08:03 ino=26755 scontext=jw:sysadm_r:sysadm_su_t tcontext=system_u:object_r:device_t tclass=sock_file
Jul 8 19:48:18 ccs001 kernel:
Jul 8 19:48:18 ccs001 kernel: avc: denied { sendto } for pid=759 exe=/bin/su path=/dev/log scontext=jw:sysadm_r:sysadm_su_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket
I noticed a post from Russel suggested that make relabel should be run from selinux/setfiles/ not selinux/policy, but I'm not sure if that's correct or not.
ccs001:/usr/src/selinux/setfiles # make relabel
chcon system_u:object_r:setfiles_exec_t /usr/local/selinux/bin/setfiles
ccs001:/usr/src/selinux/setfiles #
Is that correct? Based on some discussion I had on IRC, I think it is NOT correct.
Perhaps someone could update the web page if it is correct.
I'll also point out that step 17 (PATH changes) has to occur before you can run make relabel, because use is made of /usr/local/selinux/chcon.
Just out of curiosity, why do you have to be root to do that? I have no doubt that I've much to learn here :-) but considering that 'jw' is sysadm_* and 'root' is just user_*, I would think that jw would be the proper account to run make relabel under.
--
----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
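Added example, not part of the original message: a small Python triage script for the two kinds of output quoted above. It groups the setfiles "invalid context" errors by context and file_contexts line number, and collapses the avc denials to (source type, target type, class) tuples. The sample input is a subset of the lines in the message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the lines quoted in the message above (setfiles output, /var/log/warn).
SETFILES_OUT = """\
/usr/local/selinux/bin/setfiles: read 665 specifications
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:inetd_var_log_t on line number 625
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:inetd_var_log_t on line number 626
/usr/local/selinux/bin/setfiles: invalid context system_u:object_r:initrc_runlevel_t on line number 654
"""
AVC_LOG = """\
Jul 8 19:48:18 ccs001 kernel:
Jul 8 19:48:18 ccs001 kernel: avc: denied { write } for pid=759 exe=/bin/su path=/dev/log dev=08:03 ino=26755 scontext=jw:sysadm_r:sysadm_su_t tcontext=system_u:object_r:device_t tclass=sock_file
Jul 8 19:48:18 ccs001 kernel: avc: denied { sendto } for pid=759 exe=/bin/su path=/dev/log scontext=jw:sysadm_r:sysadm_su_t tcontext=system_u:system_r:initrc_t tclass=unix_dgram_socket
"""

INVALID_RE = re.compile(r"invalid context (\S+) on line number (\d+)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def invalid_contexts(output):
    """Map each rejected context to the file_contexts line numbers that use it."""
    found = defaultdict(list)
    for m in INVALID_RE.finditer(output):
        found[m.group(1)].append(int(m.group(2)))
    return dict(found)

def parse_avc(log):
    """Turn each 'avc: denied' line into a dict of permissions and key=value fields."""
    records = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # skips the empty 'kernel:' lines
        rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        rec["perms"] = m.group(1).split()
        records.append(rec)
    return records

def denial_summary(records):
    """Collapse denials to (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for r in records:
        # Contexts in this log have the form user:role:type.
        key = (r["scontext"].split(":")[2], r["tcontext"].split(":")[2], r["tclass"])
        summary[key].update(r["perms"])
    return dict(summary)

if __name__ == "__main__":
    print(invalid_contexts(SETFILES_OUT))
    for key, perms in denial_summary(parse_avc(AVC_LOG)).items():
        print(key, sorted(perms))
```

Grouping by context shows that the eight errors in the full output come from only two types, and the line numbers point at the file_contexts entries to inspect.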