Just got burnt by this one this morning.
If you are upgrading from 6.3 to 6.4 and you use shorewall, you will want to run
restorecon -Rv /sbin
before rebooting. Original solution from:
That’s odd. Part of the selinux postinstall script involves running
“fixfiles” on any files whose context has changed. I confirmed that the iptables contexts changed when I ran restorecon on one system, but I
can’t understand why they weren’t fixed by the postinstall script.
My thoughts exactly. Just double-checked the postinstall script and can’t see any obvious bugs. Hmmm …
If I compare the old and new file_context files …
diff file_contexts.new file_contexts.old | grep ip6?tables-multi
< /sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0
so the postinstall script runs (essentially)
fixfiles -C file_contexts.old restore
which tries to fix the context for a /sbin/ip6?tables-multi which does not exist on the updated system (which now uses alternatives trickery to version these).
There is a bug in the fixfiles script which was triggered by the weird regex, so the change was not being caught.
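To make the failure mode above concrete, here is an added example (not from this thread, and not the real fixfiles or SELinux code) that models the file_contexts comparison in Python: it diffs two constructed file_contexts excerpts, then shows what happens if a changed spec such as /sbin/ip6?tables-multi.* is looked up as a literal path (nothing matches, so nothing is relabelled) versus anchored and matched as the regex it is (the versioned alternatives binaries are found). The policy excerpts and the /sbin snapshot are constructed for the example.

```python
import re

# Constructed excerpts of old and new file_contexts (not the real policy files).
OLD_FILE_CONTEXTS = """\
/sbin/iptables.* -- system_u:object_r:iptables_exec_t:s0
"""
NEW_FILE_CONTEXTS = """\
/sbin/iptables.* -- system_u:object_r:iptables_exec_t:s0
/sbin/ip6?tables-multi.* -- system_u:object_r:iptables_exec_t:s0
"""

# Constructed snapshot of /sbin after the upgrade: path -> label currently on disk.
# The versioned "alternatives" binaries still carry the default bin_t label.
SYSTEM_FILES = {
    "/sbin/iptables": "system_u:object_r:iptables_exec_t:s0",
    "/sbin/iptables-multi-1.4.7": "system_u:object_r:bin_t:s0",
    "/sbin/ip6tables-multi-1.4.7": "system_u:object_r:bin_t:s0",
}


def parse_file_contexts(text):
    """Return {regex_spec: context} from 'spec [filetype] context' lines."""
    specs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        specs[fields[0]] = fields[-1]  # the file type column (e.g. '--') is optional
    return specs


def changed_specs(old_text, new_text):
    """Specs that are new, or whose context differs, between the two policies."""
    old, new = parse_file_contexts(old_text), parse_file_contexts(new_text)
    return {spec: ctx for spec, ctx in new.items() if old.get(spec) != ctx}


def relabel_literal(changed, files):
    """Hypothetical buggy model: treat each changed spec as a literal path."""
    return {spec: ctx for spec, ctx in changed.items()
            if spec in files and files[spec] != ctx}


def relabel_regex(changed, files):
    """Correct model: anchor each spec as a regex and match it against real paths."""
    todo = {}
    for spec, ctx in changed.items():
        pattern = re.compile(spec + r"\Z")
        for path, label in files.items():
            if pattern.match(path) and label != ctx:
                todo[path] = ctx
    return todo
```

Running relabel_regex on the constructed snapshot is the equivalent of the restorecon -Rv /sbin fix above: it finds both versioned iptables-multi binaries still labelled bin_t, which the literal lookup never sees.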