Bug 1131501

Summary: Mislabeled file '/var/lock/subsys/rtas_errd' found
Product: Red Hat Enterprise Linux 6
Reporter: Martin Žember <mzember>
Component: ppc64-diag
Assignee: Jakub Čajka <jcajka>
Status: CLOSED ERRATA
QA Contact: Release Test Team <release-test-team>
Severity: unspecified
Priority: unspecified
Version: 6.5
CC: dhorak, ebenes, jherrman, mganisin, pkotvan, rvokal, secondary-arch-list
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ppc64-diag-2.6.7-1.el6
Doc Type: Bug Fix
Doc Text:
Prior to this update, the /var/lock/subsys/rtas_errd file was incorrectly labeled for SELinux as "system_u:object_r:var_lock_t:s0". This update corrects the SELinux label to "system_u:object_r:rtas_errd_var_lock_t:s0".
Last Closed: 2015-07-22 06:29:31 UTC
Type: Bug

Description Martin Žember 2014-08-19 12:45:52 UTC
Description of problem:
Mislabeled regular file '/var/lock/subsys/rtas_errd' found. Labeled as 'system_u:object_r:var_lock_t:s0', should be 'system_u:object_r:rtas_errd_var_lock_t:s0'.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install all packages on a RHEL-6.6 system, RHEL-6.6-20140731.1
2. # matchpathcon /var/lock/subsys/rtas_errd
/var/lock/subsys/rtas_errd	system_u:object_r:rtas_errd_var_lock_t:s0
3. # restorecon -v /var/lock/subsys/*
restorecon reset /var/lock/subsys/rtas_errd context system_u:object_r:var_lock_t:s0->system_u:object_r:rtas_errd_var_lock_t:s0

Actual results:
restorecon reset /var/lock/subsys/rtas_errd context system_u:object_r:var_lock_t:s0->system_u:object_r:rtas_errd_var_lock_t:s0

Expected results:
Already rtas_errd_var_lock_t

At least that is what it looks like after:
# restorecon /boot/etc/yaboot.conf

Comment 1 Martin Žember 2014-08-19 12:50:18 UTC
Additional info:
# ls -Zl /var/lock/subsys
-rw-r--r--. 1 system_u:object_r:var_lock_t:s0  root root 0 Aug 18 12:57 abrt-ccpp
-rw-r--r--. 1 system_u:object_r:var_lock_t:s0  root root 0 Aug 18 12:57 abrtd
-rw-r--r--. 1 system_u:object_r:var_lock_t:s0  root root 0 Aug 18 12:57 anamon
(...too long)

2 files have a more specific context, e.g. rtas_errd_var_lock_t, the rest (29 files) have var_lock_t. Don't the other files deserve a more specific context, too? I am trying to find a way to speed up the process as there are many of them.

Comment 3 Martin Žember 2014-08-19 15:49:43 UTC
There are no transition rules if an initrc_t-labeled process creates the file:
# sesearch -s initrc_t -t var_lock_t -c file -T

The daemon itself does not create it:
# sesearch -s rtas_errd_t -t var_lock_t -c file -T
Found 1 semantic te rules:
   type_transition rtas_errd_t var_lock_t : file rtas_errd_var_lock_t; 

It is /etc/init.d/rtas_errd that creates it with 'touch'.

Solution: either run 'restorecon' from within /etc/init.d/rtas_errd or create the lock file in the daemon.
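
The check from the steps to reproduce can be run over a whole directory without changing any label. This is an added example, not part of the bug report or of ppc64-diag: it parses `restorecon -n -v` output in the line format quoted above and lists each path with its current and expected SELinux type. The function names and the second and third sample lines are constructed.

```shell
#!/bin/sh
# Added example. Reads "restorecon -n -v" output on stdin in the format
# quoted in this report:
#   restorecon reset PATH context OLD_CONTEXT->NEW_CONTEXT
# and prints "PATH CURRENT_TYPE EXPECTED_TYPE" for every file whose
# SELinux *type* differs from what the policy file contexts expect.
mislabeled_types() {
    awk '
    $1 == "restorecon" && $2 == "reset" && NF >= 5 && $(NF-1) == "context" {
        # Rejoin the path in case it contains spaces (fields 3 .. NF-2).
        path = $3
        for (i = 4; i <= NF - 2; i++) path = path " " $i

        # Last field is "user:role:type:level->user:role:type:level".
        if (split($NF, ctx, "->") != 2) next
        split(ctx[1], cur, ":")
        split(ctx[2], want, ":")

        # Field 3 of a context is the type; user-only differences are skipped.
        if (cur[3] != want[3]) print path, cur[3], want[3]
    }'
}

# Sample input. Line 1 is the output shown in this report; lines 2 and 3
# are constructed (a user-only change and an unrelated line).
sample_output() {
    cat <<'EOF'
restorecon reset /var/lock/subsys/rtas_errd context system_u:object_r:var_lock_t:s0->system_u:object_r:rtas_errd_var_lock_t:s0
restorecon reset /var/lock/subsys/example context unconfined_u:object_r:var_lock_t:s0->system_u:object_r:var_lock_t:s0
unrelated line that is not a reset message
EOF
}

# Offline demonstration on the sample:
sample_output | mislabeled_types

# On a live system (assumes this restorecon prints the format above):
#   restorecon -n -v /var/lock/subsys/* | mislabeled_types
```

Every path this reports has a specific type in the file contexts but was created without the matching type transition, which is the situation Comment 3 describes for the init script.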

Comment 11 errata-xmlrpc 2015-07-22 06:29:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.