Bug 1139138

Summary: cockpit-agent file context should be in cockpit module
Product: [Fedora] Fedora Reporter: Stef Walter <stefw>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: dwalsh, mgrepl, mvollmer
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-08 10:49:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1139380    

Description Stef Walter 2014-09-08 08:03:30 UTC 
The cockpit-agent line like this:

+/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)

Should be in the cockpit file_contexts and in the cockpit module.

The problem arises when in our integration tests upstream, when we try to test with selinux. We have to replace the cockpit selinux module with our own customized version (because of new features that have landed upstream, but not yet in Fedora).

Because the above line is not in the cockpit module in selinux-policy-targetted, we get this failure:

[stef@stef cockpit]$ sudo semodule -i x86_64/cockpit.pp 
[sudo] password for stef: 
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/libexec/cockpit-agent.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!
Comment 1 Miroslav Grepl 2014-09-08 10:49:20 UTC 
+/usr/libexec/cockpit-agent      --  gen_context(system_u:object_r:shell_exec_t,s0)

needs to belong to corecommands.pp because shell_exec_t comes from this module. It's about modularity.

Why not just add cockip_test.pp or something like this. It could raise another issues if you replace a module which we shipped.
Comment 2 Stef Walter 2014-09-08 12:20:28 UTC 
(In reply to Miroslav Grepl from comment #1)
> +/usr/libexec/cockpit-agent      -- 
> gen_context(system_u:object_r:shell_exec_t,s0)
> 
> needs to belong to corecommands.pp because shell_exec_t comes from this
> module. It's about modularity.
> 
> Why not just add cockip_test.pp or something like this. It could raise
> another issues if you replace a module which we shipped.

Because we need to be able to take out rules/declarations as well as add them.

It's not just about adding rules until the Cockpit integration tests work. If we wanted that, we could just run with 'setenforce 0'.
Comment 3 Stef Walter 2014-09-08 19:43:16 UTC 
Work around in cockpit: https://github.com/cockpit-project/cockpit/commit/6f6f7535dcbdcbfa6cdd1a5ff061687a2e1a687e