Bug 118617

Summary: restorecon on symlink applies wrong context
Product: [Fedora] Fedora
Component: policycoreutils
Reporter: Stephen Tweedie <sct>
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: rawhide
CC: pgraner, sct
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-03-25 05:20:34 UTC

Description Stephen Tweedie 2004-03-18 12:51:20 UTC
Description of problem:
"restorecon" on a symlink has entirely the wrong behaviour.  It looks
up the correct context for the symlink, but then applies that context
to the file that the symlink points to.

So, for example, "restorecon /bin/sh" will give bash the context
system_u:object_r:bin_t instead of system_u:object_r:shell_exec_t. 
This breaks all manner of things.

"restorecon -h" will work, but without -h, we do something completely
broken.  If we're going to follow the symlink when applying the
context, then we need to follow the symlink when looking up the
appropriate context, too.

"restorecon" is what people will use to fix policy; it should really
try to avoid this unexpected behaviour by default.

Version-Release number of selected component (if applicable):
policycoreutils-1.9-8

How reproducible:
100%

Steps to Reproduce:
# restorecon /bin/sh
# ls -lZ /bin/bash

Actual results:
-rwxr-xr-x+ root root system_u:object_r:bin_t /bin/bash

Expected results:
-rwxr-xr-x+ root root system_u:object_r:shell_exec_t /bin/bash

Comment 1 Daniel Walsh 2004-03-18 13:33:23 UTC
I pulled out the handling of symlinks and made it always set the
context of the file handed to it, whether it is a symlink or a file.

-h option removed.

Available in policycoreutils-1.9-9
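
The lookup/apply mismatch from this report, modelled as an added example (not part of the bug report and not policycoreutils code). It makes no SELinux calls: `lookup_context` is a constructed stand-in for the policy lookup, and `plan`, `consistent` and `make_fixture` are hypothetical names. The fixture is a throwaway directory under /tmp containing `bash` and a symlink `sh -> bash`.

```c
#define _XOPEN_SOURCE 700  /* for mkdtemp, realpath, symlink */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the policy lookup (hypothetical): a last path
   component of "bash" maps to shell_exec_t, anything else to bin_t. */
static const char *lookup_context(const char *path) {
    const char *s = strrchr(path, '/');
    return strcmp(s ? s + 1 : path, "bash") == 0 ? "system_u:object_r:shell_exec_t"
                                                  : "system_u:object_r:bin_t";
}

struct relabel { char object[PATH_MAX]; const char *context; };
enum mode { REPORTED, NOFOLLOW, FOLLOW };

static int plan(const char *path, enum mode m, struct relabel *r) {
    /* Object that gets written: the link itself, or what it resolves to. */
    if (m == NOFOLLOW) snprintf(r->object, PATH_MAX, "%s", path);
    else if (!realpath(path, r->object)) return -1;
    /* Name the context is looked up for; REPORTED uses the unresolved name. */
    r->context = lookup_context(m == FOLLOW ? r->object : path);
    return 0;
}
/* Sound only if the context is what the policy gives the object written. */
static int consistent(const struct relabel *r) {
    return strcmp(r->context, lookup_context(r->object)) == 0;
}
/* Constructed fixture: tmpl/bash (regular file) and tmpl/sh -> bash. */
static int make_fixture(char *tmpl, char *lpath, size_t n) {
    char file[PATH_MAX]; FILE *f;
    if (!mkdtemp(tmpl)) return -1;
    snprintf(file, sizeof file, "%s/bash", tmpl);
    if (!(f = fopen(file, "w"))) return -1;
    fclose(f);
    snprintf(lpath, n, "%s/sh", tmpl);
    return symlink("bash", lpath);
}
int main(void) {
    char dir[] = "/tmp/relabelXXXXXX", lpath[PATH_MAX];
    struct relabel r;
    if (make_fixture(dir, lpath, sizeof lpath)) return 1;
    for (int m = REPORTED; m <= FOLLOW; m++)
        if (plan(lpath, m, &r) == 0)
            printf("mode %d: %s gets %s%s\n", m, r.object, r.context,
                   consistent(&r) ? "" : "  <-- mismatch");
    return 0;
}
```

In libselinux terms, NOFOLLOW corresponds to labelling with `lsetfilecon()` and FOLLOW to resolving the path before both the lookup and `setfilecon()`.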