Bug 1271338

Summary: oo-restorecon -v -a does not add selinux MCS labels to files under hidden directory
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: Containers
Assignee: Timothy Williams <tiwillia>
Status: CLOSED ERRATA
QA Contact: Chao Yang <chaoyang>
Severity: unspecified
Docs Contact:
Priority: high
Version: 2.2.0
CC: adellape, aos-bugs, jialiu, jokerman, mmccomas, nicholas_schuetz, pep, tiwillia
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openshift-origin-node-util-1.38.5.1-1.el6op
Doc Type: Bug Fix
Doc Text:
When restoring SELinux labels, the action was performed on a directory, which does not include hidden files. This caused SELinux labels to not be properly restored on hidden files within a gear directory if they were incorrect. This bug fix ensures that the SELinux label change is performed on all files within a directory, rather than the directory. As a result, hidden files in a gear now have the proper SELinux labels set when they are incorrect.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-17 17:11:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ryan Howe 2015-10-13 17:02:58 UTC
Description of problem:
oo-restorecon -v -a does not add SELinux MCS labels to files under a hidden directory

example:   .env/* 

Version-Release number of selected component (if applicable):
v2.2.x

How reproducible:
100%

Steps to Reproduce:
1. mv /var/lib/openshift/<gearUUID>
2. lose SELinux attributes
3. run oo-restorecon -v -a 

Actual results:

# oo-restorecon -v -a
chcon -l s0:c86,c118 -R /var/lib/openshift/55f8844b8d24b7a8e50000a8/*
restorecon -R /var/lib/openshift/5602de3b8d24b7872c000878/
chcon -l s0:c82,c817 -R /var/lib/openshift/5602de3b8d24b7872c000878/*


# ls -lhaRZ .env/
.env/:
drwxr-x---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 .
drwxr-x---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 ..
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 GEM_HOME
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 HISTFILE
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 HOME
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0:c82,c817 JAVA_OPTS_EXT
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 JENKINS_PASSWORD
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 JENKINS_URL
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 JENKINS_USERNAME
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 OPENSHIFT_APP_DNS
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 OPENSHIFT_APP_NAME
-rw-r--r--. root 5602de3b8d24b7872c000878 

.env/user_vars:
drwxrwx---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 .
drwxr-x---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 ..


Expected results:

All attributes get restored.


Additional info:

Comment 2 Josep 'Pep' Turro Mauri 2015-10-13 17:27:06 UTC
Haven't tested but this should hopefully help:

https://github.com/openshift/origin-server/pull/6273

Comment 7 Johnny Liu 2015-11-18 07:35:49 UTC
Verified this bug with openshift-origin-node-util-1.38.5.1-1.el6op.noarch, and PASS.


# touch .env/bb

# ll -Z .env/bb
-rw-r--r--. root root unconfined_u:object_r:openshift_var_lib_t:s0 .env/bb

# oo-restorecon -v -a 
restorecon -R /var/lib/openshift/jialiu-python33app-1/
chcon -l s0:c6,c673 -R /var/lib/openshift/jialiu-python33app-1/

# ll -Z .env/bb
-rw-r--r--. root root unconfined_u:object_r:openshift_var_lib_t:s0:c6,c673 .env/bb

Comment 9 errata-xmlrpc 2015-12-17 17:11:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2666.html
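
The "Actual results" output above shows chcon being run on <gear>/*, and the shell's * does not match names that begin with a dot, so .env is never visited. The following audit sketch is an added example, not code from origin-server or oo-restorecon. It lists what such a glob skips and flags `ls -Z` lines that lack an MCS category. The function names, the gear layout and the listing lines are constructed, and the `ls -Z` column layout is assumed to be the one shown on this page.

```shell
#!/bin/sh
# Added example. The paths and listing lines below are constructed.

# Print every path under $1 that a recursive command invoked on "$1"/* never
# visits: the shell's * does not match names that start with a dot.
glob_skipped() {
    dir=${1%/}
    all=$(mktemp); seen=$(mktemp)
    find "$dir" -mindepth 1 | LC_ALL=C sort > "$all"
    for top in "$dir"/*; do          # same expansion as: chcon ... -R <gear>/*
        if [ -e "$top" ]; then find "$top"; fi
    done | LC_ALL=C sort > "$seen"
    LC_ALL=C comm -23 "$all" "$seen"
    rm -f "$all" "$seen"
}

# Read `ls -Z` lines in the layout shown on this page (mode user group
# context name) and print the names whose context has no MCS category.
missing_mcs() {
    awk 'NF >= 5 && $5 != "." && $5 != ".." {
        if (split($4, part, ":") < 5) print $5
    }'
}

# Constructed listing: one labelled file, one that kept the bare s0 level.
sample_listing() {
    cat <<'EOF'
drwxr-x---. root gear1 system_u:object_r:openshift_var_lib_t:s0 .
-rw-r--r--. root gear1 system_u:object_r:openshift_var_lib_t:s0 HOME
-rw-r--r--. root gear1 system_u:object_r:openshift_var_lib_t:s0:c82,c817 JAVA_OPTS_EXT
EOF
}

demo() {
    gear=$(mktemp -d)                # constructed stand-in for a gear directory
    mkdir -p "$gear/.env/user_vars" "$gear/app-root"
    touch "$gear/.env/HOME" "$gear/app-root/index"
    echo "skipped by $gear/*:"; glob_skipped "$gear"
    echo "no MCS category:";    sample_listing | missing_mcs
    rm -rf "$gear"
}
demo
```

On a node, feeding `ls -lRZ` output for a gear directory to `missing_mcs` after a relabel shows whether any entry was left at the bare s0 level.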