Bug 1308704

Summary: SELinux file contexts for TripleO ISO
Product: Red Hat Enterprise Linux 7
Reporter: Thom Carlin <tcarlin>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Priority: low
Version: 7.2
CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, tcarlin
Target Milestone: pre-dev-freeze
Keywords: Triaged
Doc Type: If docs needed, set a value
Last Closed: 2017-08-17 10:54:44 UTC
Type: Bug

Description Thom Carlin 2016-02-15 19:36:38 UTC
Description of problem:

"restorecon" should not have to change the type portion of the security context.

Version-Release number of selected component (if applicable):

TP2 RC9

How reproducible:

Believe 100%

Steps to Reproduce:
1. Install TripleO ISO
2. Log in to run launch-fusor-undercloud-installer
3. restorecon -RFvv /

Actual results:

Type portion of security context changes for some files

Expected results:

No type portion changes

Additional info:

Edited List:
* restorecon reset /dev/shm/pulse-shm-* context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:user_tmpfs_t:s0
* restorecon reset /run/netns/qdhcp-* context system_u:object_r:proc_t:s0->system_u:object_r:ifconfig_var_run_t:s0 <- Not sure about this one
* restorecon reset /run/user/0/gvfs context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:fusefs_t:s0
* restorecon reset /run/user/0/keyring-<string> context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:gkeyringd_tmp_t:s0 (and contents)
* restorecon reset /etc/sysconfig/network context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
* restorecon reset /root/.config context system_u:object_r:admin_home_t:s0->system_u:object_r:config_home_t:s0 (and contents)
* restorecon reset /root/.Xauthority context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
* restorecon reset /var/lib/heat-cfntools/cfn-init-data context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:var_lib_t:s0
* restorecon reset /var/log/yum.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:rpm_log_t:s0

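Added check, not part of the bug report or of the selinux-policy package: the report is about the type portion of the label only, but the list above was produced with restorecon -F, which also resets the SELinux user (and role and range), so most of the "unconfined_u -> system_u" entries are a side effect of -F rather than a policy mismatch. The helper below replays the same kind of output (constructed sample lines modelled on the ones quoted above, plus one line in the "Would relabel PATH from OLD to NEW" wording that newer libselinux-based restorecon prints in dry-run mode, which is assumed here rather than taken from the page) and keeps only entries whose type component actually differs. The paths /home/stack/notes and /dev/shm/pulse-shm-1 are made up for the sample.

```shell
#!/bin/sh
# Added example: filter restorecon verbose output down to type changes.
# Not code from the bug report. Context fields are user:role:type:level,
# so the type is the third colon-separated field of each label.
#
# Constructed sample, in the RHEL 7 "restorecon reset ... context OLD->NEW"
# form and (assumed, last line) the newer "Would relabel ... from OLD to NEW" form.
SAMPLE_RESTORECON_OUTPUT='restorecon reset /dev/shm/pulse-shm-1 context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:user_tmpfs_t:s0
restorecon reset /home/stack/notes context unconfined_u:object_r:user_home_t:s0->system_u:object_r:user_home_t:s0
restorecon reset /var/log/yum.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:rpm_log_t:s0
Would relabel /etc/sysconfig/network from unconfined_u:object_r:user_tmp_t:s0 to system_u:object_r:etc_t:s0'

# type_changes OUTPUT
# Prints "PATH OLD_TYPE NEW_TYPE" for each line whose type differs; lines
# where only the user/role/range part changes are dropped. Paths containing
# whitespace are not handled (restorecon prints them unquoted).
type_changes() {
    printf '%s\n' "$1" | awk '
        {
            path = ""; old = ""; new = ""
            if ($1 == "restorecon" && $2 == "reset" && $4 == "context") {
                path = $3
                if (split($5, c, "->") != 2) next
                old = c[1]; new = c[2]
            } else {
                for (i = 1; i <= NF; i++) {
                    if ($i == "relabel") path = $(i + 1)
                    if ($i == "from")    old  = $(i + 1)
                    if ($i == "to")      new  = $(i + 1)
                }
            }
            if (path == "" || old == "" || new == "") next
            split(old, o, ":"); split(new, w, ":")
            if (o[3] != w[3]) print path, o[3], w[3]
        }'
}

# count_type_changes OUTPUT: number of entries with a real type change.
count_type_changes() {
    type_changes "$1" | awk 'END { print NR }'
}

# Stand-alone run on the constructed sample. On a live system the same
# filter applies to a dry run, e.g.:  restorecon -nRv / 2>/dev/null | ...
type_changes "$SAMPLE_RESTORECON_OUTPUT"
```

Run against a real dry-run (restorecon -n, without -F) the remaining entries are the ones worth raising against selinux-policy; a user-only change such as unconfined_u:object_r:user_home_t:s0 -> system_u:object_r:user_home_t:s0 is simply the file carrying the SELinux user of the session that created it, and is not what the description is asking about.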
Comment 6 Thom Carlin 2016-08-05 20:48:55 UTC
In QCI 1.0:
type=AVC msg=audit(1470268404.190:354): avc:  denied  { create } for  pid=10341 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1470281262.458:1948): avc:  denied  { dac_override } for  pid=20052 comm="ovs-vsctl" capability=1  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability

Comment 7 Thom Carlin 2016-08-08 15:41:42 UTC
Per QCI developers, switching to RHEL

Comment 11 Milos Malik 2017-08-17 07:21:01 UTC
Is it still relevant? Do you still see mislabeled files when running restorecon in this scenario?

Comment 12 Thom Carlin 2017-08-17 10:52:02 UTC
No, this is no longer needed

Comment 13 Lukas Vrabec 2017-08-17 10:54:44 UTC
Thanks Thom