Bug 131187
Summary: | fstab-sync trashes /etc/fstab's SELinux context | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | W. Michael Petullo <redhat> | ||||
Component: | hal | Assignee: | David Zeuthen <davidz> | ||||
Status: | CLOSED RAWHIDE | QA Contact: | |||||
Severity: | high | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | rawhide | CC: | mclasen, russell | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2004-09-01 10:00:27 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 123268, 130887 | ||||||
Attachments: |
|
Description
W. Michael Petullo
2004-08-28 16:58:04 UTC
Thanks for the report. I'll look into this. Glad I checked before I filed.... I'm seeing this too with hal-0.2.97.cvs20040827-3. Alright, I've added support for this in fstab-sync. I don't have a selinux system available presently, so please try this fstab-sync binary here http://freedesktop.org/~david/selinux/ it's for i386; let me know if you use another architecture and I'll build some RPMS insteads. Should this not work, please include the output of 'hald --daemon=no verbose=yes' running as root (remember to stop the haldaemon service). Thanks, David I just saw that you are using PPC (at least your browser suggests that), so I've just uploaded a SRPM to the location given above (built at my local box). If it looks good I'll put this into Rawhide, so please let me know how it works out. Created attachment 103224 [details] Output from "hald --daemon=no --verbose=yes" I just tried hal-0.2.97.cvs20040830-1 and the problem remains. I verified that fstab-sync is linked against libselinux. This has also been talked about on the fedora-selinux mailing list: http://www.redhat.com/archives/fedora-selinux-list/2004-August/msg00204.html OK, here we go again, please try http://freedesktop.org/~david/selinux/hal-0.2.97.cvs20040830-2.src.rpm Now we don't create the temporary file in /tmp but rather in /etc. Please give a 'ls -lZ /etc/fstab' and hald dump if this still fails. Much thanks. Here are the results with hal-0.2.97.cvs20040830-2: [root@imp /]# ls -lZ /etc/fstab -rw-r--r-- root root system_u:object_r:etc_t /etc/fstab [root@imp /]# fstab-sync -c /etc/fstab [root@imp /]# ls -lZ /etc/fstab -rw-r--r-- root root root:object_r:etc_t /etc/fstab [root@imp /]# restorecon /etc/fstab [root@imp /]# ls -lZ /etc/fstab -rw-r--r-- root root system_u:object_r:etc_t /etc/fstab This is closer but now we switch from system_u:object_r:etc_t to root:object_r:etc_t. Alright, I think I know what is wrong, please try with this one http://people.redhat.com/davidz/hal-0.2.97.cvs20040831-1.src.rpm if it doesn't work please post the output of 'fstab-sync -c -v' (the -v is important). Much thanks. Btw, I implemented this using code from restorecon to save a fork+exec and possible error paths; does this mean that fstab-sync will require some extra privs to relabel files? Is this the recommended way to do this? (FWIW, I have to rename a tmp file in /etc to /etc/fstab to achieve atomicity in the update; but now that I need to do the restorecon thing this no longer appears atomic on selinux; we may fail between rename(2) and restorecon, right? Hmm). hal-0.2.97.cvs20040831-1 seems to fix things. I did get the following SELinux-related log (SELinux is not currently enforcing my policy -- only checking): Aug 30 21:36:02 imp kernel: audit(1093919762.305:0): avc: denied { read } for pid=15888 exe=/usr/sbin/fstab-sync path=pipe:[20827] dev=pipefs ino=20827 scontext=root:system_r:updfstab_t tcontext=user_u:user_r:user_su_t tclass=fifo_file Aug 30 21:36:02 imp fstab-sync[15888]: removed all generated mount points ...but it seems dbus, udev and crew in general have a lot of issues with the current strict policy anyway. It seems that there is a lot of copy and pasting of code from restorecon.c. It's unfortunate if there is no higher level function to do something that seems this fundamental. I would also be interested in seeing comment on the atomic issue raised in comment #9. I've built hal-0.2.97.cvs20040901-1 into Rawhide with this fix - I'll keep the atomic issue with in mind. Thanks. *** Bug 131413 has been marked as a duplicate of this bug. *** |