Bug 1361000

Summary: file contexts from custom SELinux policy modules are discarded when upgrading policy
Product: Red Hat Enterprise Linux 7 Reporter: Dan Callaghan <dcallagh>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: high Docs Contact:
Priority: high    
Version: 7.3CC: dapospis, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, szidek
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-93.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 02:35:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dan Callaghan 2016-07-28 06:33:45 UTC 
Description of problem:
When upgrading to the RHEL7.3 selinux-policy (along with its corresponding updates to libsemanage 2.5 and policycoreutils 2.5) files are relabelled without taking into account the rules from custom policy modules.

Version-Release number of selected component (if applicable):
libsemanage-2.5-3.el7
policycoreutils-2.5-5.1.el7
selinux-policy-3.13.1-82.el7
selinux-policy-targeted-3.13.1-82.el7

How reproducible:
with some difficulty

Steps to Reproduce:
1. Write a custom policy module with file context rules for /var/lib/something
2. On RHEL7.2, semodule -i <policy>
3. Upgrade to libsemanage-2.5-3.el7, policycoreutils-2.5-5.1.el7, selinux-policy-3.13.1-82.el7

Actual results:
Files in /var/lib/something have been relabelled ignoring the rules from the custom policy (changed back to var_lib_t).

Expected results:
Labels should not be wrong. File context rules from the custom policy module should still be applied.

Additional info:
Workaround is to restorecon after the yum transaction is complete. This works because at that point, the custom policy module *is* loaded again -- it's just not loaded when fixfiles is invoked in the %post scriptlet for selinux-policy-targeted.

We hit this in Beaker, where the harness (beah) includes a custom policy module. Background info is in bug 1351202. This can be reproduced fairly easily in a Beaker job.
Comment 1 Dan Callaghan 2016-07-28 07:43:06 UTC 
I think this might be related to:
https://github.com/SELinuxProject/selinux/wiki/Policy-Store-Migration

By some very unscientific methods (basically SIGSTOP'ing yum at various points during the upgrade and poking around at what it's doing) I saw that there is a triggerpostun scriptlet for the newer selinux-policy-targeted, which is moving custom policy modules to the new store location:

[...]
for i in `find /etc/selinux/targeted/modules/active/modules/ -name *.pp 2> /dev/null`; do 
    INSTALL_MODULES="${INSTALL_MODULES} $i" 
done 
if [ -n "$INSTALL_MODULES" ]; then 
	semodule -s targeted -X 400 -i $INSTALL_MODULES 
fi 
[...]

But it seems that this happens *after* the %post scriptlet from selinux-policy-targeted which is running fixfiles -C, to relabel files whose contexts have changed. So the fixfiles invocation is running without custom policy modules installed, therefore it gets the labels wrong.
Comment 4 Lukas Vrabec 2016-08-08 16:42:05 UTC 
Dan, 
You are right, store migration is executed after relabeling. This is wrong. I changed the order. Looks it is fixed now.
Comment 10 errata-xmlrpc 2016-11-04 02:35:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html