Bug 1376414

Summary: Test case failure: /CoreOS/tar/Regression/bz1347396-coredump-when-selinux-on-but-policy-missing
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.2
Hardware: Unspecified
OS: Linux
Status: CLOSED NOTABUG
Severity: low
Priority: low
Reporter: Karel Volný <kvolny>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: kvolny, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Target Upstream Version: ---
Doc Type: If docs needed, set a value
Story Points: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Type: Bug
Last Closed: 2017-08-17 10:53:08 UTC
Bug Blocks: 1393066

Comment 6 Milos Malik 2017-08-17 09:48:04 UTC
I believe that setfattr is not capable of deciding (before it tries to save the value on filesystem) what value is correct or valid or well-formatted from SELinux point of view. No matter if SELinux is enforcing or permissive, the "unlabeled" value will be rejected and the SELINUX_ERR will be generated.

If you want to get rid of SELinux errors, please use the following command in your TC:

rlRun "setfattr -n security.selinux -v system_u:object_r:unlabeled_t:s0 bz1347396" 0 "Setting 'unlabeled' attribute on the testfile"

If you want to apply an invalid (because atd_t is a process type, not a file type) but well-formatted label, please use the following commands:

# setenforce 0
# setfattr -n security.selinux -v system_u:object_r:atd_t:s0 bz1347396
# ls -Z bz1347396 
-rw-r--r--. root root system_u:object_r:atd_t:s0       bz1347396
# setenforce 1
# ls -Z bz1347396 
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 bz1347396
#

Running the same command as root in a SSH terminal and in a beaker test via beaker harness does not always result in the same SELinux context. The difference is visible in the "*_u" parts of scontext and tcontext:

automated run via beaker harness
====
type=AVC msg=audit(1473870156.661:82): avc:  denied  { mac_admin } for  pid=28341 comm="setfattr" capability=33  scontext=system_u:unconfined_r:unconfined_t:s0 tcontext=system_u:unconfined_r:unconfined_t:s0 tclass=capability2

manual run in a SSH terminal
====
type=AVC msg=audit(1502961768.137:94): avc:  denied  { mac_admin } for  pid=11470 comm="setfattr" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2
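The following script is an added example for this bug; it is not code from the report, from Milos Malik, or from the /CoreOS/tar test suite. It does three things the comment above describes in prose: it shows the only validation a client like setfattr can do on a context (shape, not meaning), it extracts scontext/tcontext from the two AVC records quoted above (copied here as constructed sample input) and reports the "*_u" difference between the beaker harness and an SSH login, and it wraps the setenforce/setfattr/ls -Z procedure in a function that restores the previous enforcing mode on exit. relabel_demo() assumes a RHEL 7 host with SELinux enabled, root privileges, and a test file in the working directory; the parsing functions run anywhere.

```shell
#!/bin/sh
# Added example; not code from the bug report or the tar test suite.
# The two AVC records are copied from comment 6 and embedded as constructed
# sample input. relabel_demo() assumes SELinux is enabled and that the caller
# is root; the other functions need only sh, sed and cut.

AVC_BEAKER='type=AVC msg=audit(1473870156.661:82): avc:  denied  { mac_admin } for  pid=28341 comm="setfattr" capability=33  scontext=system_u:unconfined_r:unconfined_t:s0 tcontext=system_u:unconfined_r:unconfined_t:s0 tclass=capability2'
AVC_SSH='type=AVC msg=audit(1502961768.137:94): avc:  denied  { mac_admin } for  pid=11470 comm="setfattr" capability=33  scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2'

# avc_field RECORD NAME: print the value of "NAME=value" from one audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_part CONTEXT N: field N of user:role:type:level (1=user, 2=role, 3=type).
ctx_part() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# ctx_level CONTEXT: the MLS/MCS part. It may itself contain a colon
# (s0-s0:c0.c1023), so take field 4 to the end rather than field 4 alone.
ctx_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# ctx_well_formed CONTEXT: the only check a client such as setfattr could make
# before the value reaches the kernel: four colon-separated fields in the
# usual *_u:*_r:*_t:level shape. It cannot tell whether the type is valid for
# a file (atd_t passes here; the kernel still rejects it, as comment 6 shows),
# while a bare "unlabeled" fails both here and in the kernel.
ctx_well_formed() {
    case $1 in
        *_u:*_r:*_t:s*) return 0 ;;
        *) return 1 ;;
    esac
}

# avc_user_mismatch RECORD1 RECORD2: succeed when the SELinux user of the two
# scontexts differs (system_u under the beaker harness, unconfined_u in an SSH
# terminal), printing both users so the difference is visible in test output.
avc_user_mismatch() {
    u1=$(ctx_part "$(avc_field "$1" scontext)" 1)
    u2=$(ctx_part "$(avc_field "$2" scontext)" 1)
    printf '%s %s\n' "$u1" "$u2"
    [ "$u1" != "$u2" ]
}

# relabel_demo FILE CONTEXT: the procedure from comment 6. Apply CONTEXT in
# permissive mode, show it, switch back to enforcing and show what the kernel
# reports then (comment 6 shows unlabeled_t for a process type such as atd_t).
# The previous mode is restored on exit. Needs root; not run by the checks
# below, run it by hand: relabel_demo bz1347396 system_u:object_r:atd_t:s0
relabel_demo() {
    mode=$(getenforce) || return 1
    if [ "$mode" = Disabled ]; then
        echo "SELinux is disabled; nothing to demonstrate" >&2
        return 1
    fi
    trap 'setenforce "$mode"' EXIT
    setenforce 0
    setfattr -n security.selinux -v "$2" "$1"
    ls -Z "$1"
    setenforce 1
    ls -Z "$1"
}
```

In a beaker TC the useful part is avc_user_mismatch: grep the AVC for comm="setfattr" out of ausearch output and feed it to avc_field/ctx_part instead of hard-coding "unconfined_u" in an expected string, since the harness runs as system_u.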