Bug 1395778
| Summary: | file_contexts.local not present even though it should be | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Haines <david.haines> |
| Component: | policycoreutils | Assignee: | Petr Lautrbach <plautrba> |
| Status: | CLOSED ERRATA | QA Contact: | Dalibor Pospíšil <dapospis> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.3 | CC: | akkornel, billtang, cshao, csheets, dapospis, david.haines, dguo, dougsland, dwalsh, fdeutsch, gtirloni, hunter86_bg, huzhao, jiawu, lsurette, lvrabec, matthias, mgoldboi, mgrepl, miturria, mmalik, netwiz, pasteur, pchavan, plautrba, pvrabec, robert.moucha, srandhaw, ssekidde, tseewald, ycui, ykaul |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | policycoreutils-2.5-15.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1381112 | Environment: | |
| Last Closed: | 2017-08-01 16:16:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description
David Haines
2016-11-16 16:07:47 UTC
David, I am unable to reproduce this error

[root@localhost ~]# lsb_release -d; getenforce; rpm -q selinux-policy-targeted; rpm -q policycoreutils-python; audit2allow -a
Description: Red Hat Enterprise Linux Server release 7.3 (Maipo)
Enforcing
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
policycoreutils-python-2.5-8.el7.x86_64
[root@localhost ~]#

David, Are you still seeing this problem with the latest selinux-policy packages?

I just did a clean new install of 7.3 from the DVD ISO media - then a yum -y update. Package installed is:
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
I see:
# audit2allow -a /var/log/audit/audit.log
[Errno 2] No such file or directory: '/etc/selinux/targeted/contexts/files/file_contexts.local'
A reinstall via 'yum reinstall selinux-policy-targeted' didn't fix the issue.
Fixed via:
# touch /etc/selinux/targeted/contexts/files/file_contexts.local
audit2allow now works as expected - however this should probably be fixed in the package installation.

I can confirm the same issue, affecting only clean installs of RHEL 7.3 (not systems updated from prior releases).
The problem, as described, is that the /etc/selinux/targeted/contexts/files/file_contexts.local file does not exist anymore on a new system, and the audit2allow command fails because of that. "touch"ing the file does indeed fix it.
This is with :
selinux-policy-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
I have dug a bit into the rpm changes, comparing 3.13.1-60.el7 (RHEL 7.2) with selinux-policy-3.13.1-102.el7_3.7 (RHEL 7.3), and the problem is that this file used to be included empty, but is now referenced as %ghost and no longer included. This change broke audit2allow, since apparently it needs the file and doesn't automatically create it if missing.
selinux-policy-3.13.1-60.el7 spec :
[...]
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
[...]
selinux-policy-3.13.1-102.el7_3.7 spec :
[...]
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.local \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.local.bin \
[...]
The file needs to be set back to %config(noreplace), or audit2allow modified to create the file when it's missing.
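The workaround discussed in this report, written as a repeatable check over every policy store under /etc/selinux. This is an added example, not part of the bug report or of policycoreutils; the function names, the optional root prefix, and the 0644 mode are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. The optional root prefix and the
# function names are hypothetical; the prefix lets the check run on a test tree.

# List each policy store under <root>/etc/selinux that lacks file_contexts.local.
missing_local_contexts() {
    root=${1:-}
    for dir in "$root"/etc/selinux/*/contexts/files; do
        [ -d "$dir" ] || continue    # unmatched glob or not a directory
        [ -e "$dir/file_contexts.local" ] || printf '%s\n' "$dir/file_contexts.local"
    done
}

# Apply the workaround from the report: create each missing file with zero length.
# ">>" creates without truncating, so a file that already holds local rules is untouched.
fix_local_contexts() {
    missing_local_contexts "${1:-}" | while IFS= read -r f; do
        # Mode 0644 is an assumption, not a value taken from the report.
        : >> "$f" && chmod 0644 "$f" && printf 'created %s\n' "$f"
    done
}

# Constructed demo tree: "targeted" lacks the file (as on a fresh 7.3 install),
# "mls" already has one with a constructed local rule that must survive.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux/targeted/contexts/files" "$demo/etc/selinux/mls/contexts/files"
printf '%s\n' '/srv/web(/.*)?  system_u:object_r:httpd_sys_content_t:s0' \
    > "$demo/etc/selinux/mls/contexts/files/file_contexts.local"

echo "missing before fix:"
missing_local_contexts "$demo"
fix_local_contexts "$demo"
echo "missing after fix: $(missing_local_contexts "$demo" | wc -l)"
```

On a real host, calling `fix_local_contexts` with no argument as root operates on /etc/selinux itself.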
*** Bug 1419929 has been marked as a duplicate of this bug. ***

Experiencing the same issue with updated packages:
policycoreutils-2.5-11.el7_3.x86_64
policycoreutils-python-2.5-11.el7_3.x86_64
selinux-policy-3.13.1-102.el7_3.13.noarch
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch

*** Bug 1391009 has been marked as a duplicate of this bug. ***

I am experiencing the same issue with redhat 7.3 (kernel-3.10.0-514.16.1.el7.x86_64):
policycoreutils-python-2.5-11.el7_3.x86_64
policycoreutils-2.5-11.el7_3.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch
Is there a workaround?
[root@host-1 ~]# audit2allow -a
[Errno 2] No such file or directory: '/etc/selinux/targeted/contexts/files/file_contexts.local'

I am experiencing the same issue with redhat 7.3 (kernel-3.10.0-514.16.1.el7.x86_64):
policycoreutils-python-2.5-11.el7_3.x86_64
policycoreutils-2.5-11.el7_3.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch
[root@host-1 ~]# audit2allow -a
[Errno 2] No such file or directory: '/etc/selinux/targeted/contexts/files/file_contexts.local'
Workaround appears to be creating a zero length file
[root@host-1 ~]# touch /etc/selinux/targeted/contexts/files/file_contexts.local

Hello, I can confirm that a fresh install of RHEL 7.3 is missing the file. Also the "sepolicy manpage" command fails until a zero length file is created.

I can confirm the workaround in comment 21 has resolved the problem on my machines.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1883