Bug 1400482

Summary: semanage node --extract does not print MLS/MCS security range
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: policycoreutils
Assignee: Vit Mojzis <vmojzis>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 7.3
CC: dwalsh, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: policycoreutils-2.5-31.el7
Doc Type: If docs needed, set a value
Clones: 1400550
Last Closed: 2019-08-06 13:00:15 UTC
Type: Bug

Description Milos Malik 2016-12-01 10:47:12 UTC
Description of problem:
  -E, --extract         Extract customizable commands, for use within a
                        transaction
If the extract option is used in a transaction then the security range is lost.

Version-Release number of selected component (if applicable):
policycoreutils-2.5-8.el7.x86_64
policycoreutils-python-2.5-8.el7.x86_64

How reproducible:
* always

Steps to Reproduce:
# seinfo --nodecon
Nodecon: 0
# semanage node -l
# semanage node -E
# semanage node -a -M 255.255.255.0 -p ipv4 -t node_t -r s0-s0:c0.c1 192.168.0.123
# seinfo --nodecon
Nodecon: 1
   nodecon 192.168.0.123 255.255.255.0 system_u:object_r:node_t:s0 - s0:c0.c1
# semanage node -l
IP Address         Netmask            Protocol Context

192.168.0.123      255.255.255.0      ipv4  system_u:object_r:node_t:s0-s0:c0,c1 
# semanage node -E
node -a -M 255.255.255.0 -p ipv4 -t node_t 192.168.0.123
# 

Expected results:
* the security range is also printed

Comment 1 Milos Malik 2016-12-01 10:51:03 UTC
The same issue is reproducible with semanage interface:

# seinfo --netifcon

Netifcon: 1
   netifcon xyz system_u:object_r:netif_t:s0 - s0:c0.c1 system_u:object_r:netif_t:s0 - s0:c0.c1
# semanage interface -l
SELinux Interface              Context

xyz                            system_u:object_r:netif_t:s0-s0:c0,c1 
# semanage interface -E
interface -a -t netif_t xyz
#

Comment 2 Milos Malik 2016-12-01 12:57:33 UTC
My guess is that all semanage sub-commands which support the -E, --extract option suffer from this issue:

# semanage fcontext -l -C
# semanage fcontext -a -t tmp_t -r s0:c0.c1 /pokus
# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/pokus                                             all files          system_u:object_r:tmp_t:s0:c0.c1 
# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
fcontext -a -f a -t tmp_t '/pokus'
# semanage fcontext -E
fcontext -a -f a -t tmp_t '/pokus'
# 

The export sub-command of semanage does not print the MLS/MCS security range either.

Comment 5 Milos Malik 2017-07-17 07:58:24 UTC
Because the export option for the user and login sub-commands prints the MLS/MCS security range:

# semanage user -E
user -a -L s0 -r s0 -R 'user_r' user_u
user -a -L s0 -r s0 -R 'xguest_r' xguest_u
# semanage login -E
login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
login -a -s guest_u -r 's0' guest-user
login -a -s staff_u -r 's0-s0:c0.c1023' staff-user
login -a -s user_u -r 's0' user-user
login -a -s xguest_u -r 's0' xguest
login -a -s xguest_u -r 's0' xguest-user
# 

it would be great if the export option also printed the MLS/MCS range for the other sub-commands. Otherwise the export/import mechanism loses information.

# grep semanage /usr/libexec/selinux/selinux-policy-migrate-local-changes.sh 
        if [ -x /usr/sbin/semanage ]; then
            /usr/sbin/semanage export | /usr/sbin/semanage import
#
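
A check for the information loss described in this comment, added here as an example (it is not part of the bug report or of policycoreutils): it parses `semanage <sub-command> -l` and `-E` output, with sample input constructed from the report's node listing, and reports objects that are listed with a range but extracted without `-r`. Because every listing puts the context in the last column and every extract line puts the object name last, the same check covers the node, interface and fcontext output shown earlier in this report.

```python
"""Check whether `semanage <sub-command> -E` keeps the MLS/MCS range shown by
`semanage <sub-command> -l`. Added example, not from the report or policycoreutils."""
import shlex

# Constructed sample: the `semanage node -l` listing and the matching
# `semanage node -E` line, copied from the report's "Steps to Reproduce".
LIST_OUTPUT = """\
IP Address         Netmask            Protocol Context

192.168.0.123      255.255.255.0      ipv4  system_u:object_r:node_t:s0-s0:c0,c1
"""
EXTRACT_OUTPUT = "node -a -M 255.255.255.0 -p ipv4 -t node_t 192.168.0.123\n"

def context_range(context):
    """Range part of user:role:type[:range], or None; the range itself may
    contain ':' (s0-s0:c0,c1), so split at most three times."""
    parts = context.split(":", 3)
    return parts[3] if len(parts) == 4 else None

def listed_ranges(list_output):
    """Map each listed object (first column) to the range of its context
    (last column); the header line and blank lines are skipped."""
    ranges = {}
    for line in list_output.splitlines()[1:]:
        fields = line.split()
        if fields:
            ranges[fields[0]] = context_range(fields[-1])
    return ranges

def extracted_ranges(extract_output):
    """Map each object in `-E` output (last argument) to its -r value, or None."""
    ranges = {}
    for line in extract_output.splitlines():
        args = shlex.split(line)          # handles quoted values like '/pokus'
        if len(args) < 3 or args[1] != "-a":
            continue                      # e.g. the "<sub-command> -D" lines
        ranges[args[-1]] = args[args.index("-r") + 1] if "-r" in args else None
    return ranges

def lost_ranges(list_output, extract_output):
    """Objects listed with a range but extracted without -r: these would come
    back unranged after `semanage export | semanage import`."""
    extracted = extracted_ranges(extract_output)
    return {name: rng for name, rng in listed_ranges(list_output).items()
            if rng is not None and extracted.get(name) is None}

if __name__ == "__main__":
    for name, rng in lost_ranges(LIST_OUTPUT, EXTRACT_OUTPUT).items():
        print(f"{name}: range {rng} is missing from the extract")
```

On a real system, feed it the captured output of `semanage <sub-command> -l` and `semanage <sub-command> -E` before relying on export/import for migration.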

Comment 11 errata-xmlrpc 2019-08-06 13:00:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2160