Bug 1400550

Summary: semanage node --extract does not print MLS/MCS security range
Product: Red Hat Enterprise Linux 6 Reporter: Milos Malik <mmalik>
Component: policycoreutilsAssignee: Petr Lautrbach <plautrba>
Status: CLOSED WONTFIX QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.9CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1400482 Environment:
Last Closed: 2017-10-02 14:24:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Milos Malik 2016-12-01 13:26:22 UTC 
+++ This bug was initially created as a clone of Bug #1400482 +++

Description of problem:
  -E, --extract         Extract customizable commands, for use within a
                        transaction
If the extract option is used in a transaction then the security range is lost.

Version-Release number of selected component (if applicable):
policycoreutils-python-2.0.83-29.el6.x86_64
policycoreutils-2.0.83-29.el6.x86_64

How reproducible:
* always

Steps to Reproduce:
# seinfo --nodecon
Nodecon: 0
# semanage node -l
# semanage node -E
# semanage node -a -M 255.255.255.0 -p ipv4 -t node_t -r s0-s0:c0.c1 192.168.0.123
# seinfo --nodecon
Nodecon: 1
   nodecon 192.168.0.123 255.255.255.0 system_u:object_r:node_t:s0 - s0:c0.c1
# semanage node -l
IP Address         Netmask            Protocol Context

192.168.0.123      255.255.255.0      ipv4  system_u:object_r:node_t:s0-s0:c0,c1 
# semanage node -E
node -a -M 255.255.255.0 -p ipv4 -t node_t 192.168.0.123
# 

Expected results:
* the security range is also printed

--- Additional comment from Milos Malik on 2016-12-01 05:51:03 EST ---

The same issue is reproducible with semanage interface:

# seinfo --netifcon

Netifcon: 1
   netifcon xyz system_u:object_r:netif_t:s0 - s0:c0.c1 system_u:object_r:netif_t:s0 - s0:c0.c1
# semanage interface -l
SELinux Interface              Context

xyz                            system_u:object_r:netif_t:s0-s0:c0,c1 
# semanage interface -E
interface -a -t netif_t xyz
#

--- Additional comment from Milos Malik on 2016-12-01 07:57:33 EST ---

My guess is that all semanage sub-commands which support -E, --extract options suffer from this issue:

# semanage fcontext -l -C
# semanage fcontext -a -t tmp_t -r s0:c0.c1 /pokus
# semanage fcontext -l -C
SELinux fcontext                                   type               Context

/pokus                                             all files          system_u:object_r:tmp_t:s0:c0.c1 
# semanage -o -
boolean -D
login -D
login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -D
port -D
interface -D
node -D
fcontext -D
fcontext -a -f 'all files' -t tmp_t '/pokus'
#

The semanage option for output-ing local customizations does not print the MLS/MCS security range either.
Comment 1 Petr Lautrbach 2017-10-02 14:24:34 UTC 
Red Hat Enterprise Linux 6 transitioned to the Production 3 Phase on May 10, 2017.  During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:
http://redhat.com/rhel/lifecycle

This issue does not appear to meet the inclusion criteria for the Production Phase 3 and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification.  Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com