Bug 1409813

Also (as noticed by Milos) does not seem to work correctly for the snapper module shipped by RH:

  # semanage fcontext -l | grep ^/home
/home/(.*/)?\.snapshots(/.*)?                      all files          system_u:object_r:snapperd_data_t:s0 
/home/\.snapshots(/.*)?                            all files          system_u:object_r:snapperd_data_t:s0 

  # mkdir -p /home/.snapshots /home/a/.snapshots
  # ls -Zd /home/.snapshots /home/a/.snapshots
drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0 /home/a/.snapshots
drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0 /home/.snapshots

  # matchpathcon /home/.snapshots /home/a/.snapshots
/home/.snapshots        unconfined_u:object_r:user_home_dir_t:s0
/home/a/.snapshots      unconfined_u:object_r:user_home_t:s0

  # restorecon -Rvn /home/.snapshots /home/a/.snapshots
restorecon reset /home/.snapshots context unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/a/.snapshots context unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_t:s0

Why semanage fcontext -l prints only 2 file context patterns related to home directories?

# semanage fcontext -l | grep ^/home
/home/(.*/)?\.snapshots(/.*)?                      all files          system_u:object_r:snapperd_data_t:s0 
/home/\.snapshots(/.*)?                            all files          system_u:object_r:snapperd_data_t:s0 
#

When matchpathcon knows many file context patterns related to home directories. For example:

# matchpathcon /home/tester/.fetchmailrc
/home/tester/.fetchmailrc	unconfined_u:object_r:fetchmail_home_t:s0
# matchpathcon /home/tester/bin
/home/tester/bin	unconfined_u:object_r:home_bin_t:s0
# matchpathcon /home/tester/.config
/home/tester/.config	unconfined_u:object_r:config_home_t:s0
# matchpathcon /home/tester/.k5login
/home/tester/.k5login	unconfined_u:object_r:krb5_home_t:s0
# 

It seems that I have to define 2 file context patterns to make 1 file context pattern visible to both tools (matchpathcon and semanage):

/home/squid(/.*)?                        gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squid(/.*)?                        gen_context(system_u:object_r:squid_cache_t,s0)

I will try to explain how does it work right now.

All .fc entries from selinux-policy and its modules are extracted to file_contexts.template file which is then used to build the following files:

- contexts/files/file_contexts.homedirs - this file is generated from homedir_template which contains all lines from file_contexts.template with HOME_ROOT, HOME_DIR and/or USER keywords

- contexts/files/file_contexts file -  all other lines from the generated file_contexts.template.

And then there's another file:

- contexts/files/file_contexts.local file - local modifications made by 'semanage fcontext [-a|m]'


When a labeling utility, like matchpathcon or restorecon, looks for a label, it looks for local changes/modifications first. If it doesn't find a matching pattern, it looks into file_contexts.homedirs and finally it looks into file_contexts file.

Given that file_contexts.homedirs defines a label for everything in HOME_ROOT, it overrides everything with '/home' specified in modules .fc so you need to use 'HOME_ROOT' instead of '/home'.

Unfortunately, 'semanage fcontext -l' doesn't list records from file_contexts.homedirs now.

I guess that what Milos suggested - use 2 records, 1 with /home, 1 with HOME_ROOT - could be used as a workaround for this issue:

/home/squid(/.*)?         gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squid(/.*)?     gen_context(system_u:object_r:squid_cache_t,s0)

(In reply to Zdenek Pytela from comment #2)
> Also (as noticed by Milos) does not seem to work correctly for the snapper
> module shipped by RH:

snapper.pp should be probably updated to use HOME_ROOT instead of or together with /home

> 
>   # semanage fcontext -l | grep ^/home
> /home/(.*/)?\.snapshots(/.*)?                      all files         
> system_u:object_r:snapperd_data_t:s0 
> /home/\.snapshots(/.*)?                            all files         
> system_u:object_r:snapperd_data_t:s0 
> 
>   # mkdir -p /home/.snapshots /home/a/.snapshots
>   # ls -Zd /home/.snapshots /home/a/.snapshots
> drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0
> /home/a/.snapshots
> drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0
> /home/.snapshots
> 
>   # matchpathcon /home/.snapshots /home/a/.snapshots
> /home/.snapshots        unconfined_u:object_r:user_home_dir_t:s0
> /home/a/.snapshots      unconfined_u:object_r:user_home_t:s0
> 
>   # restorecon -Rvn /home/.snapshots /home/a/.snapshots
> restorecon reset /home/.snapshots context
> unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:
> user_home_dir_t:s0
> restorecon reset /home/a/.snapshots context
> unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_t:
> s0

Petr,

Thanks for the info. Do I understand correctly you don't find this issue as such being a bug? From my point of view it is inconsistent at least as it occurs only if both the conditions are met - an entry is in /home and regex is used. See also my example in this bug description and matchpathcon command output:

  # matchpathcon /home/squic/data/a /home/squic/data /home/squic
/home/squic/data/a      unconfined_u:object_r:user_home_t:s0
/home/squic/data        system_u:object_r:squid_conf_t:s0
/home/squic     system_u:object_r:squid_cache_t:s0

In that case:
1. Documentation should be updated to point to the fact
2. semanage fcontext should be fixed as it does not take file_contexts.homedirs into account

Petr, 
Thanks for investigation. 

I think we should fix this in poliycoreutils. Moving to policycoreutils component.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0913