Bug 1599114

Summary: RHEL7: fixfiles doesn't label the rule added by "semanage fcontext" due to /etc/selinux/fixfiles_exclude_dirs
Product: Red Hat Enterprise Linux 7
Reporter: kyoneyama <kyoneyam>
Component: policycoreutils
Assignee: Vit Mojzis <vmojzis>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.5
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-07-09 16:10:24 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description kyoneyama 2018-07-09 01:49:21 UTC
Description of problem:

When there is "/etc/selinux/fixfiles_exclude_dirs", it doesn't label the rule added by "semanage fcontext" during autorelabel on boot.

Autorelabel on boot runs "fixfiles restore".

If there is fixfiles_exclude_dirs, fixfiles performs the operations below, which create temporary `file_contexts` files and execute setfiles based on those temporary files.

  # cd /etc/selinux/targeted/contexts/files/
  # mktemp file_contexts.XXXXXXXXX
  # cp -p /etc/selinux/targeted/contexts/files/file_contexts file_contexts.WniqAxMKPP
  # cp -p /etc/selinux/targeted/contexts/files/file_contexts.subs_dist file_contexts.WniqAxMKPP.subs_dist
  # cp -p /etc/selinux/targeted/contexts/files/file_contexts.subs file_contexts.WniqAxMKPP.subs
  # cp -p /etc/selinux/targeted/contexts/files/file_contexts.homedirs file_contexts.WniqAxMKPP.homedirs
  # setfiles -v -e /boot/efi -q /etc/selinux/targeted/contexts/files/file_contexts.WniqAxMKPP /

However, a temporary copy of /etc/selinux/targeted/contexts/files/file_contexts.local, in which the additional rules are logged, isn't created.
That's why fixfiles can't apply the additional rules.


Version-Release number of selected component (if applicable):

  - Red Hat Enterprise Linux 7.5
  - policycoreutils-2.5-22.el7

How reproducible:

  - Always

Steps to Reproduce:

1. Add local labeling rule with "semanage fcontext"

  # mkdir /share
  # semanage fcontext -a -t samba_share_t /share

2. Create /etc/selinux/fixfiles_exclude_dirs

  # echo "/boot/efi" > /etc/selinux/fixfiles_exclude_dirs

3. Execute "fixfiles restore"

  # fixfiles -v restore

4. Ensure the file context of /share

  # ls -ldZ /share

Actual results:

  - It doesn't apply the additional labels.

Expected results:

  - It can apply the additional labels.


Additional info:

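The following is an added example, not part of the bug report or of policycoreutils: a small Python model of how a path is resolved against a set of file_contexts spec files, used to show why leaving file_contexts.local out of the temporary copy loses the rule added with "semanage fcontext". The spec file contents, the path names, and the function names (`parse_specs`, `resolve`, `load_temp_set`, `relabel_plan`) are constructed for this example. The matching rule is a simplification and an assumption of this example, not libselinux's exact algorithm: each spec is a regex anchored against the full path, the optional file-type field is honoured, and when several specs match, the last one listed wins, so entries from file_contexts.local, which are appended after the distribution file, take precedence.

```python
"""Added example (not from the bug report): simulate setfiles resolving paths
against file_contexts spec files, with and without file_contexts.local.

Assumption of this model (not libselinux's exact behaviour): specs are
regexes anchored against the whole path, the optional type field
(-- regular file, -d directory, ...) must match when present, and when
several specs match the last listed one wins.
"""
import re

# Constructed sample of /etc/selinux/targeted/contexts/files/file_contexts.
# Real syntax is:  <regex> [<type>] <security context>
BASE_SPECS = """\
/.*                 system_u:object_r:default_t:s0
/boot/efi(/.*)?     system_u:object_r:boot_t:s0
/home/[^/]+(/.*)?   system_u:object_r:user_home_t:s0
"""

# Constructed sample of file_contexts.local, i.e. what "semanage fcontext -a
# -t samba_share_t /share" records. fixfiles copies file_contexts,
# .subs_dist, .subs and .homedirs to the temporary set, but not this file.
LOCAL_SPECS = """\
/share              system_u:object_r:samba_share_t:s0
"""

# File-type flags accepted in the optional middle field of a spec line.
TYPE_FLAGS = {"--", "-d", "-l", "-b", "-c", "-p", "-s"}


def parse_specs(text):
    """Parse spec lines into (compiled regex, type flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in TYPE_FLAGS:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError("malformed spec line: %r" % line)
        # Anchor the regex so it must match the full path, as setfiles does.
        specs.append((re.compile(r"^(?:" + regex + r")$"), ftype, context))
    return specs


def resolve(path, specs, ftype="-d"):
    """Return the context the last matching spec assigns, or None."""
    winner = None
    for regex, spec_type, context in specs:
        if regex.match(path) and (spec_type is None or spec_type == ftype):
            winner = context
    return winner


def load_temp_set(with_local):
    """Model the temporary spec set fixfiles builds when
    /etc/selinux/fixfiles_exclude_dirs exists; with_local=True models the
    fix (file_contexts.local included), False models the reported bug."""
    specs = parse_specs(BASE_SPECS)
    if with_local:
        specs += parse_specs(LOCAL_SPECS)
    return specs


def relabel_plan(paths, specs, exclude_dirs=()):
    """Map each path to the context setfiles would apply, or None when the
    path lies under a directory passed with -e (fixfiles_exclude_dirs)."""
    plan = {}
    for path in paths:
        excluded = any(path == d or path.startswith(d.rstrip("/") + "/")
                       for d in exclude_dirs)
        plan[path] = None if excluded else resolve(path, specs)
    return plan


if __name__ == "__main__":
    paths = ["/share", "/boot/efi/EFI", "/home/alice"]
    for with_local in (False, True):
        label = "with" if with_local else "without"
        print("temporary set %s file_contexts.local:" % label)
        plan = relabel_plan(paths, load_temp_set(with_local), ["/boot/efi"])
        for path in paths:
            print("  %-16s -> %s" % (path, plan[path] or "(excluded)"))
```

Run stand-alone, the script shows /share resolving to default_t when the temporary set lacks file_contexts.local and to samba_share_t once it is included, while /boot/efi/EFI is skipped in both cases because of the -e exclusion; that is the difference the reporter observes with "ls -ldZ /share" after "fixfiles -v restore". A practical post-relabel check on a real system is to compare "ls -Z" on each path listed by "semanage fcontext -l -C" against the context that listing expects.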
Comment 3 Vit Mojzis 2018-07-09 16:10:24 UTC
Thank you for reporting the issue.
We have a fix which will be released soon. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1559808 for more details.

*** This bug has been marked as a duplicate of bug 1559808 ***