Bug 1659905

Summary: Incorrect SELinux label of fontconfig cache directory
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 29
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Maciek Borzecki <maciek.borzecki>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Ben Levenson <benl>
CC: ajax, dwalsh, fonts-bugs, herrold, i18n-bugs, john.j5live, lvrabec, mclasen, pnemade, rhughes, rstrode, sandmann, tagoh
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-08-18 01:56:37 UTC
Type: Bug

Description Maciek Borzecki 2018-12-17 07:45:36 UTC
Description of problem:

The /usr/lib/fontconfig/cache directory is labeled as lib_t, but should be labeled as fonts_cache_t, same as /var/cache/fontconfig was before.

[guest@localhost ~]$ ls -laZ /usr/lib/fontconfig/cache/
total 40
drwxr-xr-x. 2 root root system_u:object_r:lib_t:s0      4096 Dec 17 07:35 .
drwxr-xr-x. 3 root root system_u:object_r:lib_t:s0      4096 Dec 17 07:35 ..
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0   136 Dec 17 07:35 14f2600e-0a03-4bcf-ad84-39369899c767-le64.cache-7
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0 20904 Dec 17 07:35 6d2e07ad-8b0a-44cf-ad7a-4c0d0bc787a2-le64.cache-7
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0   200 Dec 17 07:35 CACHEDIR.TAG

Either a missing piece of the core policy or /usr/lib/fontconfig/cache ought to be created with proper labeling.

Version-Release number of selected component (if applicable):

fontconfig-2.13.1-3.fc29.x86_64
selinux-policy-3.14.2-44.fc29.noarch
selinux-policy-devel-3.14.2-44.fc29.noarch
selinux-policy-targeted-3.14.2-44.fc29.noarch

How reproducible:
always

Comment 1 Akira TAGOH 2018-12-17 09:13:16 UTC
Similarly $HOME/.config/fontconfig/fonts.conf and $HOME/.config/fontconfig/conf.d/* for user_fonts_config_t and $HOME/.cache/fontconfig/* for user_fonts_cache_t

Comment 2 Zdenek Pytela 2019-03-21 16:44:04 UTC
Hi,

Thank you for reporting the issue. I am currently checking the possible ways of resolving as there are already rules for the per-application configuration directories.

  # semanage fcontext -l| grep /home.*fonts_cache_t
/home/[^/]+/\.fontconfig(/.*)?                     all files          unconfined_u:object_r:user_fonts_cache_t:s0 
/home/[^/]+/\.fonts/auto(/.*)?                     all files          unconfined_u:object_r:user_fonts_cache_t:s0 
/home/[^/]+/\.fonts\.cache-.*                      regular file       unconfined_u:object_r:user_fonts_cache_t:s0

Comment 3 Akira TAGOH 2019-03-22 05:00:30 UTC
I think all of them are deprecated paths to store fontconfig caches. Those are still valid for backward compatibility but will be dropped in the future, though there is no ETA for dropping them so far.
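
The gap discussed in Comments 1 to 3, as an added example that is not part of the original bug report or of the selinux-policy project: it checks which paths the three file-context rules quoted in Comment 2 cover, and flags `ls -laZ` entries whose type differs from the expected one. The `/home/guest/...` paths are constructed for illustration, and rule lookup is simplified to "first listed rule that matches".

```python
import re

# Rules copied from the `semanage fcontext -l` output in Comment 2:
# (pattern, file class, SELinux type)
RULES = [
    (r"/home/[^/]+/\.fontconfig(/.*)?", "all files", "user_fonts_cache_t"),
    (r"/home/[^/]+/\.fonts/auto(/.*)?", "all files", "user_fonts_cache_t"),
    (r"/home/[^/]+/\.fonts\.cache-.*", "regular file", "user_fonts_cache_t"),
]

# Two lines copied from the `ls -laZ` output in the description.
LS_LINES = [
    "drwxr-xr-x. 2 root root system_u:object_r:lib_t:s0      4096 Dec 17 07:35 .",
    "-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0   200 Dec 17 07:35 CACHEDIR.TAG",
]


def matching_type(path, file_class="regular file"):
    """Return the type of the first listed rule covering path, or None.

    file_contexts patterns are anchored at both ends, hence fullmatch().
    Simplification (assumption): real lookup also ranks overlapping rules
    by specificity; these three rules do not overlap on the paths tested.
    """
    for pattern, rule_class, setype in RULES:
        if rule_class not in ("all files", file_class):
            continue  # rule restricted to another file class
        if re.fullmatch(pattern, path):
            return setype
    return None


def parse_ls_z(line):
    """Extract (SELinux type, file name) from one `ls -laZ` output line."""
    fields = line.split()
    # The context is the only field with user:role:type:level colons.
    context = next(f for f in fields if f.count(":") >= 3)
    return context.split(":")[2], fields[-1]


def mislabeled(lines, expected_type):
    """Names of entries whose SELinux type is not expected_type."""
    return [name for setype, name in map(parse_ls_z, lines)
            if setype != expected_type]


if __name__ == "__main__":
    for p in ("/home/guest/.fontconfig/a.cache-7",         # deprecated path
              "/home/guest/.cache/fontconfig/a.cache-7"):  # path from Comment 1
        print(p, "->", matching_type(p))
    print("not fonts_cache_t:", mislabeled(LS_LINES, "fonts_cache_t"))
```
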

Comment 4 Zdenek Pytela 2019-03-27 15:06:19 UTC
Created a PR, waiting for review:

https://github.com/fedora-selinux/selinux-policy/pull/253

Comment 5 Zdenek Pytela 2019-03-27 16:47:24 UTC
Another PR for a new interface:

https://github.com/fedora-selinux/selinux-policy-contrib/pull/97

Comment 6 Fedora Update System 2019-06-18 11:33:10 UTC
FEDORA-2019-096a80ef39 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 7 Fedora Update System 2019-06-19 04:13:59 UTC
selinux-policy-3.14.2-61.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 8 Fedora Update System 2019-07-10 12:47:30 UTC
FEDORA-2019-2eec328cc1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 9 Fedora Update System 2019-07-11 03:10:56 UTC
selinux-policy-3.14.2-62.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 10 Fedora Update System 2019-07-19 08:08:48 UTC
FEDORA-2019-8071724c9b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 11 Fedora Update System 2019-07-20 03:41:53 UTC
selinux-policy-3.14.2-63.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 12 Fedora Update System 2019-08-02 07:50:19 UTC
FEDORA-2019-b51794f502 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 13 Fedora Update System 2019-08-03 02:02:21 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 14 Fedora Update System 2019-08-18 01:56:37 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.