Bug 1727342
| Summary: | No default label for item in /var/spool/cron | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Steffen Froemer <sfroemer> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 8.0 | CC: | lvrabec, mmalik, plautrba, ssekidde, yferszt, zpytela |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | 8.1 | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.14.3-12.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-05 22:11:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Steffen Froemer
2019-07-05 15:23:59 UTC
Hi Steffen, Do you have some real issue with crontab? Or you just see Warning from bug description? I don't see this as a bug, so if you have some real example, please provide the reproducer. Thanks, Lukas. Following lines show the difference between RHEL-7 and RHEL-8: RHEL-7 ====== # ls -Z /var/spool/cron/ -rw-r--r--. root root unconfined_u:object_r:user_cron_spool_t:s0 staff-user # restorecon -Rvn /var/spool/cron/ restorecon: Warning no default label for /var/spool/cron/staff-user # RHEL-8 ====== # ls -Z /var/spool/cron/ unconfined_u:object_r:user_cron_spool_t:s0 staff-user # restorecon -Rvn /var/spool/cron/ # Please notice that file context patterns are the same on RHEL-7 and RHEL-8, but their order is different: RHEL-7 ====== # semanage fcontext -l | grep /var/spool/cron /var/spool/cron/[^/]* regular file <<None>> /var/spool/cron/a?quota\.(user|group) regular file system_u:object_r:quota_db_t:s0 /var/spool/cron/crontabs/.* regular file <<None>> /var/spool/cron directory system_u:object_r:user_cron_spool_t:s0 /var/spool/cron/crontabs directory system_u:object_r:cron_spool_t:s0 # RHEL-8 ====== # semanage fcontext -l | grep '/var/spool/cron' /var/spool/cron directory system_u:object_r:user_cron_spool_t:s0 /var/spool/cron/[^/]* regular file <<None>> /var/spool/cron/a?quota\.(user|group) regular file system_u:object_r:quota_db_t:s0 /var/spool/cron/crontabs directory system_u:object_r:cron_spool_t:s0 /var/spool/cron/crontabs/.* regular file <<None>> # Is it possible that the different order of file context patterns causes the warning message? RHEL-7 ====== # ls -Z /var/spool/cron/ -rw-------. staff-user staff-user staff_u:object_r:user_cron_spool_t:s0 staff-user -rw-------. user-user user-user user_u:object_r:user_cron_spool_t:s0 user-user # restorecon -Rv /var/spool/cron/ restorecon: Warning no default label for /var/spool/cron/staff-user restorecon: Warning no default label for /var/spool/cron/user-user # restorecon -RvF /var/spool/cron/ restorecon: Warning no default label for /var/spool/cron/staff-user restorecon: Warning no default label for /var/spool/cron/user-user # ls -Z /var/spool/cron/ -rw-------. staff-user staff-user staff_u:object_r:user_cron_spool_t:s0 staff-user -rw-------. user-user user-user user_u:object_r:user_cron_spool_t:s0 user-user # RHEL-8 ====== # ls -lZ /var/spool/cron/ total 8 -rw-------. 1 staff-user staff-user staff_u:object_r:user_cron_spool_t:s0 14 Jul 10 07:35 staff-user -rw-------. 1 user-user user-user user_u:object_r:user_cron_spool_t:s0 14 Jul 10 07:38 user-user # restorecon -Rv /var/spool/cron/ # restorecon -RvF /var/spool/cron/ # ls -lZ /var/spool/cron/ total 8 -rw-------. 1 staff-user staff-user staff_u:object_r:user_cron_spool_t:s0 14 Jul 10 07:35 staff-user -rw-------. 1 user-user user-user user_u:object_r:user_cron_spool_t:s0 14 Jul 10 07:38 user-user # If the different order of file context patterns is not the cause of the warning messages, then the restorecon behaviour must have changed. Please answer questions in comment#11 and comment#12. Here is a way how to define correct SELinux context for individual user crontabs. First we need to modify the /var/lib/selinux/targeted/active/homedir_template file: # grep cron/USER /var/lib/selinux/targeted/active/homedir_template /var/spool/cron/USER -- system_u:object_r:user_cron_spool_t:s0 # Now, if we create a new user (not tested on already existing users): # useradd -Z sysadm_u sysadm-user # the file context patterns will contain a new file context pattern: # semanage fcontext -l | grep cron/sysadm-user /var/spool/cron/sysadm-user regular file sysadm_u:object_r:user_cron_spool_t:s0 # which means that restorecon will no longer produce above-mentioned warning messages and it will correct SELinux labels on files in /var/spool/cron directory: # touch /var/spool/cron/sysadm-user # ls -Z /var/spool/cron/sysadm-user unconfined_u:object_r:user_cron_spool_t:s0 /var/spool/cron/sysadm-user # restorecon -vF /var/spool/cron/sysadm-user Relabeled /var/spool/cron/sysadm-user from unconfined_u:object_r:user_cron_spool_t:s0 to sysadm_u:object_r:user_cron_spool_t:s0 # ls -Z /var/spool/cron/sysadm-user sysadm_u:object_r:user_cron_spool_t:s0 /var/spool/cron/sysadm-user # restorecon -Rv /var/spool/cron/sysadm-user # Unfortunately, following command removes all my changes in /var/lib/selinux/targeted/active/homedir_template: # semodule -B We need to find a permanent way how to store the homedir_template changes. *** Bug 1727341 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3547 |