Bug 1834674

Summary: file context pattern for /run/fapolicyd.pid is missing
Product: [Fedora] Fedora
Component: fapolicyd
Version: 32
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Milos Malik <mmalik>
Assignee: Radovan Sroka <rsroka>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: rsroka, sgrubb
Fixed In Version: fapolicyd-1.0-3.fc32 fapolicyd-1.0-3.fc31
Last Closed: 2020-07-03 01:18:17 UTC
Type: Bug
Bug Blocks: 1841518

Description Milos Malik 2020-05-12 08:04:17 UTC
Description of problem:
The fapolicyd policy module shipped in the fapolicyd-selinux package does not define a file context pattern for the /run/fapolicyd.pid file.

# semanage fcontext -l | grep fapolicyd_var_run_t
/var/run/fapolicyd(/.*)?                           all files          system_u:object_r:fapolicyd_var_run_t:s0 
#

It's good practice to define a file context pattern for PID files as well. The majority of policy modules define file context patterns for PID files, which are associated with services confined by those policy modules. The rest of the PID files end up with <<None>>, which means that their SELinux context cannot be repaired (via restorecon or auto-relabel) if the file system gets mislabeled.

# semanage fcontext -l | grep pid | grep -i none
/run/.*\.*pid                                      all files          <<None>>
/var/run/.*\.*pid                                  all files          <<None>>
#

Version-Release number of selected component (if applicable):
fapolicyd-0.9.4-1.fc32.x86_64
fapolicyd-selinux-0.9.4-1.fc32.noarch
selinux-policy-3.14.5-38.fc32.noarch
selinux-policy-devel-3.14.5-38.fc32.noarch
selinux-policy-doc-3.14.5-38.fc32.noarch
selinux-policy-targeted-3.14.5-38.fc32.noarch

How reproducible:
 * always

Steps to Reproduce:
1. get a Fedora 31 or 32 machine (targeted policy is active)
2. start the fapolicyd service

Actual results:
# matchpathcon /run/fapolicyd.pid 
/var/run/fapolicyd.pid	<<none>>
#

Expected results:
# matchpathcon /run/fapolicyd.pid 
/var/run/fapolicyd.pid	system_u:object_r:fapolicyd_var_run_t:s0
#
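
The lookup described in this report, as an added example that is not part of the original report or of the fapolicyd project: it matches a path against the `semanage fcontext -l` lines quoted above and shows why the directory pattern does not cover the PID file. The candidate pattern, the function names and the "longest literal prefix wins" ranking (a simplification of libselinux's ordering) are assumptions.

```python
import re

# Constructed sample: the `semanage fcontext -l` lines quoted in the report.
FCONTEXT = r"""
/var/run/fapolicyd(/.*)?     all files    system_u:object_r:fapolicyd_var_run_t:s0
/run/.*\.*pid                all files    <<None>>
/var/run/.*\.*pid            all files    <<None>>
"""

# Assumption: a hypothetical pattern for the PID file, not taken from the fixed package.
CANDIDATE = r"/var/run/fapolicyd\.pid  regular file  system_u:object_r:fapolicyd_var_run_t:s0"

META = re.compile(r"[.^$?*+|\[\](){}\\]")

def parse(text):
    """Return (pattern, context) pairs from `semanage fcontext -l` style lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("/"):
            entries.append((fields[0], fields[-1]))
    return entries

def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    m = META.search(pattern)
    return m.start() if m else len(pattern)

def lookup(path, entries):
    """Return the (pattern, context) that labels path, or None if nothing matches."""
    # The matchpathcon output in the report shows /run being looked up as /var/run.
    if path.startswith("/run/"):
        path = "/var" + path
    # File context patterns are anchored at both ends, hence fullmatch.
    hits = [e for e in entries if re.fullmatch(e[0], path)]
    # Simplification (assumption): the match with the longest literal prefix wins.
    return max(hits, key=lambda e: stem_len(e[0]), default=None)

def repairable(path, entries):
    """True if a relabel would have a concrete context to restore for path."""
    hit = lookup(path, entries)
    return hit is not None and hit[1].lower() != "<<none>>"

if __name__ == "__main__":
    shipped = parse(FCONTEXT)
    for name, entries in (("shipped", shipped), ("with candidate", shipped + parse(CANDIDATE))):
        print(name, lookup("/run/fapolicyd.pid", entries))
```

Because the shipped pattern requires either the end of the path or a `/` after `fapolicyd`, `/run/fapolicyd.pid` falls through to the generic PID pattern and its `<<None>>` entry.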

Comment 1 Fedora Update System 2020-06-24 16:54:24 UTC
FEDORA-2020-f4711939b6 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-f4711939b6

Comment 2 Fedora Update System 2020-06-24 16:54:44 UTC
FEDORA-2020-50e464eff0 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-50e464eff0

Comment 3 Fedora Update System 2020-06-25 00:58:29 UTC
FEDORA-2020-50e464eff0 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-50e464eff0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-50e464eff0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2020-06-25 01:03:56 UTC
FEDORA-2020-f4711939b6 has been pushed to the Fedora 32 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-f4711939b6`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-f4711939b6

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-07-03 01:18:17 UTC
FEDORA-2020-f4711939b6 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 6 Fedora Update System 2020-07-03 01:37:30 UTC
FEDORA-2020-50e464eff0 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.