Bug 1919253

Summary: Invalid context in database for /var/tmp-inst, should be /var/tmp/tmp-inst
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: high    
Version: 8.3CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rcKeywords: Triaged
Target Release: 8.5Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-68.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 19:42:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2021-01-22 12:53:16 UTC 
Description of problem:

Polyinstanciation template /etc/security/namespace.conf defines /var/tmp/tmp-inst as root directory for /var/tmp instances:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/var/tmp /var/tmp/tmp-inst/   	level      root,adm
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The database however defines /var/tmp-inst, which ends up having /var/tmp/tmp-inst unlabelled, preventing users from logging in:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/var/tmp-inst                                      directory          system_u:object_r:tmp_t:s0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Please adjust to /var/tmp/tmp-inst


Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-54.el8.noarch


How reproducible:

N/A
Comment 1 Zdenek Pytela 2021-03-26 10:32:19 UTC 
*** Bug 1934444 has been marked as a duplicate of this bug. ***
Comment 2 Zdenek Pytela 2021-04-06 18:02:17 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/683
Comment 4 Zdenek Pytela 2021-04-09 18:47:34 UTC 
Merged in rawhide:
commit 3ca065eef7990b37d4b57218ada8dea8f0b18580
Author: Zdenek Pytela <zpytela>
Date:   Tue Apr 6 19:53:29 2021 +0200

    Add file context specification for /var/tmp/tmp-inst

    The pam_namespace.so module allows setup of private namespaces with
    polyinstantiated directories. Directories can be polyinstantiated based
    on user name or, in the case of SELinux, user name, sensitivity level or
    complete security context.

    Previously, file context specification for /var/tmp-inst was defined
    in SELinux policy instead of /var/tmp/tmp-inst, although pam_namespace
    is pre-configured for using /var/tmp/tmp-inst. It is noted in the
    /etc/security/namespace.conf file as well as in documentation.

    Resolves: rhbz#1919253
Comment 14 errata-xmlrpc 2021-11-09 19:42:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420