Bug 193489

Summary: SELinux context of /proc, /selinux, /sys is always incorrect
Product: [Fedora] Fedora Reporter: Robert Scheck <redhat-bugzilla>
Component: rpm Assignee: Paul Nasrat <nobody+pnasrat>
Status: CLOSED DUPLICATE QA Contact: Mike McLean <mikem>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide CC: herrold, nobody+pnasrat
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-06-26 19:50:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 150223    
Attachments:
RPM Needs to ignore file/dir which matchpathcon returns ENOENT on verify (Flags: none)

Description Robert Scheck 2006-05-29 17:56:24 UTC
Description of problem:
SELinux context of /proc, /selinux, /sys seems to be always incorrect when 
verifying using rpm:

# rpm -V filesystem
........C   /proc
........C   /selinux
........C   /sys
# 

Version-Release number of selected component (if applicable):
filesystem-2.3.7-1.2.1
selinux-policy-2.2.43-3

How reproducible:
Every time, just do "rpm -qV filesystem"

Actual results:
Modified file context of /proc, /selinux, /sys...

Expected results:
Always correct file context for /proc, /selinux, /sys ;-)

Comment 1 Daniel Walsh 2006-05-30 12:48:16 UTC
This is a bug in libselinux, matchpathcon returns an error when it matches on
<<none>> which means the context could be anything.

Comment 2 Daniel Walsh 2006-06-15 22:48:10 UTC
Created attachment 131010 [details]
RPM Needs to ignore file/dir which matchpathcon returns ENOENT on verify

Basically certain directories either do not support context or the kernel
creates them so there is no "correct" label for those directories.  In this
case matchpathcon returns ENOENT, and rpm -V should just say it is ok.

This patch attempts to ignore errors in rpm.  Sadly it does not work, but it
will give you an idea.
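
The following is an added illustration of the decision Comment 2 describes; it is not rpm's or libselinux's code and not the attached patch. A small parser over a constructed file_contexts fragment stands in for libselinux's matchpathcon() (assumed behaviour: regexes anchored at both ends, last matching entry wins, a <<none>> entry makes the lookup fail with ENOENT), and an emulated rpm -V loop shows the pre-patch result, where every lookup failure is reported as a C flag, beside the proposed one, where ENOENT is treated as "nothing to verify". The package manifest, paths and contexts are constructed sample data.

```python
"""Emulation of the rpm -V context check from this bug (added example; not
rpm's, libselinux's or the attached patch's code). A file_contexts parser
stands in for matchpathcon(); the verify loop contrasts the pre-patch
behaviour with treating ENOENT as "no label to compare against"."""
import errno
import re
from typing import List, Optional, Tuple

# Constructed file_contexts fragment; paths and contexts are illustrative only.
# Per line: <anchored regex> [<type: -d directory, -- regular file>] <context | <<none>>>
FILE_CONTEXTS = """
/.*                  system_u:object_r:default_t:s0
/etc(/.*)?           system_u:object_r:etc_t:s0
/etc/passwd     --   system_u:object_r:passwd_file_t:s0
/proc           -d   <<none>>
/proc/.*             <<none>>
/selinux(/.*)?       <<none>>
/sys(/.*)?           <<none>>
"""

# Constructed package manifest: (path, is_directory, context currently on disk).
MANIFEST = [
    ("/proc",        True,  "system_u:object_r:proc_t:s0"),
    ("/selinux",     True,  "system_u:object_r:security_t:s0"),
    ("/sys",         True,  "system_u:object_r:sysfs_t:s0"),
    ("/etc",         True,  "system_u:object_r:etc_t:s0"),
    ("/etc/passwd",  False, "system_u:object_r:default_t:s0"),  # deliberately mislabelled
]


class FileContexts:
    """Minimal stand-in for the libselinux file_contexts lookup."""

    def __init__(self, text: str) -> None:
        self.entries = []  # (compiled regex, file-type flag or None, context)
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            if len(parts) == 3:
                regex, ftype, context = parts
            elif len(parts) == 2:
                (regex, context), ftype = parts, None
            else:
                raise ValueError(f"malformed file_contexts line: {raw!r}")
            self.entries.append((re.compile(regex), ftype, context))

    def matchpathcon(self, path: str, is_dir: bool) -> Tuple[Optional[str], int]:
        """C-style result: (context, 0) on success, (None, errno) on failure.

        Assumption: regexes are anchored at both ends and the last matching
        entry wins; a <<none>> entry makes the lookup fail with ENOENT."""
        wanted = "-d" if is_dir else "--"
        best = None
        for regex, ftype, context in self.entries:
            if ftype is not None and ftype != wanted:
                continue
            if regex.fullmatch(path):
                best = context
        if best is None or best == "<<none>>":
            return None, errno.ENOENT
        return best, 0


def verify_context(fc: FileContexts, path: str, is_dir: bool, actual: str,
                   ignore_enoent: bool) -> str:
    """Return 'C' for a context mismatch, '.' when the label is fine or unverifiable."""
    expected, err = fc.matchpathcon(path, is_dir)
    if err != 0:
        # Pre-patch rpm: a failed lookup is reported exactly like a mismatch.
        # With the fix: ENOENT means the policy defines no label for the path,
        # so there is nothing for rpm -V to compare against.
        return "." if (ignore_enoent and err == errno.ENOENT) else "C"
    return "." if expected == actual else "C"


def rpm_verify(fc: FileContexts, manifest, ignore_enoent: bool) -> List[Tuple[str, str]]:
    """Emulate `rpm -V`: (flags, path) for every entry with a failure.

    Only the context column is checked; the eight preceding verify columns
    (size, mode, digest, ...) are rendered as '.' to mirror rpm's layout."""
    failures = []
    for path, is_dir, actual in manifest:
        flag = verify_context(fc, path, is_dir, actual, ignore_enoent)
        if flag != ".":
            failures.append(("." * 8 + flag, path))
    return failures


if __name__ == "__main__":
    fc = FileContexts(FILE_CONTEXTS)
    for label, ignore in (("pre-patch", False), ("ignoring ENOENT", True)):
        print(f"# rpm -V filesystem ({label})")
        for flags, path in rpm_verify(fc, MANIFEST, ignore):
            print(f"{flags}   {path}")
```

Run as-is, the pre-patch pass flags /proc, /selinux, /sys and the mislabelled /etc/passwd; the ENOENT-ignoring pass flags only /etc/passwd, which is the point of the change: the three kernel-created directories stop producing noise while a genuine mislabel is still reported.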

Comment 3 R P Herrold 2006-06-16 13:44:47 UTC
How about a less intrusive approach; a proper packaging %files stanza, which
does not include them, rather than blaming RPM _or_ SELinux; %pre and %post are
sufficiently powerful to solve the need for their presence, and to sign them
for SELinux as needed

-- RPM does not need to ignore packages it is not able to check, the
underlying 'filesystem' packager needs to package to accommodate the changes which
SELinux brings - at least one of these directory paths (/proc) and I suspect the
others are not in scope to it any more

The packager needs to not include them (now) improperly in light of the new
Context checking rules added for SELinux, which are now emitting errors when
SELinux is enabled

Comment 4 Robert Scheck 2006-06-23 13:13:15 UTC
Very similar problem at:

$ rpm -qV selinux-policy-targeted
........C   /etc/selinux/targeted/modules/active
$

As far as I can see, the problem is related to bug #193488 and should be
resolved when SELinux functionality is removed from rpm -V. This is just
another reason for updating to latest RPM 4.4.7 when available :)

Comment 5 Paul Nasrat 2006-06-26 19:49:09 UTC
Proposed patch to remove verification as discussed has been presented for
upstream discussion.

Comment 6 Paul Nasrat 2006-06-26 19:50:23 UTC

*** This bug has been marked as a duplicate of 193488 ***