Bug 193489

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux context of /proc, /selinux, /sys is always incorrect | | |
| Product | [Fedora] Fedora | Reporter | Robert Scheck <redhat-bugzilla> |
| Component | rpm | Assignee | Paul Nasrat <nobody+pnasrat> |
| Status | CLOSED DUPLICATE | QA Contact | Mike McLean <mikem> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | rawhide | CC | herrold, nobody+pnasrat |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2006-06-26 19:50:23 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 150223 | | |
| Attachments | | | |
Description
Robert Scheck
2006-05-29 17:56:24 UTC
This is a bug in libselinux; matchpathcon returns an error when it matches on <<none>>, which means the context could be anything.

Created attachment 131010
RPM needs to ignore file/dir which matchpathcon returns ENOENT on verify

Basically certain directories either do not support context or the kernel creates them, so there is no "correct" label for those directories. In this case matchpathcon returns ENOENT, and rpm -V should just say it is ok. This patch attempts to ignore errors in rpm. Sadly it does not work, but it will give you an idea.
How about a less intrusive approach; a proper packaging %files stanza, which does not include them, rather than blaming RPM _or_ SELinux; %pre and %post are sufficiently powerful to solve the need for their presence, and to sign them for SELinux as needed -- RPM does not need to ignore packages it is not able to check, the underlying 'filesystem' packager needs to package to accommodate the changes which SELinux brings - at least one of these directory paths (/proc) and I suspect the others are not in scope to it any more.

The packager needs to not include them (now) improperly in light of the new context checking rules added for SELinux, which are now emitting errors when SELinux is enabled.

Very similar problem at:

```
$ rpm -qV selinux-policy-targeted
........C /etc/selinux/targeted/modules/active
$
```

As far as I can see, the problem is related with bug #193488 and should be resolved when SELinux functionality is removed from rpm -V. This is just another reason for updating to latest RPM 4.4.7 when available :)

Proposed patch to remove verification as discussed has been presented for upstream discussion.
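The behaviour the attachment argues for (a file_contexts entry of <<none>> makes matchpathcon fail with ENOENT, and a verifier should treat that as "nothing to check" rather than as a context mismatch) is easier to see in a small model than in the rpm patch. The Python below is an added example written for this page; it is not rpm's or libselinux's code. The file_contexts lines and the file inventory are constructed, and `lookup_context` is a hypothetical stand-in for matchpathcon(3) that models only last-match-wins and the <<none>> case, not the real library.

```python
import re
from errno import ENOENT

# Constructed file_contexts-style spec lines (not Fedora's real policy file).
# Format: <path regex> [<file type flag>] <context>
# "<<none>>" marks paths that carry no verifiable label (kernel-created or
# unlabeled filesystems such as /proc, /selinux, /sys).
SAMPLE_FILE_CONTEXTS = """\
/.*                    system_u:object_r:default_t:s0
/etc(/.*)?             system_u:object_r:etc_t:s0
/proc                  -d  <<none>>
/proc/.*               <<none>>
/selinux(/.*)?         <<none>>
/sys(/.*)?             system_u:object_r:sysfs_t:s0
/sys                   -d  <<none>>
"""

# Constructed inventory of (path, is_dir, label actually found on disk).
# /etc/shadow deliberately disagrees with the toy policy above.
SAMPLE_INVENTORY = [
    ("/proc", True, "system_u:object_r:proc_t:s0"),
    ("/selinux", True, "system_u:object_r:security_t:s0"),
    ("/sys", True, "system_u:object_r:sysfs_t:s0"),
    ("/etc/passwd", False, "system_u:object_r:etc_t:s0"),
    ("/etc/shadow", False, "system_u:object_r:shadow_t:s0"),
]


def parse_file_contexts(text):
    """Parse spec lines into (compiled regex, type flag or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError("bad spec line: %r" % line)
        specs.append((re.compile(regex + "$"), ftype, context))
    return specs


def lookup_context(specs, path, is_dir=False):
    """Hypothetical model of matchpathcon(): returns (0, context) when a
    usable label is defined, or (ENOENT, None) when the winning entry is
    <<none>> or no entry matches. Last matching entry wins, as in
    file_contexts(5)."""
    best = None
    for regex, ftype, context in specs:
        if ftype == "-d" and not is_dir:      # entry applies to dirs only
            continue
        if ftype == "--" and is_dir:          # entry applies to files only
            continue
        if regex.match(path):
            best = context
    if best is None or best == "<<none>>":
        return ENOENT, None
    return 0, best


def verify_context(specs, path, actual_context, is_dir=False):
    """rpm -V style check of one entry's label: "." means ok, "C" means the
    context differs. ENOENT from the lookup is treated as "nothing to
    verify", i.e. ok, which is what the attachment proposes rpm -V do."""
    err, expected = lookup_context(specs, path, is_dir)
    if err == ENOENT:
        return "."
    return "." if expected == actual_context else "C"


def verify_tree(specs, files):
    """Return (flag, path) for every entry that did not verify clean,
    mirroring rpm -V, which lists only failures."""
    failures = []
    for path, is_dir, actual in files:
        flag = verify_context(specs, path, actual, is_dir)
        if flag != ".":
            failures.append((flag, path))
    return failures


SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

if __name__ == "__main__":
    # Same shape as rpm -V output: flag column, then the path.
    for flag, path in verify_tree(SPECS, SAMPLE_INVENTORY):
        print("........%s %s" % (flag, path))
```

Run stand-alone it reports only `/etc/shadow`; the three kernel-managed directories verify clean whatever label they carry, because the lookup returned ENOENT for them instead of a context to compare against. Without the ENOENT branch in `verify_context`, those entries would be flagged "C" on every run, which is the false positive the bug describes.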