Bug 207157

Summary: rpm is not setting the correct context on the locale directories
Product: [Fedora] Fedora Reporter: Daniel Walsh <dwalsh>
Component: rpmAssignee: Panu Matilainen <pmatilai>
Status: CLOSED WORKSFORME QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-04 06:55:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Daniel Walsh 2006-09-19 19:02:48 UTC 
Description of problem:

After a fresh install running fixfiles check reveals the following problems

/sbin/setfiles:  relabeling /usr/share/locale/ka from system_u:object_r:usr_t:s0
to system_u:object_r:locale_t:s0
/sbin/setfiles:  relabeling /usr/share/locale/ka/LC_MESSAGES from
system_u:object_r:usr_t:s0 to system_u:object_r:locale_t:s0
...

Seems rpm is not setting the context when it creates directories "lazily"
At least this is what Jeremy suggested.
Comment 1 Jeff Johnson 2006-10-05 01:48:58 UTC 
Perhaps. The code that sets contexts on "orphan" directories is rather
straightforward however.

A reproducer with -vv --fsmdebug should be a rather easy way to establish
whether rpm is setting file contexts correctly or not.

I claim Jeremy hasn't a clue. Want to bet?

Meanwhile, this patch is relevant for those (like me) who don't wish to run SELinux:
@@ -1276,7 +1337,12 @@
 /*@-compdef@*/
     rpmts ts = fsmGetTs(fsm);
 /*@=compdef@*/
-    rpmsx sx = rpmtsREContext(ts); 
+    rpmsx sx = NULL;
+       
+    /* XXX Set file contexts on non-packaged dirs iff selinux enabled. */
+    if (ts != NULL && rpmtsSELinuxEnabled(ts) == 1 &&
+      !(rpmtsFlags(ts) & RPMTRANS_FLAG_NOCONTEXTS))
+       sx = rpmtsREContext(ts);
     
     fsm->path = NULL;
     
@@ -1305,7 +1371,8 @@
        fsm->path = dn;
 
        /* Assume '/' directory exists, "mkdir -p" for others if non-existent */
-       for (i = 1, te = dn + 1; *te != '\0'; te++, i++) {
+       (void) urlPath(dn, (const char **)&te);
+       for (i = 1, te++; *te != '\0'; te++, i++) {
            if (*te != '/')
                /*@innercontinue@*/ continue;
Comment 2 Jeff Johnson 2007-04-11 01:47:07 UTC 
No additional info == NOTABUG
Comment 3 Red Hat Bugzilla 2007-08-21 05:26:39 UTC 
User pnasrat's account has been closed
Comment 4 Panu Matilainen 2007-08-22 06:34:16 UTC 
Reassigning to owner after bugzilla made a mess, sorry about the noise...
Comment 5 Panu Matilainen 2007-09-04 06:55:24 UTC 
Tested with rpm-4.4.2.2-0.1.fc8.rc1 (which has no selinux/directory handling
related changes over 4.4.2.1) and directories that aren't explicitly owned by
packages get correct context.

Works for me, if it doesn't for you I'll need a reproducer...