Bug 2115157

Summary: Added setting of seuser and selevel for completeness
Product: Red Hat Enterprise Linux 9
Reporter: Rich Megginson <rmeggins>
Component: rhel-system-roles
Assignee: Rich Megginson <rmeggins>
Status: CLOSED ERRATA
QA Contact: Jakub Haruda <jharuda>
Severity: unspecified
Docs Contact: Jan Fiala <jafiala>
Priority: unspecified
Version: 9.1
CC: gfialova, jharuda, nhosoi, plautrba, spetrosi
Target Milestone: rc
Keywords: Triaged
Target Release: 9.1
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard: role:selinux
Fixed In Version: rhel-system-roles-1.20.0-1.el9
Doc Type: Enhancement
Doc Text:
.Added setting of `seuser` and `selevel` to the `selinux` RHEL System Role

Sometimes, it is necessary to set the `seuser` and `selevel` parameters when setting SELinux context file system mappings. With this update, you can use the `seuser` and `selevel` optional arguments in `selinux_fcontext` to specify the SELinux user and level in the SELinux context file system mappings.
Last Closed: 2022-11-15 10:24:25 UTC
Clones: 2115162
Bug Blocks: 2115162

Description Rich Megginson 2022-08-04 00:38:59 UTC
When setting selinux_fcontexts, allow setting the seuser and selevel. Also use restorecon -F to ensure labels are restored properly.

Comment 2 Petr Lautrbach 2022-08-05 13:45:02 UTC
2) verification instructions:

# cat > playbook.yml
---
- hosts: all
  become: true
  become_method: sudo
  become_user: root
  vars:
    # Map '/var/test_dir' and its subdirectories to the 'user_home_dir_t'
    # SELinux file type; the 'user' subtree also gets an explicit SELinux
    # user (seuser) and MLS/MCS level (selevel)
    selinux_fcontexts:
      - { target: '/var/test_dir(/.*)?', setype: 'user_home_dir_t', ftype: 'd' }
      - { target: '/var/test_dir/user(/.*)?', setype: 'user_home_dir_t', ftype: 'd', seuser: 'user_u', selevel: 's0:c100' }
    # Restore SELinux file contexts in '/var/test_dir'
    selinux_restore_dirs:
      - /var/test_dir
  tasks:
  - name: execute the role and catch errors
    include_role:
      name: linux-system-roles.selinux

# mkdir -p /var/test_dir/user
# ls -dZ /var/test_dir/{,user}
unconfined_u:object_r:var_t:s0 /var/test_dir/  unconfined_u:object_r:var_t:s0 /var/test_dir/user

# ansible-playbook -c local -i localhost, playbook.yml
...
PLAY RECAP *********************************************************************
localhost                  : ok=9    changed=3    unreachable=0    failed=0    skipped=16   rescued=0    ignored=0



Before the change is applied there is no change in the user part - it is still unconfined_u:

# ls -dZ /var/test_dir/{,user}
unconfined_u:object_r:user_home_dir_t:s0 /var/test_dir/  unconfined_u:object_r:user_home_dir_t:s0 /var/test_dir/user

With the change applied:

# ls -dZ /var/test_dir/{,user}
system_u:object_r:user_home_dir_t:s0 /var/test_dir/  user_u:object_r:user_home_dir_t:s0:c100 /var/test_dir/user

unconfined_u is replaced with system_u and there's s0:c100 instead of s0.
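The verification above compares label strings by eye. As an added helper (not part of the bug report or of the selinux role), the script below parses `ls -dZ` output into user/role/type/level fields and reports which field of which path differs from what the playbook's selinux_fcontexts mapping should produce; the two `ls -dZ` outputs from the comment are embedded as constructed sample input.

```python
"""Added example (not part of the bug report or the selinux role): parse
`ls -dZ` output and check each path's SELinux user, type and level against
the labels the selinux_fcontexts mapping should produce. MLS/MCS levels
contain colons (s0:c100, s0-s0:c0.c1023), so contexts are split at most 3 times."""

FIELDS = ("seuser", "role", "setype", "level")

def parse_context(label: str) -> dict:
    """Split 'user:role:type:level' into fields without breaking the level."""
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a full SELinux context: {label!r}")
    return dict(zip(FIELDS, parts))

def parse_ls_z(output: str) -> dict:
    """Map each path in `ls -dZ` output to its context (several pairs per line)."""
    tokens = output.split()
    if len(tokens) % 2:
        raise ValueError("expected alternating context/path tokens")
    return {tokens[i + 1].rstrip("/"): parse_context(tokens[i])
            for i in range(0, len(tokens), 2)}

def check_labels(output: str, expected: dict) -> list:
    """Return mismatches as (path, field, expected, actual); empty means OK."""
    actual = parse_ls_z(output)
    problems = []
    for path, want in expected.items():
        got = actual.get(path.rstrip("/"))
        if got is None:
            problems.append((path, "missing", None, None))
            continue
        problems += [(path, f, want[f], got[f]) for f in want if want[f] != got[f]]
    return problems

# What the playbook in the comment should produce (the role is always object_r).
EXPECTED = {
    "/var/test_dir": {"seuser": "system_u", "setype": "user_home_dir_t", "level": "s0"},
    "/var/test_dir/user": {"seuser": "user_u", "setype": "user_home_dir_t", "level": "s0:c100"},
}

# Constructed sample input, copied from the two `ls -dZ` runs in the comment.
BEFORE = ("unconfined_u:object_r:user_home_dir_t:s0 /var/test_dir/  "
          "unconfined_u:object_r:user_home_dir_t:s0 /var/test_dir/user")
AFTER = ("system_u:object_r:user_home_dir_t:s0 /var/test_dir/  "
         "user_u:object_r:user_home_dir_t:s0:c100 /var/test_dir/user")

if __name__ == "__main__":
    for name, out in (("before", BEFORE), ("after", AFTER)):
        print(name, check_labels(out, EXPECTED) or "OK")
```

A result that differs only in seuser or level, as in the "before" output, is what restorecon without -F leaves behind, since it resets only the type portion of the context; that is why the change also runs restorecon -F.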

Comment 15 errata-xmlrpc 2022-11-15 10:24:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:8117