Bug 480266

Summary: "semanage translation -a | -d" changes setrans.conf mode
Product: [Fedora] Fedora
Reporter: Murray McAllister <mmcallis>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: dwalsh, jkubin, mgrepl, vdanen
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-04-13 15:21:19 UTC

Description Murray McAllister 2009-01-16 03:25:39 UTC
Description of problem:
Fix for bug #460971 appears incomplete. Denials no longer occur, but the mode of "/etc/selinux/targeted/setrans.conf" is still changed to 600.


Version-Release number of selected component (if applicable):
policycoreutils-2.0.57-14.fc10.i386
selinux-policy-3.5.13-38.fc10.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch


How reproducible:
Always.

Steps to Reproduce:
Adding:
$ ls -l /etc/selinux/targeted/setrans.conf 
-rw-r--r-- 1 root root 598 2009-01-16 13:17 /etc/selinux/targeted/setrans.conf
$ sudo semanage translation -a -T Secret s0:c1
$ ls -l /etc/selinux/targeted/setrans.conf 
-rw------- 1 root root 611 2009-01-16 13:17 /etc/selinux/targeted/setrans.conf

Deleting:
$ sudo chmod 644 /etc/selinux/targeted/setrans.conf
$ sudo semanage translation -d s0:c1
$ ls -l /etc/selinux/targeted/setrans.conf 
-rw------- 1 root root 598 2009-01-16 13:19 /etc/selinux/targeted/setrans.conf


Additional info:
"strace semanage translation -a -T Secret s0:c1" contains at the end:

open("/etc/selinux/targeted/setrans.confkcqVEp", O_RDWR|O_CREAT|O_EXCL|O_LARGEFILE|O_NOFOLLOW, 0600) = 3
fcntl64(3, F_GETFD)                     = 0
fcntl64(3, F_SETFD, FD_CLOEXEC)         = 0
write(3, "#\n# Multi-Category Security trans"..., 611) = 611
close(3)                                = 0
rename("/etc/selinux/targeted/setrans.confkcqVEp", "/etc/selinux/targeted/setrans.conf") = 0

This is all I could find that would change the mode to 600. Is this expected behavior?

Comment 1 Daniel Walsh 2009-04-13 15:21:19 UTC
Fixed in policycoreutils-2.0.62-9.fc11
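
The strace in the description shows why the mode changes: the new contents are written to a temporary file created with mode 0600, and rename() then puts that file in place of setrans.conf, so the previous 644 is lost. The Python below is an added example, not code from policycoreutils or from the fix for this bug; the function names and the sample file contents are constructed for illustration. It reproduces the pattern and shows one way to carry the original owner and mode across the rename.

```python
import os
import stat
import tempfile

def _tmp_beside(path):
    # mkstemp creates the file with mode 0600, matching the open() in the strace.
    return tempfile.mkstemp(prefix=os.path.basename(path), dir=os.path.dirname(path))

def replace_naive(path, data):
    """Pattern from the strace: write a 0600 temp file, rename it over path."""
    fd, tmp = _tmp_beside(path)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.rename(tmp, path)

def replace_preserving_mode(path, data, default_mode=0o644):
    """Same atomic replace, but the temp file first takes the old owner and mode."""
    try:
        old = os.stat(path)
    except FileNotFoundError:
        old = None  # nothing to preserve, use default_mode
    fd, tmp = _tmp_beside(path)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            if old is not None:
                try:  # chown before chmod, since chown can clear setuid/setgid bits
                    os.fchown(f.fileno(), old.st_uid, old.st_gid)
                except PermissionError:
                    pass  # unprivileged caller: ownership stays as created
            mode = default_mode if old is None else stat.S_IMODE(old.st_mode)
            os.fchmod(f.fileno(), mode)
        os.rename(tmp, path)
    except BaseException:
        os.unlink(tmp)  # do not leave a stray temp file next to the target
        raise

def demo():
    """Run both variants on a constructed stand-in file and return the final modes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "setrans.conf")  # stand-in, not the real file
        modes = {}
        for replace in (replace_naive, replace_preserving_mode):
            with open(path, "wb") as f:
                f.write(b"# constructed sample\n")
            os.chmod(path, 0o644)
            replace(path, b"# constructed sample\ns0:c1=Secret\n")
            modes[replace.__name__] = stat.S_IMODE(os.stat(path).st_mode)
        return modes
```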