Bug 532565
| Summary: | matchpathcon_filespec_add: conflicting specifications for /sbin/e4fsck and /sbin/fsck.ext4dev | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Kevin Graham <kgraham> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Priority: | low |
| Version: | 5.4 | CC: | dwalsh, esandeen, mmalik, syeghiay |
| Target Milestone: | rc | Hardware: | All |
| OS: | Linux | Doc Type: | Bug Fix |
| Fixed In Version: | selinux-policy-2.4.6-271.el5 | Last Closed: | 2010-03-30 07:50:37 UTC |
Description
Kevin Graham
2009-11-02 19:54:14 UTC
Does this only show up for e4fsprogs? I'd expect e2fsprogs to behave exactly the same way:

```
# ls -li /sbin/e?fsck /sbin/fsck.ext* | sort -n
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30 2008 /sbin/e2fsck
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30 2008 /sbin/fsck.ext2
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30 2008 /sbin/fsck.ext3
14404149 -rwxr-xr-x 3 root root 317960 Sep 12 2008 /sbin/e4fsck
14404149 -rwxr-xr-x 3 root root 317960 Sep 12 2008 /sbin/fsck.ext4
14404149 -rwxr-xr-x 3 root root 317960 Sep 12 2008 /sbin/fsck.ext4dev
```

It sounds like we probably just need to teach the policy about the hardlinks in this package. dwalsh...?

-Eric

Add a -Z

```
# ls -liZ /sbin/e?fsck /sbin/fsck.ext* | sort -n
```

re comment 1 -- guessing the contents of bug 286211 call it out (I don't have access to it), but /sbin/e2fsck is called out in file_contexts (as should e4fsck, presumably):

```
/sbin/e2fsck -- system_u:object_r:fsadm_exec_t:s0
```

...presumably to address the conflict between:

```
/sbin/.* system_u:object_r:sbin_t:s0
```

...and the hard links referenced as:

```
/sbin/fsck.* -- system_u:object_r:fsadm_exec_t:s0
```

Miroslav you need to add

```
/sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
```

to fstools.fc

Thanks Daniel.

-Eric

Fixed in selinux-policy-2.4.6-264.el5

The same conflict on other files:

```
# rpm -q selinux-policy
selinux-policy-2.4.6-270.el5.noarch
# ls -li /sbin/mke4fs /sbin/mkfs.ext4*
32964672 -rwxr-xr-x 3 root root 211620 Jul 14 2009 /sbin/mke4fs
32964672 -rwxr-xr-x 3 root root 211620 Jul 14 2009 /sbin/mkfs.ext4
32964672 -rwxr-xr-x 3 root root 211620 Jul 14 2009 /sbin/mkfs.ext4dev
# ls -Z /sbin/mke4fs /sbin/mkfs.ext4*
-rwxr-xr-x root root system_u:object_r:fsadm_exec_t /sbin/mke4fs
-rwxr-xr-x root root system_u:object_r:fsadm_exec_t /sbin/mkfs.ext4
-rwxr-xr-x root root system_u:object_r:fsadm_exec_t /sbin/mkfs.ext4dev
# restorecon -Rv /sbin/
restorecon reset /sbin/mke4fs context system_u:object_r:fsadm_exec_t:s0->system_u:object_r:sbin_t:s0
restorecon reset /sbin/mkfs.ext4 context system_u:object_r:sbin_t:s0->system_u:object_r:fsadm_exec_t:s0
```

When restorecon meets /sbin/mke4fs, it changes the context to sbin_t. When restorecon meets /sbin/mkfs.ext4, it changes the context back to fsadm_exec_t.

Looks like we need

```
/sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
```

Yes, I need to add this label.

Fixed in selinux-policy-2.4.6-271.el5

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
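
The hard-link conflict discussed in this report can be checked for mechanically. The following is an added example, not code from the report or from selinux-policy: it groups the paths from the `ls -li` output by inode and flags inodes whose links resolve to different contexts under the quoted rules. The "longest literal prefix wins" ordering in `lookup` is an assumed simplification of how libselinux ranks file_contexts entries, and `E4FSCK_FIX` is the entry proposed in the thread.

```python
import re
from collections import defaultdict

# Rules quoted in the report: (path regex, context). The "--" file-type
# field is omitted because every sample path is a regular file.
RULES = [
    ("/sbin/.*", "system_u:object_r:sbin_t:s0"),
    ("/sbin/fsck.*", "system_u:object_r:fsadm_exec_t:s0"),
    ("/sbin/e2fsck", "system_u:object_r:fsadm_exec_t:s0"),
]
E4FSCK_FIX = ("/sbin/e4fsck", "system_u:object_r:fsadm_exec_t:s0")

# (inode, path) pairs taken from the `ls -li` output in the report.
LINKS = [
    (14403933, "/sbin/e2fsck"), (14403933, "/sbin/fsck.ext2"),
    (14403933, "/sbin/fsck.ext3"), (14404149, "/sbin/e4fsck"),
    (14404149, "/sbin/fsck.ext4"), (14404149, "/sbin/fsck.ext4dev"),
]

META = set(".^$?*+|[({\\")

def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in META:
            return i
    return len(pattern)

def lookup(path, rules):
    """Context of the most specific matching rule (assumed ordering:
    longest literal prefix wins, a simplification of libselinux)."""
    hits = [(stem_len(p), ctx) for p, ctx in rules if re.fullmatch(p, path)]
    return max(hits)[1] if hits else None

def conflicts(links, rules):
    """Map inode -> {path: context} where hard links disagree on context."""
    by_inode = defaultdict(dict)
    for inode, path in links:
        by_inode[inode][path] = lookup(path, rules)
    return {i: m for i, m in by_inode.items() if len(set(m.values())) > 1}

if __name__ == "__main__":
    for inode, labels in conflicts(LINKS, RULES).items():
        print("conflicting specifications for inode", inode, labels)
```

Running `conflicts(LINKS, RULES + [E4FSCK_FIX])` returns an empty result, which is the state the policy fix aims for.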