Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Anaconda sets wrong(at lest different) selinux context on /etc/sysconfig/iptables file|
|Product:||Red Hat Enterprise Linux 5||Reporter:||Raghu Udiyar <rudiyar>|
|Component:||anaconda||Assignee:||Brian Lane <bcl>|
|Status:||CLOSED ERRATA||QA Contact:||Release Test Team <release-test-team>|
|Fixed In Version:||anaconda-188.8.131.52-1||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2011-07-21 02:54:48 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Raghu Udiyar 2010-11-29 05:00:46 EST
Description of problem: /etc/sysconfig/iptables has a selinux context of etc_t on a fresh rhel5.5 install. But the upon a restorecon or selinux relabel this changes to etc_runtime_t Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: # cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.5 (Tikanga) # ls -Z /etc/sysconfig/iptables -rw------- root root system_u:object_r:etc_t /etc/sysconfig/iptables # restorecon /etc/sysconfig/iptables # ls -Z /etc/sysconfig/iptables -rw------- root root system_u:object_r:etc_runtime_t /etc/sysconfig/iptables Actual results: The context changes Expected results: The context should not change and be either etc_t or etc_runtime_t Additional info:
Comment 1 Martin Gracik 2010-11-29 10:45:09 EST
Didn't you update the selinux-policy-targeted package after installation? Anaconda sets the context depending on what selinux gives us, so this may be caused because of a different selinux-policy-targeted package in the install.img and in the installed system.
Comment 2 Raghu Udiyar 2010-11-30 02:37:08 EST
I have tested this on a fresh RHEL5.5 installation. I've ran no updates after the installation. The policy sets "etc_runtime_t" : # semanage fcontext -l | grep iptables [..] /etc/sysconfig/iptables regular file system_u:object_r:etc_runtime_t:s0 [..] Maybe, the install.img contains an older package then the same package it's installing on the system.
Comment 3 Chris Lumens 2010-11-30 10:59:51 EST
> Maybe, the install.img contains an older package then the same package it's > installing on the system. That's what I am wondering, too. The install.img will contain whatever was in the tree at the time the install.img was composed. So really the only time the above situation would happen is if new packages were put into the tree without generating new images. Can you attach /var/log/anaconda.log and /var/log/anaconda.syslog to this bug report, just so we can verify there's nothing suspect in there?
Comment 6 Chris Lumens 2010-12-07 15:56:32 EST
Okay, it looks like anaconda just needs to set the label on /etc/sysconfig/iptables on rhel5-branch. On rhel6-branch and master we relabel the entire /etc/sysconfig directory but we are a little more selective on RHEL5, which is why we are seeing problems here.
Comment 7 RHEL Product and Program Management 2011-02-01 12:06:22 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Comment 9 Alexander Todorov 2011-05-11 10:09:32 EDT
Tested with RHEL5.7-Server-20110430.2 and the result is a PASS. After install: # ls -lZ /etc/sysconfig/iptables -rw------- root root system_u:object_r:etc_runtime_t /etc/sysconfig/iptables # restorecon /etc/sysconfig/iptables # ls -lZ /etc/sysconfig/iptables -rw------- root root system_u:object_r:etc_runtime_t /etc/sysconfig/iptables
Comment 10 errata-xmlrpc 2011-07-21 02:54:48 EDT
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0984.html