Bug 658084

Summary: Anaconda sets wrong(at lest different) selinux context on /etc/sysconfig/iptables file
Product: Red Hat Enterprise Linux 5 Reporter: Raghu Udiyar <rudiyar>
Component: anacondaAssignee: Brian Lane <bcl>
Status: CLOSED ERRATA QA Contact: Release Test Team <release-test-team>
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: atodorov, jstodola
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: anaconda-11.1.2.227-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-21 02:54:48 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Attachments:
Description Flags
anaconda.log
none
anaconda.syslog none

Description Raghu Udiyar 2010-11-29 05:00:46 EST
Description of problem:

/etc/sysconfig/iptables has a selinux context of etc_t on a fresh rhel5.5 install.

But the upon a restorecon or selinux relabel this changes to etc_runtime_t

Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.5 (Tikanga)
# ls -Z /etc/sysconfig/iptables
-rw-------  root root system_u:object_r:etc_t          /etc/sysconfig/iptables
# restorecon /etc/sysconfig/iptables
# ls -Z /etc/sysconfig/iptables
-rw-------  root root system_u:object_r:etc_runtime_t  /etc/sysconfig/iptables
  
Actual results:

The context changes

Expected results:

The context should not change and be either etc_t or etc_runtime_t
Additional info:
Comment 1 Martin Gracik 2010-11-29 10:45:09 EST
Didn't you update the selinux-policy-targeted package after installation?

Anaconda sets the context depending on what selinux gives us, so this may be caused because of a different selinux-policy-targeted package in the install.img and in the installed system.
Comment 2 Raghu Udiyar 2010-11-30 02:37:08 EST
I have tested this on a fresh RHEL5.5 installation. I've ran no updates after the installation.

The policy sets "etc_runtime_t" :

# semanage fcontext -l | grep iptables

[..]
/etc/sysconfig/iptables                            regular file       system_u:object_r:etc_runtime_t:s0 
[..]

Maybe, the install.img contains an older package then the same package it's installing on the system.
Comment 3 Chris Lumens 2010-11-30 10:59:51 EST
> Maybe, the install.img contains an older package then the same package it's
> installing on the system.

That's what I am wondering, too.  The install.img will contain whatever was in the tree at the time the install.img was composed.  So really the only time the above situation would happen is if new packages were put into the tree without generating new images.

Can you attach /var/log/anaconda.log and /var/log/anaconda.syslog to this bug report, just so we can verify there's nothing suspect in there?
Comment 4 Raghu Udiyar 2010-12-02 03:34:25 EST
Created attachment 464186 [details]
anaconda.log
Comment 5 Raghu Udiyar 2010-12-02 03:35:41 EST
Created attachment 464187 [details]
anaconda.syslog
Comment 6 Chris Lumens 2010-12-07 15:56:32 EST
Okay, it looks like anaconda just needs to set the label on /etc/sysconfig/iptables on rhel5-branch.  On rhel6-branch and master we relabel the entire /etc/sysconfig directory but we are a little more selective on RHEL5, which is why we are seeing problems here.
Comment 7 RHEL Product and Program Management 2011-02-01 12:06:22 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 9 Alexander Todorov 2011-05-11 10:09:32 EDT
Tested with RHEL5.7-Server-20110430.2 and the result is a PASS.
After install:
# ls -lZ /etc/sysconfig/iptables
-rw-------  root root system_u:object_r:etc_runtime_t  /etc/sysconfig/iptables
# restorecon /etc/sysconfig/iptables
# ls -lZ /etc/sysconfig/iptables
-rw-------  root root system_u:object_r:etc_runtime_t  /etc/sysconfig/iptables
Comment 10 errata-xmlrpc 2011-07-21 02:54:48 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0984.html