Bug 701402

Summary: /usr/sbin/genhomedircon mangles contexts in /etc/selinux
Product: [Fedora] Fedora
Reporter: Valdis Kletnieks <valdis.kletnieks>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: dwalsh, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-03 15:36:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Valdis Kletnieks 2011-05-02 19:40:48 UTC
Description of problem:
Trying to figure out why multiple runs of restorecon and fixfiles kept repeating:

restorecon reset /etc/selinux/mls/modules/active/base.pp context user_u:object_r:selinux_config_t:s0->system_u:object_r:semanage_store_t:s0

(For example only - it tossed 334 basically identical complaints.)

Finally tracked it down to genhomedircon as called by fixfiles:

# restorecon -R /etc/selinux
# ls -lZ /etc/selinux/mls/modules/active/base.pp
-rw-------. root root system_u:object_r:semanage_store_t:s0 /etc/selinux/mls/modules/active/base.pp
# /usr/sbin/genhomedircon 
# ls -lZ /etc/selinux/mls/modules/active/base.pp
-rw-------. root root user_u:object_r:selinux_config_t:s0 /etc/selinux/mls/modules/active/base.pp

at which point 334 files have had their contexts changed, and fixfiles continues on and flags them all as needing fixing.

Probably needs to add a call to 'restorecon -R /etc/selinux' in the genhomedircon script - that seems to fix the issue here.

Version-Release number of selected component (if applicable):
policycoreutils-2.0.86-7.fc16.x86_64

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
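
The reporter found the problem by reading 334 near-identical restorecon lines by hand. The following is an added triage helper, not part of the bug report or of policycoreutils: it tallies what `restorecon -Rnv /etc/selinux` would change, grouped by context transition, and counts files whose SELinux user is no longer system_u (the symptom here, files written back as user_u). The sample input is constructed for this example; on a real system, pipe restorecon's dry-run output in instead.

```shell
# Added example (not from the bug report): summarize restorecon -Rnv output
# so a relabel storm like the one in this report is visible at a glance.

# summarize_relabels: read "restorecon reset PATH context OLD->NEW" lines on
# stdin and print "COUNT OLD -> NEW" per distinct transition, most frequent first.
summarize_relabels() {
    awk '$1 == "restorecon" && $2 == "reset" && $4 == "context" {
             split($5, ctx, "->"); key = ctx[1] " -> " ctx[2]; n[key]++
         }
         END { for (k in n) print n[k], k }' | sort -rn
}

# count_user_mislabels: number of listed files whose current SELinux user
# (first field of the OLD context) is not system_u.
count_user_mislabels() {
    awk '$1 == "restorecon" && $2 == "reset" && $4 == "context" {
             split($5, ctx, "->"); split(ctx[1], cur, ":")
             if (cur[1] != "system_u") c++
         }
         END { print c + 0 }'
}

# Constructed sample of restorecon -Rnv output, modelled on the line quoted
# in the report (file names other than base.pp are made up for illustration).
SAMPLE_RESTORECON_OUTPUT='restorecon reset /etc/selinux/mls/modules/active/base.pp context user_u:object_r:selinux_config_t:s0->system_u:object_r:semanage_store_t:s0
restorecon reset /etc/selinux/mls/modules/active/file_contexts context user_u:object_r:selinux_config_t:s0->system_u:object_r:semanage_store_t:s0
restorecon reset /etc/selinux/mls/modules/active/homedir_template context user_u:object_r:selinux_config_t:s0->system_u:object_r:semanage_store_t:s0
restorecon reset /etc/selinux/config context system_u:object_r:etc_t:s0->system_u:object_r:selinux_config_t:s0'

# On a live system:  restorecon -Rnv /etc/selinux | summarize_relabels
# (-n reports without changing anything, so you can look before fixing).
printf '%s\n' "$SAMPLE_RESTORECON_OUTPUT" | summarize_relabels
printf 'files not owned by system_u: %s\n' \
    "$(printf '%s\n' "$SAMPLE_RESTORECON_OUTPUT" | count_user_mislabels)"
```

Running the summary after `genhomedircon` (or after any semanage operation) and again after `restorecon -R /etc/selinux` gives a quick before/after check that the store has been returned to system_u:object_r:semanage_store_t:s0 rather than relying on the relabel being quietly repeated on every fixfiles run.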

Comment 1 Daniel Walsh 2011-05-03 15:36:10 UTC
You are running in permissive mode on a system logged in as user_u and modifying policy, that is why things are getting mislabeled.

You are only supposed to be running semanage on an MLS box as the user sysadm_t.

You need to set up your login as staff_t and then newrole to sysadm_t when you run as root.  Or set up sudo with TYPE=sysadm_t ROLE=sysadm_r which will change your staff_t user to a sysadm_t admin.