Bug 736153

| Field | Value |
|---|---|
| Summary | restorecon should not change USER,ROLE,MLS range unless -F is specified |
| Product | Red Hat Enterprise Linux 6 |
| Component | policycoreutils |
| Version | 6.1 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | urgent |
| Reporter | Daniel Walsh <dwalsh> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Milos Malik <mmalik> |
| CC | dwalsh, ebenes, ksrot, mgrepl, mmalik, mvadkert, psklenar, sgrubb |
| Target Milestone | rc |
| Target Release | 6.2 |
| Fixed In Version | policycoreutils-2.0.83-19.14.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2011-12-06 15:31:08 UTC |
| Bug Blocks | 584498, 743047, 846801, 846802 |
Description
Daniel Walsh
2011-09-06 20:29:35 UTC

Fixed in selinux-policy-2.0.83-19.14

I'm correcting the "Fixed In Version" field. More info in the Changelog at https://brewweb.devel.redhat.com/buildinfo?buildID=179639.

Yes. This bug is causing regressions (currently 2), but I really don't like this behaviour change. See please:
https://bugzilla.redhat.com/show_bug.cgi?id=741430
https://bugzilla.redhat.com/show_bug.cgi?id=743222

Dan, why do we need this fix? Is some customer behind this? Thanks!

Yes, this fix was for MLS machines and soon will be needed for Targeted/Containers. The idea is we want restorecon to fix the "type" portion of the label but not the level or the user, unless -F is given. The current behaviour does not allow us to label a user's home directory correctly if they are running at a level higher than s0.

I believe this bug should be set back to ASSIGNED and we should discuss it before including it in RHEL 6.2. I have a couple of questions on my mind:
Does the change just move a part of the previous default functionality to the -F option?
Is there new functionality added to the -F option?
Could we keep the previous functionality and add a new option to take care of the requirement for labeling homedirs you mentioned in the previous comment?

The short summary is that the new version of restorecon changes the default behaviour when used without -F. With the new version one has to use -F to get the same results as before. This is causing regressions, as mentioned in the previous comment, in system scripts counting on the previous behaviour (not to mention possible issues in customer scripts).

OLD behaviour withOUT -F:

    $ chcon -u staff_u -t shadow_t -l s0:c1 test ; ls -Z test ; restorecon -vv test ; ls -Z test
    -rw-rw-r--. estragon estragon staff_u:object_r:shadow_t:s0:c1 test
    restorecon reset /home/estragon/test context staff_u:object_r:shadow_t:s0:c1->unconfined_u:object_r:user_home_t:s0
    -rw-rw-r--. estragon estragon unconfined_u:object_r:user_home_t:s0 test

NEW behaviour withOUT -F:

    # chcon -u staff_u -t shadow_t -l s0:c1 test ; ls -Z test ; restorecon -vv test ; ls -Z test
    -rw-r--r--. root root staff_u:object_r:shadow_t:s0:c1 test
    restorecon reset /root/test context staff_u:object_r:shadow_t:s0:c1->staff_u:object_r:admin_home_t:s0:c1
    -rw-r--r--. root root staff_u:object_r:admin_home_t:s0:c1 test

----

OLD behaviour WITH -F:

    $ chcon -u staff_u -t shadow_t -l s0:c1 test ; ls -Z test ; restorecon -Fvv test ; ls -Z test
    -rw-rw-r--. estragon estragon staff_u:object_r:shadow_t:s0:c1 test
    restorecon reset /home/estragon/test context staff_u:object_r:shadow_t:s0:c1->unconfined_u:object_r:user_home_t:s0
    -rw-rw-r--. estragon estragon unconfined_u:object_r:user_home_t:s0 test

NEW behaviour WITH -F:

    # chcon -u staff_u -t shadow_t -l s0:c1 test ; ls -Z test ; restorecon -Fvv test ; ls -Z test
    -rw-r--r--. root root staff_u:object_r:shadow_t:s0:c1 test
    restorecon reset /root/test context staff_u:object_r:shadow_t:s0:c1->system_u:object_r:admin_home_t:s0
    -rw-r--r--. root root system_u:object_r:admin_home_t:s0 test

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2011-1637.html
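Added example (editorial, not part of the bug report and not policycoreutils or libselinux code): a small Python model of the label that restorecon chooses under the old behaviour and under the RHEL 6.2 behaviour described in the comments above, with and without -F. The four `chcon`/`restorecon -vv` transcripts on this page are used as the test data, so the model can be checked against what the real tool printed. Assumptions: the role is preserved together with the user and range (the bug summary says so, but every context on the page has `object_r` on both sides, so the transcripts cannot distinguish this); a file that carries no range at all takes the range from the file_contexts entry; customizable types, which the real `-F` also affects, are ignored here. The helper names (`relabel_old`, `relabel_new`, `changed_fields`) are invented for this example.

```python
# Editorial model of restorecon's label choice; NOT the policycoreutils source.
#
# A SELinux file context is user:role:type[:range].  The MLS/MCS range is
# optional and may itself contain colons ("s0-s0:c0.c1023"), so it is
# everything after the third colon and is never split further.


def split_context(ctx):
    """Split "user:role:type[:range]" into a 4-tuple; range is None if absent."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("not a valid SELinux context: %r" % ctx)
    user, role, type_ = parts[:3]
    mls = parts[3] if len(parts) == 4 else None
    return user, role, type_, mls


def join_context(user, role, type_, mls):
    ctx = ":".join((user, role, type_))
    return ctx if mls is None else ctx + ":" + mls


def relabel_old(current, default, force=False):
    """Before policycoreutils-2.0.83-19.14: with or without -F, the whole
    file_contexts entry is applied (the OLD transcripts in the bug)."""
    return default


def relabel_new(current, default, force=False):
    """policycoreutils-2.0.83-19.14 (RHEL 6.2): without -F only the type is
    corrected and user, role and MLS range stay as found on the file; with
    -F (force=True) the full file_contexts entry is applied, as before."""
    if force:
        return default
    user, role, _type, mls = split_context(current)
    _duser, _drole, dtype, dmls = split_context(default)
    # Assumption (from the bug summary): role is kept like user and range.
    # Assumption: a file with no range takes the range of the default entry.
    return join_context(user, role, dtype, mls if mls is not None else dmls)


def changed_fields(current, default):
    """Names of the context fields that differ between the on-disk label and
    the file_contexts entry.  If the list is exactly ['type'], a plain
    restorecon repairs the file under both behaviours; any other entry is
    only repaired by restorecon -F on RHEL 6.2, which is what the regressed
    scripts on this bug ran into."""
    names = ("user", "role", "type", "range")
    return [n for n, a, b in zip(names, split_context(current),
                                 split_context(default)) if a != b]


# Inputs taken from the /root/test transcripts on this page: the label chcon
# left on the file, and the label restorecon -F restored it to.
ROOT_TEST = "staff_u:object_r:shadow_t:s0:c1"
ROOT_DEFAULT = "system_u:object_r:admin_home_t:s0"


def demo():
    """Reproduce the page's NEW transcripts and show which fields drifted."""
    return {
        "new, no -F": relabel_new(ROOT_TEST, ROOT_DEFAULT),
        "new, -F": relabel_new(ROOT_TEST, ROOT_DEFAULT, force=True),
        "old, no -F": relabel_old(ROOT_TEST, ROOT_DEFAULT),
        "changed": changed_fields(ROOT_TEST, ROOT_DEFAULT),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print("%-11s %s" % (label + ":", value))
```

The practical check for a script author is `changed_fields`: on RHEL 6.2 a plain `restorecon` only closes the `type` gap, so anything that previously relied on it to reset the SELinux user or level (as the old `estragon` transcript shows it doing) has to pass `-F`, exactly as the comments above conclude. The model is deliberately narrow: the real tool resolves the default through libselinux's file_contexts lookup and has extra rules (customizable types, the `-F` handling of them) that are not represented here.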