Bug 746003

Summary: reservesys does not preserve selinux context of /etc/motd
Product: [Retired] Beaker Reporter: Jan Hutař <jhutar>
Component: testsAssignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: unspecified    
Version: 0.6CC: bpeck, dcallagh, dwalsh, llim, mcsontos, rmancy, stl, xjia
Target Milestone: 0.15.4   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: SELinux
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-17 22:38:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 545868    

Description Jan Hutař 2011-10-13 15:36:02 UTC 
Description of problem:
When I reserve RHEL5 system and then tries to fix SELinux contexts across /etc, I see two issues with motd caused by Beaker.


Version-Release number of selected component (if applicable):
beah-0.6.34-2.el5


How reproducible:
1 of 1


Steps to Reproduce:
1. Reserve RHEL5-Server-U7 system
2. # restorecon -vRn /etc | grep motd


Actual results:
There should be no output.


Expected results:
restorecon reset /etc/motd context root:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/motd.orig context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
Comment 1 Nick Coghlan 2012-10-17 04:39:25 UTC 
Bulk reassignment of issues as Bill has moved to another team.
Comment 2 Dan Callaghan 2012-10-29 05:46:41 UTC 
Both the /distribution/reservesys and /distribution/install tasks fiddle with /etc/motd and don't preserve SELinux context.
Comment 4 Dan Callaghan 2014-01-21 06:57:04 UTC 
On Gerrit: http://gerrit.beaker-project.org/2716
Comment 5 Nick Coghlan 2014-01-21 08:33:29 UTC 
Dan,

We have an SELinux glitch in Beaker that has been there for a while, which is that /etc/motd doesn't have the right context on (at least) RHEL5U7.

The original /etc/motd in Beaker provisioned systems is created by a line like this:

    FILE=/etc/motd
    echo "** ** ** **" > $FILE

After that, we just append the rest of the message to it. The system reservation task then moves that original file aside, and creates a new one, again with a shell pipe.

These are the two files that Jan indicates have an incorrect SELinux context in the report above.

Do shell pipes in older versions of RHEL set the SELinux context correctly? If not, that would explain the incorrect contexts for these files.

If that is the case, would doing "touch $FILE" before appending to it via a pipe solve the problem? Or will we need to do an explicit restorecon to ensure we get a correct context all the way back to the dim dark early days of RHEL's SELinux support when it wasn't integrate directly into any of the core utilities?
Comment 6 Daniel Walsh 2014-01-21 16:51:03 UTC 
The SELinux context is based on the label of the object that created it and the containing directory.

In this case the init script is running as initrc_t and the directory (/etc) is labeled etc_t.

We have a rule in policy that says if a process running as initrc_t creates a file in a directory labeled etc_t, it will create it as etc_runtime_t.

sesearch -T -s initrc_t -t etc_t -c file | grep runtime
   type_transition initrc_t etc_t : file etc_runtime_t; 

The script that you have creating the file should just run restorecon and then you will not have the problem.

FILE=/etc/motd
echo "** ** ** **" > $FILE
restorecon $FILE
Comment 7 Nick Coghlan 2014-01-22 00:37:15 UTC 
Thanks Dan, we can do that.
Comment 10 Dan Callaghan 2014-02-17 22:38:57 UTC 
distribution-reservesys-3.4-3 has been released.