Bug 803846

Summary:	Context depends on rules order
Product:	Red Hat Enterprise Linux 6	Reporter:	Forrest Taylor <ftaylor>
Component:	policycoreutils	Assignee:	Petr Lautrbach <plautrba>
Status:	CLOSED WONTFIX	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	6.2	CC:	djuran, dwalsh, edgar.hoch, eparis, jbrindle, jpazdziora, ksrot, mgrepl, mmalik, mueller, parsonsa, plautrba, rcyriac, sdsmall
Target Milestone:	rc
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:	678577	Environment:
Last Closed:	2016-11-02 17:08:50 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Bug Depends On:	678577
Bug Blocks:

Description Forrest Taylor 2012-03-15 18:33:38 UTC

+++ This bug was initially created as a clone of Bug #678577 +++

Description of problem:
SELinux context of my directory depends on the order in which I add "semanage fcontext" rules. I believe it should not depend on that (it should use best match instead).

# mkdir /shared/samba -p
# semanage fcontext -a -t public_content_t "/shared(/.*)?"
# semanage fcontext -a -t samba_share_t "/shared/samba(/.*)?"
# restorecon -FvvR /shared/
restorecon reset /shared context unconfined_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /shared/samba context unconfined_u:object_r:default_t:s0->system_u:object_r:samba_share_t:s0
#
# semanage fcontext -d "/shared(/.*)?"
# semanage fcontext -d "/shared/samba(/.*)?"
# semanage fcontext -l | grep /shared
# restorecon -FvvR /shared/
restorecon reset /shared context system_u:object_r:public_content_t:s0->system_u:object_r:default_t:s0
restorecon reset /shared/samba context system_u:object_r:samba_share_t:s0->system_u:object_r:default_t:s0
#
# # add rules in reverse order
# semanage fcontext -a -t samba_share_t "/shared/samba(/.*)?"
# semanage fcontext -a -t public_content_t "/shared(/.*)?"
# restorecon -FvvR /shared/
restorecon reset /shared context system_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
restorecon reset /shared/samba context system_u:object_r:default_t:s0->system_u:object_r:public_content_t:s0
# # wrong context on /shared/samba

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-33.10.fc14.x86_64
libselinux-2.0.96-6.fc14.1.x86_64
checkpolicy-2.0.23-2.fc14.x86_64
polkit-desktop-policy-0.98-4.fc14.noarch
selinux-policy-3.9.7-29.fc14.noarch
libselinux-python-2.0.96-6.fc14.1.x86_64
policycoreutils-python-2.0.83-33.10.fc14.x86_64
selinux-policy-targeted-3.9.7-29.fc14.noarch
libselinux-utils-2.0.96-6.fc14.1.x86_64

How reproducible:
always

Steps to Reproduce:
1. run the code in the description
  
Actual results:
final directory context depends on the order in which the rules were added

Expected results:
final directory context is determined by best matching rule

Additional info:
Also affects RHEL 6.0

--- Additional comment from dwalsh on 2011-02-18 09:50:39 EST ---

Is this something we want to fix?  Shouldn't file context local use the same algorythm file_context uses?

--- Additional comment from sds.gov on 2011-02-18 09:58:28 EST ---

Background reading:
http://marc.info/?l=selinux&m=121154579506667&w=2

You'd need to take it up as an upstream selinux issue, but there is no fully general way to decide "best matching rules" so long as we support arbitrary regexes in the pathname fields.  We'd have to go to a more restricted syntax (e.g. file name globs) for more determinism.

--- Additional comment from sds.gov on 2011-02-18 10:04:23 EST ---

Oh, and just to clarify:  last matching rule wins has always been the documented behavior for setfiles.

--- Additional comment from kparal on 2011-02-18 10:28:11 EST ---

As for the "last matching rule" - if it is clearly documented this way, well, alright (nothing's perfect, I guess). But how should I know which rule was defined last? "semanage fcontext -l" can't be used for that:

# semanage fcontext -a -t samba_share_t "/shared/samba(/.*)?"
# ...months pass by...
# semanage fcontext -a -t public_content_t "/shared(/.*)?"
# ...months pass by...
# semanage fcontext -l | grep /shared
/shared(/.*)?                                      all files          system_u:object_r:public_content_t:s0 
/shared/samba(/.*)?                                all files          system_u:object_r:samba_share_t:s0 

As a system administrator I would be confused because from the "semanage fcontext -l" output everything seems ok (but it's not).

--- Additional comment from sds.gov on 2011-02-18 11:07:56 EST ---

I'm guessing that semanage fcontext is just walking a hash table rather than dumping the file contents.

I agree that we can do better here, but we have to be careful to avoid breaking existing setups.  It would be simple enough to change libsemanage to invoke semanage_fc_sort on the file_contexts.local contents before writing them to the file.  This is already done for file_contexts in order to provide sane ordering among entries in different policy modules, and uses a set of heuristics.  However, if any admin were relying on the prior behavior, this could switch his labeling.

--- Additional comment from sds.gov on 2011-02-18 11:14:36 EST ---

I guess what we could do is to introduce yet another /etc/selinux/semanage.conf option to control whether or not file_contexts.local gets sorted (default to off, to match current behavior), and then change libsemanage to apply semanage_fc_sort if this option is enabled.  Then Dan could turn it on in Fedora and/or RHEL and if someone squawks, they can turn it off in their local config.

--- Additional comment from edgar.hoch.de on 2011-11-29 12:42:51 EST ---

Is there something new or changed in Fedora 15 or 16 about this problem?

I think that it would be the best if
- more specific rules should match before less specific,
  e.g. if there exists a rule for /a/b(/.*) and one for /a/b/c(/.*), then the last one should be applied
- local added rules should overwrite system rules.

--- Additional comment from dwalsh on 2011-11-29 14:49:59 EST ---

That is the way it is supposed to work.

--- Additional comment from sds.gov on 2011-11-29 14:59:13 EST ---

Original bug was that file_contexts.local is not sorted by semanage_fc_sort, unlike file_contexts (i.e. the module .fc files).  So you can get a different result depending on the order in which you invoke semanage fcontext -a commands. I think that is still true; I haven't seen a patch for that.

--- Additional comment from dwalsh on 2011-11-29 15:04:39 EST ---

Me either.  Moving this to F16.

Comment 3 RHEL Program Management 2012-07-10 08:39:29 UTC

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 4 RHEL Program Management 2012-07-11 01:55:40 UTC

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 5 RHEL Program Management 2012-08-14 22:00:47 UTC

This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 6 Karel Srot 2012-08-23 09:46:09 UTC

Hi Dan,
how is this supposed to be fixed, exactly? Are you going to add new semanage.conf option that was mentioned in the upstream bug? I am afraid that if file_contexts.local gets sorted by default it could break customer setup.

Comment 14 Thomas Mueller 2015-07-14 09:30:46 UTC

seems still to be the case that file_contexts.local rules follow the "last match wins" rule with RHEL 6.6. 

* semanage fcontext --list does not necessarly show the right order 
* I can't find documentation about the expected behaviour in RHEL ("man semanage", googling)
* https://fedoraproject.org/wiki/SELinux/ManagingFileContext describes something different than RHEL6 does.

Bit of a confiusing situation. One can easily produce unexpected results if you have multiple rules in a folder and its subdirectories.

Comment 16 Petr Lautrbach 2016-01-07 14:21:09 UTC

(In reply to Thomas Mueller from comment #14)
> seems still to be the case that file_contexts.local rules follow the "last
> match wins" rule with RHEL 6.6. 

Right.
 
> * semanage fcontext --list does not necessarly show the right order 

'semanage fcontext -l' was changed in rhel-6.7 to show rules in the order they were added, see https://rhn.redhat.com/errata/RHBA-2015-2098.html. This far from ideal but at least somehow follows the logic.


> * I can't find documentation about the expected behaviour in RHEL ("man
> semanage", googling)
> * https://fedoraproject.org/wiki/SELinux/ManagingFileContext describes
> something different than RHEL6 does.

I've updated the page and added the following 2 points:

*if A is a local contexts added by 'semanage fcontext -a' and B is not, B is less specific than A
* if A and B are both local contexts added by 'semanage fcontext -a', the last added context is the most specific 


> Bit of a confiusing situation. One can easily produce unexpected results if
> you have multiple rules in a folder and its subdirectories.


I completely agree. Unfortunately we don't have any solution for this now.

Comment 17 Petr Lautrbach 2016-11-02 17:08:50 UTC

Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information.

This issue is being tracked in Red Hat Enterprise Linux version 7.