| Summary: | Context depends on rules order | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Forrest Taylor <ftaylor> |
| Component: | policycoreutils | Assignee: | Petr Lautrbach <plautrba> |
| Status: | CLOSED WONTFIX | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.2 | CC: | djuran, dwalsh, edgar.hoch, eparis, jbrindle, jpazdziora, ksrot, mgrepl, mmalik, mueller, parsonsa, plautrba, rcyriac, sdsmall |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 678577 | Environment: | |
| Last Closed: | 2016-11-02 17:08:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 678577 | ||
| Bug Blocks: | |||
|
Description
Forrest Taylor
2012-03-15 18:33:38 UTC
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

Hi Dan, how is this supposed to be fixed, exactly? Are you going to add a new semanage.conf option that was mentioned in the upstream bug? I am afraid that if file_contexts.local gets sorted by default it could break customer setup.

It still seems to be the case that file_contexts.local rules follow the "last match wins" rule with RHEL 6.6.
* semanage fcontext --list does not necessarily show the right order
* I can't find documentation about the expected behaviour in RHEL ("man semanage", googling)
* https://fedoraproject.org/wiki/SELinux/ManagingFileContext describes something different than RHEL6 does.
Bit of a confusing situation. One can easily produce unexpected results if you have multiple rules in a folder and its subdirectories.
(In reply to Thomas Mueller from comment #14)
> seems still to be the case that file_contexts.local rules follow the "last
> match wins" rule with RHEL 6.6.

Right.

> * semanage fcontext --list does not necessarily show the right order

'semanage fcontext -l' was changed in rhel-6.7 to show rules in the order they were added, see https://rhn.redhat.com/errata/RHBA-2015-2098.html. This is far from ideal but at least somehow follows the logic.

> * I can't find documentation about the expected behaviour in RHEL ("man
> semanage", googling)
> * https://fedoraproject.org/wiki/SELinux/ManagingFileContext describes
> something different than RHEL6 does.

I've updated the page and added the following 2 points:
* if A is a local context added by 'semanage fcontext -a' and B is not, B is less specific than A
* if A and B are both local contexts added by 'semanage fcontext -a', the last added context is the most specific

> Bit of a confusing situation. One can easily produce unexpected results if
> you have multiple rules in a folder and its subdirectories.

I completely agree. Unfortunately we don't have any solution for this now.

Red Hat Enterprise Linux version 6 is entering the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information. This issue is being tracked in Red Hat Enterprise Linux version 7. |
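An added example (not part of the bug report and not policycoreutils code): a small audit that replays the "last added local rule wins" behaviour described in this thread over a file_contexts.local listing and flags cases where a narrower rule is overridden by a broader rule added later. The sample rules and probe paths are constructed, and the helper names are hypothetical. Assumptions: regexes are matched against the whole path, Python's `re` stands in for the system regex library, file-type fields are ignored, and "narrower" is approximated by the length of the literal prefix.

```python
import re

# Constructed file_contexts.local content, in the order the rules were added
# with 'semanage fcontext -a' (paths and types chosen for illustration only).
SAMPLE_LOCAL = """\
# constructed example, not taken from the bug report
/srv/app/logs(/.*)?    system_u:object_r:var_log_t:s0
/srv/app(/.*)?         system_u:object_r:httpd_sys_content_t:s0
/srv/app/upload(/.*)?  system_u:object_r:httpd_sys_rw_content_t:s0
"""

def parse_local(text):
    """Return [(spec, compiled_regex, context)] in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Context is the last field; an optional file-type field is ignored here.
        rules.append((fields[0], re.compile(fields[0]), fields[-1]))
    return rules

def stem(spec):
    """Literal prefix of a spec, up to the first regex metacharacter."""
    return re.split(r"[.^$?*+|\[\](){}\\]", spec, maxsplit=1)[0]

def resolve(rules, path):
    """Last rule in file order whose regex matches the whole path wins."""
    winner = None
    for spec, rx, ctx in rules:
        if rx.fullmatch(path):
            winner = (spec, ctx)
    return winner

def shadowed(rules, probes):
    """Flag probe paths where a narrower rule loses to a broader, later one."""
    findings = []
    for path in probes:
        matches = [(s, c) for s, rx, c in rules if rx.fullmatch(path)]
        if not matches:
            continue
        win_spec, win_ctx = matches[-1]
        for spec, ctx in matches[:-1]:
            if ctx != win_ctx and len(stem(spec)) > len(stem(win_spec)):
                findings.append((path, spec, win_spec))
    return findings

if __name__ == "__main__":
    rules = parse_local(SAMPLE_LOCAL)
    for path, loser, winner in shadowed(rules, ["/srv/app/logs/access.log", "/srv/app/upload/a.png"]):
        print(f"{path}: narrower rule '{loser}' is overridden by later rule '{winner}'")
```

On the constructed sample only the logs path is flagged: the upload rule was added after the broader `/srv/app(/.*)?` rule and therefore still wins for its subtree.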