Bug 814904

Summary: Selinux does not keep the context
Product: [Fedora] Fedora
Reporter: Japplo <martincd>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dwalsh, martin_, mgrepl
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-04-23 17:41:19 UTC
Type: Bug

Description Japplo 2012-04-21 07:34:09 UTC
Description of problem:
SELinux does not keep the context of some QT SDK files

Version-Release number of selected component (if applicable):
policycoreutils-2.1.11-5.fc17.x86_64

How reproducible:
In Fedora 15+16+17 try to restore the default file SELinux security contexts. Restorecon shows a reset. Try it again, Restorecon will also show a reset again.

Steps to Reproduce:
1. Download QT SDK (http://qt.nokia.com/downloads)
2. Install QT SDK, for example to /opt/qtsdk/
3. restorecon -R -v /opt/qtsdk/
  
Actual results:
restorecon -R -v /opt/qtsdk/
restorecon reset /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids context system_u:object_r:usr_t:s0->system_u:object_r:var_lib_t:s0

restorecon -R -v /opt/qtsdk/
restorecon reset /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids context system_u:object_r:usr_t:s0->system_u:object_r:var_lib_t:s0

Comment 1 Daniel Walsh 2012-04-22 11:53:03 UTC
So you are saying the restorecon is actually not setting the file context.

ls -lZ /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids

Does the following report an error?

# chcon -t var_lib_t /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids

Comment 2 Japplo 2012-04-22 12:26:23 UTC
It seems that the file context is OK, but restorecon shows a reset:


# ls -lZ /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids
-rw-r--r--. japplo japplo system_u:object_r:var_lib_t:s0   /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids

# restorecon -R -v /opt/qtsdk/ | grep "usbutils/usb.ids"
restorecon reset /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids context system_u:object_r:usr_t:s0->system_u:object_r:var_lib_t:s0

# chcon -t var_lib_t /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids

# restorecon -R -v /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/ | grep "usbutils/usb.ids"

Thanks japplo

Comment 3 Daniel Walsh 2012-04-23 15:29:30 UTC
Is this file hard linked somewhere else?  I.e., if the inode is in both /var/lib and in another directory under /opt, restorecon could be changing the label twice.  Once to var_lib_t and once to usr_t, depending on the path to the inode.

Comment 4 Japplo 2012-04-23 17:41:19 UTC
ls -i /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/
805828 usb.ids

find / -inum 805828
/opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/usr/share/misc/usb.ids
/opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids

OK, thanks, you are right.

Comment 5 Japplo 2012-06-10 22:45:53 UTC
But how can I overcome the relabeling issue?

Comment 6 Miroslav Grepl 2012-06-11 09:32:08 UTC
You need to have the same labeling for both files. You will need to use the "semanage" tool to add labeling.

Comment 7 Daniel Walsh 2012-06-11 13:43:43 UTC
semanage fcontext -a -t var_lib_t /opt/qtsdk/Madde/sysroots/harmattan_sysroot_10.2011.34-1_slim/var/lib/usbutils/usb.ids

Comment 8 Japplo 2012-06-11 19:30:45 UTC
ok, many thanks
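
Added example (not part of the original bug thread or of policycoreutils): a scan for the condition diagnosed in Comments 3 and 4, where one inode has several link names and the policy gives those names different default labels, so every restorecon run reports a reset. It assumes the matchpathcon utility is installed; the function names and the lookup parameter are hypothetical.

```python
import os
import stat
import subprocess
import sys
from collections import defaultdict


def default_label(path):
    """Context the loaded policy assigns to `path`, via `matchpathcon -n`."""
    result = subprocess.run(["matchpathcon", "-n", path],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def find_label_conflicts(root, lookup=default_label):
    """Map (device, inode) -> {path: label} for every hard-linked regular
    file under `root` whose link names resolve to different default labels.
    `lookup` is a hypothetical hook so a stub can replace matchpathcon."""
    names = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Only regular files with more than one link name can be hit.
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                names[(st.st_dev, st.st_ino)].append(path)
    conflicts = {}
    for key, paths in names.items():
        labels = {p: lookup(p) for p in sorted(paths)}
        if len(set(labels.values())) > 1:
            conflicts[key] = labels
    return conflicts


if __name__ == "__main__":
    # Links that live outside the scanned root are not seen by this walk.
    for (_dev, inode), labels in find_label_conflicts(sys.argv[1]).items():
        print(f"inode {inode}:")
        for path, label in labels.items():
            print(f"  {label}  {path}")
```

Run it with the tree to check as its only argument, for example /opt/qtsdk/; each inode it prints needs file context rules that give all of its paths the same type.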