Bug 971425

Summary: File context not working correctly on RHEL7
Product: Red Hat Enterprise Linux 7
Reporter: Michal Trunecka <mtruneck>
Component: libselinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Michal Trunecka <mtruneck>
Severity: medium
Priority: medium
Version: 7.0
CC: ebenes, eparis, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libselinux-2.1.13-21.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 11:09:22 UTC
Type: Bug
Bug Blocks: 893599    

Description Michal Trunecka 2013-06-06 13:24:45 UTC
Description of problem:

By default, the following simulated SCL man page directory has the man_t type:

# matchpathcon /opt/rh/collection-xyz/root/usr/local/share/man/man9
/opt/rh/collection-xyz/root/usr/local/share/man/man9	system_u:object_r:man_t:s0

With the file context equivalency, it has usr_t despite the fact that the dir in the original path has mnt_t:

# semanage fcontext -l | grep "/opt/rh/collection-xyz/root = /"
# matchpathcon /usr/local/share/man/man9
/usr/local/share/man/man9x	system_u:object_r:man_t:s0
# matchpathcon /opt/rh/collection-xyz/root/usr/local/share/man/man9x
/opt/rh/collection-xyz/root/usr/local/share/man/man9x	system_u:object_r:usr_t:s0


Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-48.el7.noarch


Additional information: 
Here is the list of files with inconsistent contexts after installing the "filesystem" and "setup" rpms into a simulated SCL directory in /opt:

:: [   FAIL   ] :: /usr/local/share/man and /opt/rh/collection-xyz/root/usr/local/share/man are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man9 and /opt/rh/collection-xyz/root/usr/local/share/man/man9 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man1 and /opt/rh/collection-xyz/root/usr/local/share/man/man1 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man1x and /opt/rh/collection-xyz/root/usr/local/share/man/man1x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man2 and /opt/rh/collection-xyz/root/usr/local/share/man/man2 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man2x and /opt/rh/collection-xyz/root/usr/local/share/man/man2x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man3 and /opt/rh/collection-xyz/root/usr/local/share/man/man3 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man3x and /opt/rh/collection-xyz/root/usr/local/share/man/man3x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man4 and /opt/rh/collection-xyz/root/usr/local/share/man/man4 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man4x and /opt/rh/collection-xyz/root/usr/local/share/man/man4x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man5 and /opt/rh/collection-xyz/root/usr/local/share/man/man5 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man5x and /opt/rh/collection-xyz/root/usr/local/share/man/man5x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man6 and /opt/rh/collection-xyz/root/usr/local/share/man/man6 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man6x and /opt/rh/collection-xyz/root/usr/local/share/man/man6x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man7 and /opt/rh/collection-xyz/root/usr/local/share/man/man7 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man7x and /opt/rh/collection-xyz/root/usr/local/share/man/man7x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man8 and /opt/rh/collection-xyz/root/usr/local/share/man/man8 are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man8x and /opt/rh/collection-xyz/root/usr/local/share/man/man8x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/man9x and /opt/rh/collection-xyz/root/usr/local/share/man/man9x are labelled differently 
:: [   FAIL   ] :: /usr/local/share/man/mann and /opt/rh/collection-xyz/root/usr/local/share/man/mann are labelled differently 
:: [   FAIL   ] :: /usr/local/etc and /opt/rh/collection-xyz/root/usr/local/etc are labelled differently 
:: [   FAIL   ] :: /usr/local/lib64 and /opt/rh/collection-xyz/root/usr/local/lib64 are labelled differently 
:: [   FAIL   ] :: /usr/local/libexec and /opt/rh/collection-xyz/root/usr/local/libexec are labelled differently 
:: [   FAIL   ] :: /usr/lib64 and /opt/rh/collection-xyz/root/usr/lib64 are labelled differently 
:: [   FAIL   ] :: /usr/lib64/X11 and /opt/rh/collection-xyz/root/usr/lib64/X11 are labelled differently 
:: [   FAIL   ] :: /usr/lib64/games and /opt/rh/collection-xyz/root/usr/lib64/games are labelled differently 
:: [   FAIL   ] :: /usr/lib64/pm-utils and /opt/rh/collection-xyz/root/usr/lib64/pm-utils are labelled differently 
:: [   FAIL   ] :: /usr/lib64/pm-utils/module.d and /opt/rh/collection-xyz/root/usr/lib64/pm-utils/module.d are labelled differently 
:: [   FAIL   ] :: /usr/lib64/pm-utils/power.d and /opt/rh/collection-xyz/root/usr/lib64/pm-utils/power.d are labelled differently 
:: [   FAIL   ] :: /usr/lib64/pm-utils/sleep.d and /opt/rh/collection-xyz/root/usr/lib64/pm-utils/sleep.d are labelled differently 
:: [   FAIL   ] :: /usr/lib64/sse2 and /opt/rh/collection-xyz/root/usr/lib64/sse2 are labelled differently 
:: [   FAIL   ] :: /usr/lib64/tls and /opt/rh/collection-xyz/root/usr/lib64/tls are labelled differently

Comment 1 Daniel Walsh 2013-10-03 14:25:21 UTC
We have to make the libselinux matching functions recursive. At least apply the local ones first, then apply the distro ones second.
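
Added example (not part of the bug report and not libselinux code): a simplified Python model of path-equivalence resolution, comparing a single substitution pass with the ordering Comment 1 proposes (local rules first, then distro rules on the result). LOCAL_SUBS and SCL_ROOT come from the report; DIST_SUBS, SPECS and all function names are constructed for illustration.

```python
import re

# From the report: the local equivalence "/opt/rh/collection-xyz/root = /".
SCL_ROOT = "/opt/rh/collection-xyz/root"
LOCAL_SUBS = [(SCL_ROOT, "/")]
# Constructed distro-level equivalences and specs (illustrative only).
DIST_SUBS = [("/usr/local/share", "/usr/share"), ("/usr/lib64", "/usr/lib")]
SPECS = [  # (regex, type); the last matching entry wins in this model
    (r"/usr(/.*)?", "usr_t"),
    (r"/usr/lib(/.*)?", "lib_t"),
    (r"/usr/share/man(/.*)?", "man_t"),
]

def substitute(subs, path):
    """Rewrite path with the first rule whose source is a whole-component prefix."""
    for src, dst in subs:
        if path == src or path.startswith(src.rstrip("/") + "/"):
            rest = path[len(src):]
            return (dst.rstrip("/") + rest) or "/"
    return None

def resolve_single_pass(path):
    """One substitution only: a local match prevents any distro rule from applying."""
    out = substitute(LOCAL_SUBS, path)
    if out is None:
        out = substitute(DIST_SUBS, path)
    return out or path

def resolve_chained(path):
    """Comment 1's ordering: local rules first, then distro rules on the result."""
    step = substitute(LOCAL_SUBS, path) or path
    return substitute(DIST_SUBS, step) or step

def label(path, resolver):
    """Resolve equivalences, then return the type of the last matching spec."""
    resolved = resolver(path)
    found = None
    for pattern, setype in SPECS:
        if re.fullmatch(pattern, resolved):
            found = setype
    return found

def mismatches(paths, resolver):
    """Paths whose label under the SCL root differs from the original's label."""
    return [p for p in paths if label(p, resolver) != label(SCL_ROOT + p, resolver)]

if __name__ == "__main__":
    sample = ["/usr/local/share/man/man9x", "/usr/lib64/tls", "/usr/bin"]
    print("single pass:", mismatches(sample, resolve_single_pass))
    print("chained:    ", mismatches(sample, resolve_chained))
```

In this model the single pass reproduces the usr_t versus man_t split from the description, and the chained resolver labels both trees identically.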

Comment 2 Daniel Walsh 2013-10-03 14:26:56 UTC
*** Bug 914166 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2013-10-04 19:35:23 UTC
Fixed in libselinux-2.1.13-21.el7

Comment 5 Ludek Smid 2014-06-13 11:09:22 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.