RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1082676 - Using /etc/selinux/fixfiles_exclude_dirs messes up the context on filesystem
Summary: Using /etc/selinux/fixfiles_exclude_dirs messes up the context on filesystem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1094654
TreeView+ depends on / blocked
 
Reported: 2014-03-31 15:25 UTC by Michal Trunecka
Modified: 2015-03-05 11:05 UTC (History)
4 users (show)

Fixed In Version: policycoreutils-2.2.5-13.el7
Doc Type: Known Issue
Doc Text:
Due to a bug in the fixfiles scripts, if the exclude_dirs file is defined to exclude directories from relabeling, running the fixfiles restore command applies incorrect labels on numerous files on the system.
Clone Of:
Environment:
Last Closed: 2015-03-05 11:05:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Wrongly labeled files (755.08 KB, text/plain)
2014-03-31 15:25 UTC, Michal Trunecka 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0477 0 normal SHIPPED_LIVE policycoreutils bug fix update 2015-03-05 15:44:15 UTC

Description Michal Trunecka 2014-03-31 15:25:16 UTC 
Created attachment 880821 [details]
Wrongly labeled files

Description of problem:

Using /etc/selinux/fixfiles_exclude_dirs to exclude dirs from relabeling by fixfiles will cause that 'fixfiles restore' causes that a lot of files has assigned wrong context.

I'm attaching the list of files wrongly labeled.

### The contexts are correct before and after 'fixfiles restore':
# fixfiles verify /run
# fixfiles restore
# fixfiles verify /run
#

### But they are not ok while using /etc/selinux/fixfiles_exclude_dirs
# echo "/opt" > /etc/selinux/fixfiles_exclude_dirs
# fixfiles verify /run
# fixfiles restore
# fixfiles verify /run
/run/cups
/run/cups/certs
/run/pluto
/run/cron.reboot
/run/blkid
/run/blkid/blkid.tab
.....
....
..


Version-Release number of selected component (if applicable):
policycoreutils-2.2.5-8.el7.x86_64
Comment 1 Miroslav Grepl 2014-04-01 08:41:43 UTC 
Ok, nice catch. Basically the problem is with file_context.XXX file. 

If exclude_dirs file is defined then the file_context.XXX is used for setfiles but substitution files are not used because of file_context.XXX.
Comment 2 Miroslav Grepl 2014-04-01 09:12:40 UTC 
(In reply to Miroslav Grepl from comment #1)
> Ok, nice catch. Basically the problem is with file_context.XXX file. 
> 
> If exclude_dirs file is defined then the file_context.XXX is used for
> setfiles but substitution files are not used because of file_context.XXX.

# setfiles /tmp/file_contexts.JovCpO6ONO /run

stat("/tmp/file_contexts.JovCpO6ONO", {st_mode=S_IFREG|0644, st_size=351111, ...}) = 0
open("/tmp/file_contexts.JovCpO6ONO.subs_dist", O_RDONLY) = -1 ENOENT (No such file or directory)
Comment 3 Miroslav Grepl 2014-04-01 10:12:36 UTC 
Easy fix could be something like

--- /sbin/fixfiles.old  2014-04-01 04:31:45.217000000 -0400
+++ /sbin/fixfiles      2014-04-01 06:07:02.273000000 -0400
@@ -137,6 +137,8 @@
     FC=/etc/security/selinux/file_contexts
 fi

+FC_SUB_DIST=${FC}.subs_dist
+
 #
 # Log to either syslog or a LOGFILE
 #
@@ -244,6 +246,8 @@
                logit "skipping the directory ${p}"
        done
 FC=$TEMPFCFILE
+/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
 fi
 if [ ! -z "$RPMFILES" ]; then
     for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
@@ -266,7 +270,7 @@
     return
 fi
 echo "Cleaning up labels on /tmp"
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist

 UNDEFINED=`get_undefined_type` || exit $?
 UNLABELED=`get_unlabeled_type` || exit $?
Comment 4 Daniel Walsh 2014-04-01 21:35:26 UTC 
Wouldn't you want to copy the .subs file also?  In case the user had made any subs?
Comment 5 Miroslav Grepl 2014-04-02 10:22:16 UTC 
Oops. Yes, .subs file is also needed.
Comment 6 Miroslav Grepl 2014-06-09 13:38:54 UTC 
Updated patch which we have in rawhide.

 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5c29eb9..75d3c8d 100755
+index 5c29eb9..097152f 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -116,6 +116,7 @@ exclude_dirs() {
@@ -695712,6 +695712,36 @@ index 5c29eb9..75d3c8d 100755
  FORCEFLAG=""
  DIRS=""
  RPMILES=""
+@@ -137,6 +138,9 @@ else
+     FC=/etc/security/selinux/file_contexts
+ fi
+ 
++FC_SUB_DIST=${FC}.subs_dist
++FC_SUB=${FC}.subs
++
+ #
+ # Log to either syslog or a LOGFILE
+ #
+@@ -243,6 +247,10 @@ then
+       logit "skipping the directory ${p}"
+   done
+ FC=$TEMPFCFILE
++/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
++/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
++/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs &>/dev/null || exit
++/bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit
+ fi
+ if [ ! -z "$RPMFILES" ]; then
+     for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
+@@ -264,7 +272,7 @@ if [ ${OPTION} != "Relabel" ]; then
+     return
+ fi
+ echo "Cleaning up labels on /tmp"
+-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
++rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs
+ 
+ UNDEFINED=`get_undefined_type` || exit $?
+ UNLABELED=`get_unlabeled_type` || exit $?
Comment 7 Miroslav Grepl 2014-09-29 08:04:14 UTC 
commit 0d571e36878fb42fc9e024bc52a6fa439d707d2c
Author: Miroslav Grepl <mgrepl>
Date:   Fri May 16 15:14:37 2014 +0200

    Make fixfiles_exclude_dirs working if there is a substituion for the given directory
Comment 15 Milos Malik 2015-01-30 09:26:20 UTC 
This bug is fixed. The problem found and described in BZ#1186640 will be addressed separately.
Comment 17 errata-xmlrpc 2015-03-05 11:05:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0477.html
Note You need to log in before you can comment on or make changes to this bug.