Bug 1082676 - Using /etc/selinux/fixfiles_exclude_dirs messes up the context on filesystem
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Docs Contact:
Depends On:
Blocks: 1094654
Reported: 2014-03-31 11:25 EDT by Michal Trunecka
Modified: 2015-03-05 06:05 EST (History)

See Also:
Fixed In Version: policycoreutils-2.2.5-13.el7
Doc Type: Known Issue
Doc Text:
Due to a bug in the fixfiles scripts, if the exclude_dirs file is defined to exclude directories from relabeling, running the fixfiles restore command applies incorrect labels on numerous files on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 06:05:19 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Wrongly labeled files (755.08 KB, text/plain), 2014-03-31 11:25 EDT, Michal Trunecka


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0477 normal SHIPPED_LIVE policycoreutils bug fix update 2015-03-05 10:44:15 EST

Description Michal Trunecka 2014-03-31 11:25:16 EDT
Created attachment 880821 [details]
Wrongly labeled files

Description of problem:

Using /etc/selinux/fixfiles_exclude_dirs to exclude dirs from relabeling by fixfiles causes 'fixfiles restore' to assign a wrong context to a lot of files.

I'm attaching the list of files wrongly labeled.

### The contexts are correct before and after 'fixfiles restore':
# fixfiles verify /run
# fixfiles restore
# fixfiles verify /run
#

### But they are not ok while using /etc/selinux/fixfiles_exclude_dirs
# echo "/opt" > /etc/selinux/fixfiles_exclude_dirs
# fixfiles verify /run
# fixfiles restore
# fixfiles verify /run
/run/cups
/run/cups/certs
/run/pluto
/run/cron.reboot
/run/blkid
/run/blkid/blkid.tab
.....
....
..


Version-Release number of selected component (if applicable):
policycoreutils-2.2.5-8.el7.x86_64
Comment 1 Miroslav Grepl 2014-04-01 04:41:43 EDT
Ok, nice catch. Basically the problem is with the file_context.XXX file.

If the exclude_dirs file is defined, then file_context.XXX is used for setfiles, but the substitution files are not used because of file_context.XXX.
Comment 2 Miroslav Grepl 2014-04-01 05:12:40 EDT
(In reply to Miroslav Grepl from comment #1)
> Ok, nice catch. Basically the problem is with file_context.XXX file. 
> 
> If exclude_dirs file is defined then the file_context.XXX is used for
> setfiles but substitution files are not used because of file_context.XXX.

# setfiles /tmp/file_contexts.JovCpO6ONO /run

stat("/tmp/file_contexts.JovCpO6ONO", {st_mode=S_IFREG|0644, st_size=351111, ...}) = 0
open("/tmp/file_contexts.JovCpO6ONO.subs_dist", O_RDONLY) = -1 ENOENT (No such file or directory)
Comment 3 Miroslav Grepl 2014-04-01 06:12:36 EDT
An easy fix could be something like

--- /sbin/fixfiles.old  2014-04-01 04:31:45.217000000 -0400
+++ /sbin/fixfiles      2014-04-01 06:07:02.273000000 -0400
@@ -137,6 +137,8 @@
     FC=/etc/security/selinux/file_contexts
 fi

+FC_SUB_DIST=${FC}.subs_dist
+
 #
 # Log to either syslog or a LOGFILE
 #
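Review bot: this hunk defines a variable for the distribution substitution file only (`FC_SUB_DIST=${FC}.subs_dist`); setfiles derives the user-local `${FC}.subs` from the same file_contexts path in exactly the same way, so a matching `FC_SUB=${FC}.subs` belongs here too, otherwise any local substitutions the administrator has added are still dropped whenever exclude_dirs is in use.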
@@ -244,6 +246,8 @@
                logit "skipping the directory ${p}"
        done
 FC=$TEMPFCFILE
+/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
 fi
 if [ ! -z "$RPMFILES" ]; then
     for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
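Review bot: the first `cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist` is overwritten by the cp on the next line, so it adds a failure point without contributing anything; drop it. The remaining `cp ... &>/dev/null || exit` makes the script abort silently (errors discarded, no logit) on any system where `${FC}.subs_dist` is absent, and because `exit` terminates the whole script the temporary file_contexts copy is left in /tmp before the cleanup hunk below ever runs. Guard the copy instead, e.g. `[ -f "${FC_SUB_DIST}" ] && /bin/cp -p "${FC_SUB_DIST}" "${TEMPFCFILE}.subs_dist"`, and log a failure rather than exiting.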
@@ -266,7 +270,7 @@
     return
 fi
 echo "Cleaning up labels on /tmp"
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist

 UNDEFINED=`get_undefined_type` || exit $?
 UNLABELED=`get_unlabeled_type` || exit $?
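Review bot: the cleanup now has to track every companion name created next to `$TEMPFCFILE`, and `${TEMPFCFILE}.subs_dist` is a fixed suffix appended to the mktemp result rather than a name mktemp created itself. Staging the filtered file_contexts and its companions inside a private directory from `mktemp -d` would keep all of them under names the script owns and reduce this line to a single `rm -rf` of that directory; if a `.subs` copy is added as comment 4 suggests, it must be added to this `rm` as well.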
Comment 4 Daniel Walsh 2014-04-01 17:35:26 EDT
Wouldn't you want to copy the .subs file also?  In case the user had made any subs?
Comment 5 Miroslav Grepl 2014-04-02 06:22:16 EDT
Oops. Yes, .subs file is also needed.
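To make the mechanism from comments 1, 3 and 4 concrete, here is an added example, written for this page and not code from the fixfiles script or from this bug: a POSIX shell staging step that filters a copy of file_contexts the way exclude_dirs processing does and carries both companion files (.subs and .subs_dist) along with the copy, skipping a companion that does not exist instead of aborting. The function names stage_file_contexts and cleanup_staged, the prefix-match exclusion and the sample inputs are this example's own simplifications.

```sh
#!/bin/sh
# Added example: stage a filtered file_contexts copy for setfiles together
# with the substitution files setfiles derives from the file_contexts path.

# stage_file_contexts FC EXCLUDE_FILE
# Prints the path of the staged copy; companions are created beside it.
stage_file_contexts() {
    fc=$1
    exclude=$2
    tmp=$(mktemp "${TMPDIR:-/tmp}/file_contexts.XXXXXXXX") || return 1
    cp -p "$fc" "$tmp" || return 1

    # Drop every entry whose path starts with an excluded directory.  This is
    # a plain prefix match, a simplification of what fixfiles does with the
    # lines of fixfiles_exclude_dirs.
    if [ -f "$exclude" ]; then
        while read -r p; do
            if [ -z "$p" ]; then continue; fi
            { grep -v "^$p" "$tmp" || :; } > "$tmp.filtered"
            mv "$tmp.filtered" "$tmp"
        done < "$exclude"
    fi

    # setfiles looks for <file_contexts>.subs and <file_contexts>.subs_dist
    # next to the file it is given, so both must travel with the staged copy.
    # A missing companion is not an error: the user-local .subs is optional.
    for suffix in subs subs_dist; do
        if [ -f "$fc.$suffix" ]; then
            cp -p "$fc.$suffix" "$tmp.$suffix" || return 1
        fi
    done
    echo "$tmp"
}

# cleanup_staged STAGED: remove the copy and every companion created for it.
cleanup_staged() {
    rm -f "$1" "$1.subs" "$1.subs_dist"
}
```

In use the staged path would be handed to `setfiles "$staged" /run` in place of the real file_contexts, and cleanup_staged would run afterwards; the constructed inputs in the test below (a two-line file_contexts, a .subs_dist mapping /run to /var/run, and an exclude file naming /opt) show that the excluded entry is filtered out while the existing companion is carried over and the absent one is simply skipped.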
Comment 6 Miroslav Grepl 2014-06-09 09:38:54 EDT
The updated patch which we have in rawhide.

 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5c29eb9..75d3c8d 100755
+index 5c29eb9..097152f 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -116,6 +116,7 @@ exclude_dirs() {
@@ -695712,6 +695712,36 @@ index 5c29eb9..75d3c8d 100755
  FORCEFLAG=""
  DIRS=""
  RPMILES=""
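Review bot: the header `@@ -116,6 +116,7 @@ exclude_dirs() {` announces one added line, but only the three context lines FORCEFLAG/DIRS/RPMILES follow it and a second header `@@ -695712,6 +695712,36 @@` from an outer diff is interleaved, so this paste is a diff of a diff and the exclude_dirs() change itself is not visible and cannot be reviewed here. The context line `RPMILES=""` also reads as a typo for `RPMFILES` (the variable the later hunk tests with `[ ! -z "$RPMFILES" ]`), which the patch leaves in place.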
+@@ -137,6 +138,9 @@ else
+     FC=/etc/security/selinux/file_contexts
+ fi
+ 
++FC_SUB_DIST=${FC}.subs_dist
++FC_SUB=${FC}.subs
++
+ #
+ # Log to either syslog or a LOGFILE
+ #
+@@ -243,6 +247,10 @@ then
+       logit "skipping the directory ${p}"
+   done
+ FC=$TEMPFCFILE
++/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
++/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
++/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs &>/dev/null || exit
++/bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit
+ fi
+ if [ ! -z "$RPMFILES" ]; then
+     for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
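Review bot: the comment 3 problems carry over: `cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist` and `cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs` are each overwritten by the cp that follows, so they only add failure points, and each `&>/dev/null || exit` makes fixfiles exit silently without relabeling on a system where `${FC}.subs` (an optional, user-local file) has never been created. Copy each companion only when it exists, e.g. `[ -f "${FC_SUB}" ] && /bin/cp -p "${FC_SUB}" "${TEMPFCFILE}.subs"`, and report a copy failure through logit instead of a bare exit.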
+@@ -264,7 +272,7 @@ if [ ${OPTION} != "Relabel" ]; then
+     return
+ fi
+ echo "Cleaning up labels on /tmp"
+-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
++rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs
+ 
+ UNDEFINED=`get_undefined_type` || exit $?
+ UNLABELED=`get_unlabeled_type` || exit $?
Comment 7 Miroslav Grepl 2014-09-29 04:04:14 EDT
commit 0d571e36878fb42fc9e024bc52a6fa439d707d2c
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Fri May 16 15:14:37 2014 +0200

    Make fixfiles_exclude_dirs work if there is a substitution for the given directory
Comment 15 Milos Malik 2015-01-30 04:26:20 EST
This bug is fixed. The problem found and described in BZ#1186640 will be addressed separately.
Comment 17 errata-xmlrpc 2015-03-05 06:05:19 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0477.html
