Bug 1082676 - Using /etc/selinux/fixfiles_exclude_dirs messes up the context on filesystem
Summary: Using /etc/selinux/fixfiles_exclude_dirs messes up the context on filesystem
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1094654
Reported: 2014-03-31 15:25 UTC by Michal Trunecka
Modified: 2015-03-05 11:05 UTC (History)

Fixed In Version: policycoreutils-2.2.5-13.el7
Doc Type: Known Issue
Doc Text:
Due to a bug in the fixfiles scripts, if the exclude_dirs file is defined to exclude directories from relabeling, running the fixfiles restore command applies incorrect labels on numerous files on the system.
Clone Of:
Environment:
Last Closed: 2015-03-05 11:05:19 UTC
Target Upstream Version:
Embargoed:


Attachments
Wrongly labeled files (755.08 KB, text/plain)
2014-03-31 15:25 UTC, Michal Trunecka


Links
Red Hat Product Errata RHBA-2015:0477 (priority normal, status SHIPPED_LIVE): policycoreutils bug fix update, last updated 2015-03-05 15:44:15 UTC

Description Michal Trunecka 2014-03-31 15:25:16 UTC
Created attachment 880821 [details]
Wrongly labeled files

Description of problem:

Using /etc/selinux/fixfiles_exclude_dirs to exclude dirs from relabeling by fixfiles causes 'fixfiles restore' to assign the wrong context to a lot of files.

I'm attaching the list of files wrongly labeled.

### The contexts are correct before and after 'fixfiles restore':
# fixfiles verify /run
# fixfiles restore
# fixfiles verify /run
#

### But they are not ok while using /etc/selinux/fixfiles_exclude_dirs
# echo "/opt" > /etc/selinux/fixfiles_exclude_dirs
# fixfiles verify /run
# fixfiles restore
# fixfiles verify /run
/run/cups
/run/cups/certs
/run/pluto
/run/cron.reboot
/run/blkid
/run/blkid/blkid.tab
.....
....
..


Version-Release number of selected component (if applicable):
policycoreutils-2.2.5-8.el7.x86_64

Comment 1 Miroslav Grepl 2014-04-01 08:41:43 UTC
Ok, nice catch. Basically the problem is with the file_context.XXX file.

If the exclude_dirs file is defined, then file_context.XXX is used for setfiles, but the substitution files are not used because of file_context.XXX.

Comment 2 Miroslav Grepl 2014-04-01 09:12:40 UTC
(In reply to Miroslav Grepl from comment #1)
> Ok, nice catch. Basically the problem is with file_context.XXX file. 
> 
> If exclude_dirs file is defined then the file_context.XXX is used for
> setfiles but substitution files are not used because of file_context.XXX.

# setfiles /tmp/file_contexts.JovCpO6ONO /run

stat("/tmp/file_contexts.JovCpO6ONO", {st_mode=S_IFREG|0644, st_size=351111, ...}) = 0
open("/tmp/file_contexts.JovCpO6ONO.subs_dist", O_RDONLY) = -1 ENOENT (No such file or directory)

Comment 3 Miroslav Grepl 2014-04-01 10:12:36 UTC
Easy fix could be something like

--- /sbin/fixfiles.old  2014-04-01 04:31:45.217000000 -0400
+++ /sbin/fixfiles      2014-04-01 06:07:02.273000000 -0400
@@ -137,6 +137,8 @@
     FC=/etc/security/selinux/file_contexts
 fi

+FC_SUB_DIST=${FC}.subs_dist
+
 #
 # Log to either syslog or a LOGFILE
 #
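Review bot: only the distribution substitutions are covered here; `FC_SUB_DIST=${FC}.subs_dist` has no counterpart for the local `${FC}.subs` file, so substitutions an administrator added are still dropped when the temporary file_contexts copy is handed to setfiles (this is the gap comment 4 points at). Define `FC_SUB=${FC}.subs` next to it and stage both files.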
@@ -244,6 +246,8 @@
                logit "skipping the directory ${p}"
        done
 FC=$TEMPFCFILE
+/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
+/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
 fi
 if [ ! -z "$RPMFILES" ]; then
     for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
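Review bot: the first `cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist` is overwritten by the second cp one line later, so it only creates a file that is immediately replaced; drop it. More importantly, `|| exit` aborts fixfiles silently whenever `${FC_SUB_DIST}` does not exist, which turns a policy without a subs_dist file into a hard failure instead of a relabel without substitutions. Guard the copy with `[ -f "${FC_SUB_DIST}" ] &&` (or `logit` the reason before exiting) and quote the variables.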
@@ -266,7 +270,7 @@
     return
 fi
 echo "Cleaning up labels on /tmp"
-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
+rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist

 UNDEFINED=`get_undefined_type` || exit $?
 UNLABELED=`get_unlabeled_type` || exit $?
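Review bot: this cleanup sits behind the early `return` just above it, so the new `${TEMPFCFILE}.subs_dist` is only removed on the path that reaches this `rm`; if the temporary file_contexts copy is also built for `restore` (the mode used in the report), remove the companion wherever `$TEMPFCFILE` itself is removed for that mode. Also quote `"${TEMPFCFILE}"`: with the variable unset, `${TEMPFCFILE}.subs_dist` expands to a bare `.subs_dist` in the current directory.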

Comment 4 Daniel Walsh 2014-04-01 21:35:26 UTC
Wouldn't you want to copy the .subs file also?  In case the user had made any subs?

Comment 5 Miroslav Grepl 2014-04-02 10:22:16 UTC
Oops. Yes, .subs file is also needed.

Comment 6 Miroslav Grepl 2014-06-09 13:38:54 UTC
Updated patch which we have in rawhide.

 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5c29eb9..75d3c8d 100755
+index 5c29eb9..097152f 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -116,6 +116,7 @@ exclude_dirs() {
@@ -695712,6 +695712,36 @@ index 5c29eb9..75d3c8d 100755
  FORCEFLAG=""
  DIRS=""
  RPMILES=""
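Review bot: the unchanged context lines show `RPMILES=""` while the code further down tests `"$RPMFILES"`, so this initialisation is a typo that leaves RPMFILES uninitialised; unrelated to this fix, but worth a one-line follow-up. The outer hunk headers (`@@ -116,6 +116,7 @@ exclude_dirs()` followed by `@@ -695712,6 +695712,36 @@`) are also garbled in this paste, so the one-line change inside exclude_dirs() cannot be reviewed from what is shown.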
+@@ -137,6 +138,9 @@ else
+     FC=/etc/security/selinux/file_contexts
+ fi
+ 
++FC_SUB_DIST=${FC}.subs_dist
++FC_SUB=${FC}.subs
++
+ #
+ # Log to either syslog or a LOGFILE
+ #
+@@ -243,6 +247,10 @@ then
+       logit "skipping the directory ${p}"
+   done
+ FC=$TEMPFCFILE
++/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
++/bin/cp -p ${FC_SUB_DIST} ${TEMPFCFILE}.subs_dist &>/dev/null || exit
++/bin/cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs &>/dev/null || exit
++/bin/cp -p ${FC_SUB} ${TEMPFCFILE}.subs &>/dev/null || exit
+ fi
+ if [ ! -z "$RPMFILES" ]; then
+     for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
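Review bot: same pattern as the earlier version, now doubled: each `cp -p ${TEMPFCFILE} ${TEMPFCFILE}.subs*` is overwritten by the cp that follows it, and each `|| exit` aborts with no message when the source file is absent, which `${FC_SUB}` may well be on a system where no local substitutions were ever added. Unless the policy package guarantees both files exist, copy each companion only if present, e.g. `[ -f "${FC_SUB}" ] && /bin/cp -p "${FC_SUB}" "${TEMPFCFILE}.subs"`, and log the failure before exiting.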
+@@ -264,7 +272,7 @@ if [ ${OPTION} != "Relabel" ]; then
+     return
+ fi
+ echo "Cleaning up labels on /tmp"
+-rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE
++rm -rf /tmp/gconfd-* /tmp/pulse-* /tmp/orbit-* $TEMPFCFILE ${TEMPFCFILE}.subs_dist ${TEMPFCFILE}.subs
+ 
+ UNDEFINED=`get_undefined_type` || exit $?
+ UNLABELED=`get_unlabeled_type` || exit $?
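
The mechanism behind the fix, as an added example that is not code from fixfiles or from the patches above: stage a filtered file_contexts copy together with the .subs/.subs_dist companions that setfiles looks up beside it, skipping a companion that does not exist instead of exiting. The stage_file_contexts function, the sample policy entries and the scratch paths are constructed for this demonstration.

```shell
#!/bin/bash
# Added example (not code from fixfiles or from the patches in this bug).
# setfiles(8) locates its substitution files by appending ".subs" and
# ".subs_dist" to the path of the file_contexts file it is handed, so a
# filtered copy written under /tmp loses the distribution substitutions
# (e.g. /run -> /var/run) unless they are staged beside it. Unlike the
# patch, a missing companion is skipped rather than a hard exit, since a
# policy may ship without one. All paths and data below are constructed.

# stage_file_contexts FC EXCLUDE_FILE OUT
#   Copies FC to OUT minus every entry for a directory listed in EXCLUDE_FILE
#   (and its subtree), then carries FC.subs / FC.subs_dist along as
#   OUT.subs / OUT.subs_dist when they exist.
stage_file_contexts() {
    local fc=$1 excl=$2 out=$3 p suf
    cp -p "$fc" "$out" || return 1
    while read -r p; do
        [ -z "$p" ] && continue
        # drop entries whose pattern is p, p/... or p(/.*)? (fixfiles' convention)
        awk -v p="$p" 'substr($1,1,length(p))==p {
                c=substr($1,length(p)+1,1); if (c=="" || c=="/" || c=="(") next }
            { print }' "$out" > "$out.tmp" && mv "$out.tmp" "$out" || return 1
    done < "$excl"
    for suf in .subs .subs_dist; do
        if [ -f "$fc$suf" ]; then
            cp -p "$fc$suf" "$out$suf" || return 1
        else
            rm -f "$out$suf"   # never leave a stale companion from an earlier run
        fi
    done
}

# --- constructed demo data (not from a real system); scratch dir is left behind ---
WORK=$(mktemp -d)
FC=$WORK/file_contexts
printf '%s\n' \
    '/.*                   system_u:object_r:default_t:s0' \
    '/opt(/.*)?            system_u:object_r:usr_t:s0' \
    '/opt/bin/.*           system_u:object_r:bin_t:s0' \
    '/var/run(/.*)?        system_u:object_r:var_run_t:s0' \
    '/var/run/cups(/.*)?   system_u:object_r:cupsd_var_run_t:s0' > "$FC"
echo '/run /var/run' > "$FC.subs_dist"   # the mapping the bug lost
echo '/opt' > "$WORK/fixfiles_exclude_dirs"

STAGED=$WORK/file_contexts.staged
stage_file_contexts "$FC" "$WORK/fixfiles_exclude_dirs" "$STAGED"
echo "staged $(grep -c '' "$STAGED") entries, companions: $(ls "$STAGED".subs* 2>/dev/null | wc -l)"
```

Without the staged .subs_dist, a lookup for /run/cups would fall through to the generic `/.*` entry, which is exactly the mislabeling the report shows for /run.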

Comment 7 Miroslav Grepl 2014-09-29 08:04:14 UTC
commit 0d571e36878fb42fc9e024bc52a6fa439d707d2c
Author: Miroslav Grepl <mgrepl>
Date:   Fri May 16 15:14:37 2014 +0200

    Make fixfiles_exclude_dirs work if there is a substitution for the given directory

Comment 15 Milos Malik 2015-01-30 09:26:20 UTC
This bug is fixed. The problem found and described in BZ#1186640 will be addressed separately.

Comment 17 errata-xmlrpc 2015-03-05 11:05:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0477.html

