Description of problem:
restorecon -rv /var/cache relabels all files under /var/cache/rhn/satsync from spacewalk_cache_t -> var_t

For the following paths, the rules are already defined as spacewalk_cache_t:
/var/cache/rhn
/var/cache/rhn/reposync
/var/cache/rhn/repodata

So only the /var/cache/rhn/satsync path is missing.

Version-Release number of selected component (if applicable):
5.7
5.6

How reproducible:
100%

Steps to Reproduce:
1. # restorecon -rv /var/cache
restorecon reset /var/cache/rhn/satsync context unconfined_u:object_r:spacewalk_cache_t:s0->unconfined_u:object_r:var_t:s0
restorecon reset /var/cache/rhn/satsync/errata context unconfined_u:object_r:spacewalk_cache_t:s0->unconfined_u:object_r:var_t:s0
...
restorecon reset /var/cache/rhn/satsync/channels context unconfined_u:object_r:spacewalk_cache_t:s0->unconfined_u:object_r:var_t:s0
...

Actual results:
The correct fcontext is set only during creation, then the selinux rules don't override var_t.

Expected results:
selinux fcontext rules are defined, restorecon does no harm.
Well, it's the other way round - /var/cache/rhn/satsync is explicitly set to var_t in spacewalk-selinux, but the files have been created with the wrong context (inherited from /var/cache/rhn -> /var/cache/rhn/satsync -> /var/cache/rhn/satsync/* at creation time). So we need to create /var/cache/rhn/satsync with var_t and all (sub) files/dirs will inherit the correct context.

Fixed in spacewalk master by commit 79e7d08f5f6d6481a172b3a37210fa9158771133
1170616 - create (and label) /var/cache/rhn/satsync so all files under it are created with correct filecontext
Additional Makefile fix in spacewalk master commit 03685e0ec495488559c51827850e066ff4906618
Backported to SATELLITE-5.7 as commit 4d53035743b196c789e94b01514049ca74c5627a
1170616 - create (and label) /var/cache/rhn/satsync so all files under it are created with correct filecontext
VERIFIED.

spacewalk-backend-2.3.3-23.el6sat.noarch

SELinux context of /var/cache/rhn/satsync was set to var_t already before the fix.

# semanage fcontext -l | grep /var/cache/rhn/satsync
/var/cache/rhn/satsync(/.*)?    all files    system_u:object_r:var_t:s0

But now this directory is created during rpm install with the correct context, so it won't be labelled differently (as inherited from the upper directory):

# ll -dZ /var/cache/rhn/satsync
drwxr-xr-x. root root unconfined_u:object_r:var_t:s0 /var/cache/rhn/satsync

Finally, filecontext restore has nothing to do here:

FIX:
# restorecon -rv /var/cache/rhn/satsync
<empty>

vs.

REPRODUCER:
# restorecon -rv /var/cache/rhn/satsync
restorecon reset /var/cache/rhn/satsync context unconfined_u:object_r:spacewalk_cache_t:s0->unconfined_u:object_r:var_t:s0
restorecon reset /var/cache/rhn/satsync/errata context unconfined_u:object_r:spacewalk_cache_t:s0->unconfined_u:object_r:var_t:s0
...
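As an added illustration of the mismatch discussed in the comments above (the policy's fcontext rule for /var/cache/rhn/satsync versus the label the directory inherited from /var/cache/rhn at creation time), here is a small drift check that is not code from this bug or from the spacewalk project. It parses constructed `semanage fcontext -l` and `ls -Z` style output and lists the paths restorecon would reset, comparing only the type field, as restorecon does by default; the "longest literal stem wins" precedence between overlapping rules is a simplifying assumption, not the exact libselinux matching order.

```python
import re

# Constructed sample of `semanage fcontext -l` output: parent rule plus the explicit satsync rule.
FCONTEXT_RULES = """\
/var/cache/rhn(/.*)?            all files  system_u:object_r:spacewalk_cache_t:s0
/var/cache/rhn/satsync(/.*)?    all files  system_u:object_r:var_t:s0
"""

# Constructed `ls -Z`-style "context path" lines from a host where satsync inherited the parent's label.
LS_Z_LINES = """\
unconfined_u:object_r:spacewalk_cache_t:s0 /var/cache/rhn
unconfined_u:object_r:spacewalk_cache_t:s0 /var/cache/rhn/reposync
unconfined_u:object_r:spacewalk_cache_t:s0 /var/cache/rhn/satsync
unconfined_u:object_r:spacewalk_cache_t:s0 /var/cache/rhn/satsync/errata
unconfined_u:object_r:var_t:s0 /var/cache/rhn/satsync/channels
"""

RULE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\S+)$")  # regex, file type, context

def parse_fcontext(text):
    """Parse semanage output into [(compiled path regex, expected SELinux type)]."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # fcontext regexes are anchored at both ends; keep the type field only
            rules.append((re.compile(m.group(1) + r"$"), m.group(3).split(":")[2]))
    return rules

def literal_stem(rx):
    """Length of the literal prefix before the first regex metacharacter."""
    m = re.search(r"[.^$*+?()\[\]{}|\\]", rx.pattern)
    return len(rx.pattern) if m is None else m.start()

def expected_type(path, rules):
    """Type the policy assigns to path (assumption: longest literal stem wins)."""
    matches = [(literal_stem(rx), t) for rx, t in rules if rx.match(path)]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def label_drift(ls_output, rules):
    """Return [(path, current type, expected type)] that restorecon would reset."""
    drift = []
    for line in ls_output.splitlines():
        context, path = line.split(None, 1)
        current = context.split(":")[2]  # restorecon compares the type by default
        expected = expected_type(path, rules)
        if expected is not None and expected != current:
            drift.append((path, current, expected))
    return drift

DRIFT = label_drift(LS_Z_LINES, parse_fcontext(FCONTEXT_RULES))
```

On the constructed input, DRIFT lists /var/cache/rhn/satsync and /var/cache/rhn/satsync/errata (spacewalk_cache_t -> var_t), matching the reproducer output, while the correctly labelled channels directory and the parent paths are left alone.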
Reverified with spacewalk-java-2.3.8-96.el6sat.noarch

ll -dZ /var/cache/rhn/satsync
drwxr-xr-x. root root system_u:object_r:var_t:s0 /var/cache/rhn/satsync

/var/cache/rhn/satsync(/.*)?    all files    system_u:object_r:var_t:s0
With the release of Red Hat Satellite 5.7 on January 12th 2015 this bug is being moved to a Closed Current Release state.

The Satellite 5.7 GA Errata:
- https://rhn.redhat.com/errata/RHSA-2015-0033.html

Satellite 5.7 Release Notes:
- https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html-single/Release_Notes/index.html

Satellite Customer Portal Blog announcement for release:
- https://access.redhat.com/blogs/1169563/posts/1315743

Cliff