Description of problem:
selinux contexts on files like /etc/passwd are incorrect after upgrade.

Version-Release number of selected component (if applicable):
Started with the fedora 21 atomic image from 20141203 and upgraded to:

-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC
* 2015-01-02 03:42:21     3a4a44bc82     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host
  2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host

How reproducible:
Always

Steps to Reproduce:
1. Download image and boot and follow output below:

-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC
* 2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host
-bash-4.3# rpm -q rpm-ostree
rpm-ostree-2014.104-3.fc21.x86_64
-bash-4.3# ls -Z /etc/passwd
-rw-rw-r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
-bash-4.3#
-bash-4.3# atomic upgrade
Updating from: fedora-atomic:fedora-atomic/f21/x86_64/docker-host

695 metadata, 3205 content objects fetched; 140527 KiB transferred in 157 seconds
Copying /etc changes: 26 modified, 4 removed, 39 added
Transaction complete; bootconfig swap: yes deployment count change: 1
Changed:
  NetworkManager-1:0.9.10.0-14.git20140704.fc21.x86_64
  NetworkManager-glib-1:0.9.10.0-14.git20140704.fc21.x86_64
  ....<snip>....
  util-linux-2.25.2-2.fc21.x86_64
Added:
  flannel-0.1.0-8.gita7b435a.fc21.x86_64
Updates prepared for next boot; run "systemctl reboot" to start a reboot
-bash-4.3#reboot

AFTER REBOOT

-bash-4.3# atomic status
  TIMESTAMP (UTC)         ID             OSNAME            REFSPEC
* 2015-01-02 03:42:21     3a4a44bc82     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host
  2014-12-03 01:30:09     ba7ee9475c     fedora-atomic     fedora-atomic:fedora-atomic/f21/x86_64/docker-host
-bash-4.3# ls -Z /etc/shadow
----------. root root unconfined_u:object_r:etc_t:s0 /etc/shadow
-bash-4.3#
-bash-4.3# echo foopass | passwd --stdin root
Changing password for user root.
passwd: Authentication token manipulation error
-bash-4.3#
-bash-4.3# restorecon -Rv /etc/
restorecon reset /etc/locale.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/shadow- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/localtime context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/.updated context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:etc_runtime_t:s0
restorecon reset /etc/hostname context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:hostname_etc_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ecdsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ecdsa_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ed25519_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/ssh/ssh_host_ed25519_key.pub context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/group context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/adjtime context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:adjtime_t:s0
restorecon reset /etc/gshadow- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/group- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/gshadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/hosts context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
restorecon reset /etc/passwd context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/passwd- context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:passwd_file_t:s0
restorecon reset /etc/shadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/resolv.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
restorecon reset /etc/vconsole.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0

Should be fixed by https://bugzilla.gnome.org/show_bug.cgi?id=742289

This regression has been sitting around a while. There were two factors conspiring to hide it:

1) Modern SELinux (RHEL7 era) supports kernel filename-based labeling defaults, so if e.g. you create "sysctl.conf" in a directory of type etc_t, it's labeled system_conf_t. So many of the labels were right due to that.
2) All of *my* Atomic usage is ssh pubkey based, I don't use passwords, so the permissions on /etc/shadow didn't matter.

Building for rawhide in http://koji.fedoraproject.org/koji/taskinfo?taskID=8520347

I'd like to wait until the patch has review upstream before submitting to F21 updates.

ostree-2014.13-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/ostree-2014.13-2.fc21

I accidentally cloned 11178208 from 164058. This was a mistake.

Package ostree-2014.13-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing ostree-2014.13-2.fc21'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-0285/ostree-2014.13-2.fc21
then log in and leave karma (feedback).

ostree-2014.13-2.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

To correctly clean up from this issue:

1) "atomic upgrade" to the latest (2015-01-14 or newer)
2) reboot
3) restorecon -R -v /etc/
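
Added example (not part of the original report and not ostree project code): a check that reads restorecon output in the format shown in this report and lists only the files whose expected type is security-sensitive, so a host can be audited with a dry run before step 3 changes anything. The function names, the SENSITIVE_TYPES list and the sample lines are constructed for illustration; paths containing spaces are not handled.

```shell
#!/bin/sh
# Types picked from the restorecon output in this report (an assumption,
# extend as needed): losing them exposes password hashes or ssh host keys.
SENSITIVE_TYPES="shadow_t sshd_key_t passwd_file_t"

# parse_relabels: read "restorecon reset PATH context OLD->NEW" lines on
# stdin and print "PATH current_type expected_type" for each one.
parse_relabels() {
    awk '
        $1 == "restorecon" && $2 == "reset" && $4 == "context" {
            split($5, ctx, "->")       # ctx[1] = on-disk label, ctx[2] = policy label
            split(ctx[1], have, ":")   # user:role:type:level
            split(ctx[2], want, ":")
            print $3, have[3], want[3]
        }'
}

# sensitive_drift: keep only entries whose expected type is sensitive.
sensitive_drift() {
    parse_relabels | while read -r path have want; do
        case " $SENSITIVE_TYPES " in
            *" $want "*) printf '%s %s->%s\n' "$path" "$have" "$want" ;;
        esac
    done
}

# Constructed sample input, same shape as the output quoted in this report.
sample_output() {
cat <<'EOF'
restorecon reset /etc/locale.conf context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:locale_t:s0
restorecon reset /etc/shadow context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:shadow_t:s0
restorecon reset /etc/ssh/ssh_host_rsa_key context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:sshd_key_t:s0
restorecon reset /etc/hosts context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:net_conf_t:s0
EOF
}

# On a live host, feed a dry run (-n changes nothing) instead of the sample:
#   restorecon -R -n -v /etc/ 2>&1 | sensitive_drift
sample_output | sensitive_drift
```

An empty result from the dry run on a live host means none of the listed sensitive types has drifted; any line printed names a file to relabel.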