Bug 1200181 - semanage unable to add new file context
Summary: semanage unable to add new file context
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: libsemanage
Version: 21
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-03-09 23:10 UTC by Mark Montague
Modified: 2015-12-02 17:38 UTC (History)
3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-02 09:55:28 UTC
Type: Bug
Embargoed:



Description Mark Montague 2015-03-09 23:10:37 UTC
Description of problem:

I've installed a local policy for PHP-FPM based off of https://github.com/prometheanfire/selinux-modules but with the types changed from phpfpm_* to phpfcgi_* to avoid conflicting with the Fedora policy type alias of phpfpm_t for httpd_t.

Not all the file contexts can be included in the local policy's .fc file because they conflict with file contexts defined in other policy modules, so I set them via file_contexts.local.  As an example, the following works without problem to override the type on the php-fpm executable under both Fedora 20 and Fedora 21:

semanage fcontext -a -t phpfcgi_exec_t /usr/sbin/php-fpm

However, starting with Fedora 21 the following no longer works although it worked fine in Fedora 20 and previous:

semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm(/.*)?"

Under Fedora 21 the second command results in the error

libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory

Note, however, that both of the following work fine under Fedora 21:

semanage fcontext -a -t phpfcgi_var_run_t "/var/run/php-fpm"
mkdir /var/run/test-directory
semanage fcontext -a -t phpfcgi_var_run_t "/var/run/test-directory(/.*)?"

This leads me to think that the problem may be with overriding file contexts containing wildcards rather than defining new file contexts.



Version-Release number of selected component (if applicable):

libsemanage-2.3-6.fc21.x86_64


How reproducible:

Always.


Steps to Reproduce:

1. Create a file "bug-test.te" containing the three lines
policy_module(bug_test, 1.0)
type bug_test_t;
files_pid_file(bug_test_t)
2. Compile the bug-test.te policy and install it via "semodule -i bug_test.pp"
3. Run the command
semanage fcontext -a -t bug_test_t "/var/run/php-fpm(/.*)?"

Actual results (Fedora 21):

[root@ice bug-test]# rpm -q -a | grep selinux
libselinux-devel-2.3-5.fc21.x86_64
rpm-plugin-selinux-4.12.0.1-4.fc21.x86_64
selinux-policy-3.13.1-105.3.fc21.noarch
selinux-policy-devel-3.13.1-105.3.fc21.noarch
libselinux-python-2.3-5.fc21.x86_64
libselinux-utils-2.3-5.fc21.x86_64
libselinux-2.3-5.fc21.x86_64
selinux-policy-targeted-3.13.1-105.3.fc21.noarch
[root@ice bug-test]# cat bug_test.te 
policy_module(bug_test, 1.0)
type bug_test_t;
files_pid_file(bug_test_t)
[root@ice bug-test]# make
cat: /selinux/mls: No such file or directory
Compiling targeted bug_test module
/usr/bin/checkmodule:  loading policy configuration from tmp/bug_test.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bug_test.mod
Creating targeted bug_test.pp policy package
rm tmp/bug_test.mod.fc tmp/bug_test.mod
[root@ice bug-test]# semodule -i bug_test.pp
[root@ice bug-test]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@ice bug-test]# semanage fcontext -a -t bug_test_t "/var/run/php-fpm(/.*)?"
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
OSError: No such file or directory
[root@ice bug-test]# semanage export | grep bug_test
[root@ice bug-test]# 


Expected results (Fedora 20):

[root@fire bug-test]# rpm -q -a | grep selinux
libselinux-2.2.1-6.fc20.x86_64
selinux-policy-3.12.1-196.fc20.noarch
libselinux-utils-2.2.1-6.fc20.x86_64
libselinux-devel-2.2.1-6.fc20.x86_64
libselinux-python-2.2.1-6.fc20.x86_64
selinux-policy-targeted-3.12.1-196.fc20.noarch
libselinux-debuginfo-2.2.1-6.fc20.x86_64
selinux-policy-devel-3.12.1-196.fc20.noarch
[root@fire bug-test]# cat bug_test.te 
policy_module(bug_test, 1.0)
type bug_test_t;
files_pid_file(bug_test_t)
[root@fire bug-test]# make
cat: /selinux/mls: No such file or directory
Compiling targeted bug_test module
/usr/bin/checkmodule:  loading policy configuration from tmp/bug_test.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/bug_test.mod
Creating targeted bug_test.pp policy package
rm tmp/bug_test.mod.fc tmp/bug_test.mod
[root@fire bug-test]# semodule -i bug_test.pp
[root@fire bug-test]# ls -ldZ /var/run/php-fpm
drwxr-xr-x. root root system_u:object_r:httpd_var_run_t:s0 /var/run/php-fpm
[root@fire bug-test]# semanage fcontext -a -t bug_test_t "/var/run/php-fpm(/.*)?"
[root@fire bug-test]# semanage export | grep bug_test
fcontext -a -f a -t bug_test_t '/var/run/php-fpm(/.*)?'
[root@fire bug-test]# 


Additional info:

Local SELinux configuration from the Fedora 21 system:

[root@ice ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -0 abrt_upload_watch_anon_write
boolean -m -0 auditadm_exec_content
boolean -m -0 boinc_execmem
boolean -m -0 cron_userdomain_transition
boolean -m -1 daemons_dump_core
boolean -m -0 dbadm_exec_content
boolean -m -1 deny_execmem
boolean -m -1 deny_ptrace
boolean -m -0 entropyd_use_audio
boolean -m -0 gluster_export_all_rw
boolean -m -0 gssd_read_tmp
boolean -m -0 guest_exec_content
boolean -m -0 httpd_builtin_scripting
boolean -m -1 httpd_can_network_connect
boolean -m -0 kerberos_enabled
boolean -m -0 logadm_exec_content
boolean -m -0 logging_syslogd_use_tty
boolean -m -0 nfs_export_all_ro
boolean -m -0 nfs_export_all_rw
boolean -m -0 openvpn_can_network_connect
boolean -m -0 openvpn_enable_homedirs
boolean -m -1 polyinstantiation_enabled
boolean -m -0 postfix_local_write_mail_spool
boolean -m -0 postgresql_selinux_unconfined_dbadm
boolean -m -0 postgresql_selinux_users_ddl
boolean -m -0 privoxy_connect_any
boolean -m -0 secadm_exec_content
boolean -m -0 selinuxuser_direct_dri_enabled
boolean -m -0 selinuxuser_execmod
boolean -m -0 selinuxuser_execstack
boolean -m -0 spamd_enable_home_dirs
boolean -m -0 squid_connect_any
boolean -m -0 telepathy_tcp_connect_generic_network_ports
boolean -m -0 unconfined_chrome_sandbox_transition
boolean -m -0 unconfined_login
boolean -m -0 unconfined_mozilla_plugin_transition
boolean -m -0 virt_use_usb
boolean -m -0 xend_run_blktap
boolean -m -0 xend_run_qemu
boolean -m -0 xguest_connect_network
boolean -m -0 xguest_exec_content
boolean -m -0 xguest_mount_media
boolean -m -0 xguest_use_bluetooth
login -a -s guest_u -r 's0' __default__
login -a -s staff_u -r 's0' markmont
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -a -L s0 -r s0-s0:c0.c1023 -R 'staff_r unconfined_r system_r' staff_u
fcontext -a -f a -t iptables_exec_t '/etc/systemd/ipset'
fcontext -a -f a -t initrc_exec_t '/etc/systemd/selinux-lockdown'
fcontext -a -f a -t tmp_t '/tmp/tmp-inst'
fcontext -a -f a -t selinux_config_t '/var/lib/config(/.*)?'
fcontext -a -f a -t tmp_t '/var/tmp/tmp-inst'
module -d permissivedomains
module -d unconfined
module -d unlabelednet
[root@ice ~]#
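Before running semanage fcontext -a for a regex such as "/var/run/php-fpm(/.*)?", it helps to know which existing entry already labels that path (here httpd_var_run_t, as the ls -ldZ output shows) and whether the exact regex string is already defined by another file. The following check is added here and is not part of the report or of libsemanage; it parses constructed file_contexts-style entries and assumes the anchored, last-match-wins precedence of file_contexts, with file_contexts.local consulted after the base file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FcSpec:
    regex: str     # path regular expression as written in file_contexts
    ftype: str     # file-type flag such as "--" or "-d"; "" means any type
    context: str   # security context, e.g. system_u:object_r:var_run_t:s0
    source: str    # file the entry came from (file_contexts or file_contexts.local)

def parse_file_contexts(text: str, source: str) -> List[FcSpec]:
    """Parse file_contexts-style lines: REGEX [TYPE] CONTEXT."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            regex, ftype, context = parts[0], "", parts[1]
        elif len(parts) == 3:
            regex, ftype, context = parts
        else:
            raise ValueError(f"unparseable file_contexts entry: {line!r}")
        re.compile(regex)  # reject a regex the labeling code could not compile
        specs.append(FcSpec(regex, ftype, context, source))
    return specs

def effective_spec(specs: List[FcSpec], path: str) -> Optional[FcSpec]:
    """Entry that labels `path`: the whole path must match (anchored), and the last
    matching entry wins, so local entries appended after the base file override it."""
    winner = None
    for spec in specs:
        if re.fullmatch(spec.regex, path):
            winner = spec
    return winner

def same_regex(specs: List[FcSpec], regex: str) -> List[FcSpec]:
    """Existing entries whose regex string is literally the one about to be added."""
    return [s for s in specs if s.regex == regex]

# Constructed sample entries (not from a real policy); php-fpm mirrors the report's labels.
BASE = """
/var/run(/.*)?            system_u:object_r:var_run_t:s0
/var/run/php-fpm(/.*)?    system_u:object_r:httpd_var_run_t:s0
/usr/sbin/php-fpm    --   system_u:object_r:httpd_exec_t:s0
"""
LOCAL = "/usr/sbin/php-fpm    --   system_u:object_r:phpfcgi_exec_t:s0\n"
SPECS = parse_file_contexts(BASE, "file_contexts") + parse_file_contexts(LOCAL, "file_contexts.local")
```

Running same_regex(SPECS, "/var/run/php-fpm(/.*)?") reports the base-policy entry, while the "/var/run/test-directory(/.*)?" regex from the report has no existing owner, which matches the two cases the reporter contrasts.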

Comment 1 Fedora End Of Life 2015-11-04 13:14:53 UTC
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 21 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 2 Fedora End Of Life 2015-12-02 09:55:31 UTC
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

