Bug 1269989 - result of how selinux fcontexts with regexps work depends on adding order
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Vit Mojzis
QA Contact: Dalibor Pospíšil
Depends On:
Blocks:
Reported: 2015-10-08 13:40 EDT by Rafał Mielnik
Modified: 2018-02-01 12:13 EST (History)
CC List: 7 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-02-01 12:13:13 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers: Github SELinuxProject/selinux/issues/40 (last updated 2017-06-29 07:40 EDT)

Description Rafał Mielnik 2015-10-08 13:40:08 EDT
Description of problem:

The order of adding the regexp fcontext rules shouldn't matter, but it looks like it actually does matter.

Version-Release number of selected component (if applicable):

selinux-policy-3.13.1-23.el7_1.18.noarch

How reproducible:


Steps to Reproduce:

1. semanage fcontext -a -t httpd_log_t '/tmp/selinux/log(/.*)?'
   semanage fcontext -a -t var_log_t '/tmp/selinux(/.*)?'

2. mkdir /tmp/selinux/log -p
   touch /tmp/selinux/log/file
   restorecon -Rv /tmp/selinux/

3. semanage fcontext -d -t var_log_t '/tmp/selinux(/.*)?'
   semanage fcontext -d -t httpd_log_t '/tmp/selinux/log(/.*)?'
   semanage fcontext -a -t var_log_t '/tmp/selinux(/.*)?'
   semanage fcontext -a -t httpd_log_t '/tmp/selinux/log(/.*)?'

4. rm -rf /tmp/selinux/
   mkdir /tmp/selinux/log -p
   touch /tmp/selinux/log/file

5. restorecon -Rv /tmp/selinux/

Actual results:

restorecon reset /tmp/selinux context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:var_log_t:s0
restorecon reset /tmp/selinux/log context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:var_log_t:s0
restorecon reset /tmp/selinux/log/file context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:var_log_t:s0

and after removing and adding the rules in a different order:

restorecon reset /tmp/selinux context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:var_log_t:s0
restorecon reset /tmp/selinux/log context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_log_t:s0
restorecon reset /tmp/selinux/log/file context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_log_t:s0

Expected results:

Both ways it should be:

restorecon reset /tmp/selinux context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:var_log_t:s0
restorecon reset /tmp/selinux/log context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_log_t:s0
restorecon reset /tmp/selinux/log/file context
unconfined_u:object_r:user_tmp_t:s0->unconfined_u:object_r:httpd_log_t:s0

Additional info:
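The behaviour in the report follows from how libselinux resolves overlapping file-context regexps. Each spec is anchored to the whole path, and when several specs match, the last one in file order wins; semanage appends new rules to file_contexts.local in the order they were added, so whichever of the two overlapping rules was added last takes every path it matches. The following Python model is an added illustration, not code from this report, from libselinux or from policycoreutils. It assumes exactly that "anchored regex, last match wins" rule, replays both insertion orders from the reproducer, and then shows one constructed way to make the result order-independent: sorting the specs so the rule with the longer literal prefix comes last (an approximation of the idea behind fc_sort, not its real algorithm). The Spec class, the helper names and the sample paths are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Added illustration, not libselinux or policycoreutils code.
# Assumed model: every spec regex is anchored to the whole path, and when
# several specs match a path the LAST one in file order wins.  semanage
# appends rules to file_contexts.local in the order they were added.


@dataclass(frozen=True)
class Spec:
    regex: str   # path regexp as given to semanage fcontext
    ctype: str   # SELinux type the rule assigns, e.g. var_log_t


def lookup(specs, path):
    """Type the last matching spec assigns to path, or None if nothing matches."""
    winner = None
    for spec in specs:                      # file order; later entries override
        if re.fullmatch(spec.regex, path):  # fullmatch == the ^...$ anchoring
            winner = spec.ctype
    return winner


def label_tree(specs, paths):
    """What a recursive relabel would assign to each path under these specs."""
    return {p: lookup(specs, p) for p in paths}


_META = re.compile(r"[.^$*+?()\[\]{}|\\]")


def fixed_prefix(regex):
    """Literal prefix before the first regexp metacharacter (the rule's 'stem')."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]


def sort_most_specific_last(specs):
    """Reorder so a longer literal prefix (a more specific rule) comes later.
    With 'last match wins' the most specific rule then wins whatever order the
    rules were added in.  Exact, metachar-free entries sort after regexps with
    the same prefix length.  Constructed approximation of fc_sort, not the real thing."""
    return sorted(
        specs,
        key=lambda s: (len(fixed_prefix(s.regex)), s.regex == fixed_prefix(s.regex)),
    )


# Constructed sample: the two rules and the tree from the reproducer.
HTTPD_LOG = Spec(r"/tmp/selinux/log(/.*)?", "httpd_log_t")
VAR_LOG = Spec(r"/tmp/selinux(/.*)?", "var_log_t")
PATHS = ["/tmp/selinux", "/tmp/selinux/log", "/tmp/selinux/log/file"]

ORDER_1 = [HTTPD_LOG, VAR_LOG]   # step 1 of the report: specific rule first, broad rule last
ORDER_2 = [VAR_LOG, HTTPD_LOG]   # step 3 of the report: broad rule first, specific rule last

if __name__ == "__main__":
    for name, order in (("order 1", ORDER_1),
                        ("order 2", ORDER_2),
                        ("order 1, sorted", sort_most_specific_last(ORDER_1))):
        print(name)
        for path, ctype in label_tree(order, PATHS).items():
            print(f"  {path:24} -> {ctype}")
```

Running the block prints var_log_t for all three paths under order 1 and httpd_log_t for the two paths under /tmp/selinux/log under order 2, reproducing the two restorecon runs above; after sorting, both insertion orders give the expected result. On a real host the quickest check of which rule wins is `matchpathcon /tmp/selinux/log`, which resolves the path through the same lookup without relabeling anything, and `semanage fcontext -l -C` lists the local rules in the order they will be consulted.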
Comment 2 Miroslav Grepl 2015-10-12 04:07:35 EDT
We have some fixes related to a context order in policycoreutils.
Comment 4 Vit Mojzis 2018-02-01 12:13:13 EST
Thank you for taking the time to report this issue to us. We appreciate the feedback and use reports such as this one to guide our efforts at improving our products. That being said, this particular issue is well documented and there is not a clear consensus about a better solution (please see https://bugzilla.redhat.com/show_bug.cgi?id=678577).
The issue will be tracked in the Fedora bug mentioned above. Closing as WONTFIX.
