Bug 1271338 - oo-restorecon -v -a does not add selinux MCS labels to files under hidden directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 2.2.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ---
Assignee: Timothy Williams
QA Contact: Chao Yang
Reported: 2015-10-13 17:02 UTC by Ryan Howe
Modified: 2019-09-12 09:05 UTC (History)

Fixed In Version: openshift-origin-node-util-1.38.5.1-1.el6op
Doc Type: Bug Fix
Doc Text:
When restoring SELinux labels, the action was performed on a directory, which does not include hidden files. This caused SELinux labels to not be properly restored on hidden files within a gear directory if they were incorrect. This bug fix ensures that the SELinux label change is performed on all files within a directory, rather than the directory. As a result, hidden files in a gear now have the proper SELinux labels set when they are incorrect.
Last Closed: 2015-12-17 17:11:11 UTC
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:2666 | 0 | normal | SHIPPED_LIVE | Important: Red Hat OpenShift Enterprise 2.2.8 security, bug fix, and enhancement update | 2015-12-17 22:07:54 UTC

Description Ryan Howe 2015-10-13 17:02:58 UTC
Description of problem:
oo-restorecon -v -a does not add SELinux MCS labels to files under a hidden directory

example:   .env/* 

Version-Release number of selected component (if applicable):
v2.2.x

How reproducible:
100%

Steps to Reproduce:
1. mv /var/lib/openshift/<gearUUID>
2. lose selinux attributes 
3. run oo-restorecon -v -a 

Actual results:

# oo-restorecon -v -a
chcon -l s0:c86,c118 -R /var/lib/openshift/55f8844b8d24b7a8e50000a8/*
restorecon -R /var/lib/openshift/5602de3b8d24b7872c000878/
chcon -l s0:c82,c817 -R /var/lib/openshift/5602de3b8d24b7872c000878/*


# ls -lhaRZ .env/
.env/:
drwxr-x---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 .
drwxr-x---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 ..
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 GEM_HOME
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 HISTFILE
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 HOME
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0:c82,c817 JAVA_OPTS_EXT
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 JENKINS_PASSWORD
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 JENKINS_URL
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 JENKINS_USERNAME
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 OPENSHIFT_APP_DNS
-rw-r--r--. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 OPENSHIFT_APP_NAME
-rw-r--r--. root 5602de3b8d24b7872c000878 

.env/user_vars:
drwxrwx---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 .
drwxr-x---. root 5602de3b8d24b7872c000878 system_u:object_r:openshift_var_lib_t:s0 ..


Expected results:

All attributes get restored.


Additional info:

Comment 2 Josep 'Pep' Turro Mauri 2015-10-13 17:27:06 UTC
Haven't tested but this should hopefully help:

https://github.com/openshift/origin-server/pull/6273

Comment 7 Johnny Liu 2015-11-18 07:35:49 UTC
Verified this bug with openshift-origin-node-util-1.38.5.1-1.el6op.noarch, and PASS.


# touch .env/bb

# ll -Z .env/bb
-rw-r--r--. root root unconfined_u:object_r:openshift_var_lib_t:s0 .env/bb

# oo-restorecon -v -a 
restorecon -R /var/lib/openshift/jialiu-python33app-1/
chcon -l s0:c6,c673 -R /var/lib/openshift/jialiu-python33app-1/

# ll -Z .env/bb
-rw-r--r--. root root unconfined_u:object_r:openshift_var_lib_t:s0:c6,c673 .env/bb
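
The two command outputs in this report differ in one argument: before the fix `chcon -R` was given `/var/lib/openshift/<uuid>/*`, and in the verified build it is given the directory itself. The following is an added example, not part of the bug report and not oo-restorecon's code: it reproduces that difference on a constructed temporary tree and adds an audit helper for `ls -Z` output. The function names are hypothetical and the column layout (mode, user, group, context, name) is assumed from the listing in the description.

```shell
#!/bin/sh
# Added example, not oo-restorecon's code. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # stable ordering for sort and comm

# Paths a recursive tool (chcon -R, restorecon -R) visits when the shell
# expands "$1"/* for it. The glob skips top-level names starting with a dot.
walked_by_glob() {
    for top in "$1"/*; do
        if [ -e "$top" ]; then find "$top"; fi
    done | sort
}

# Paths visited when the directory itself is the argument.
walked_by_dir() {
    find "$1" ! -path "$1" | sort
}

# Paths the glob form never reaches, so they keep whatever label they had.
missed_by_glob() {
    a=$(mktemp); b=$(mktemp)
    walked_by_glob "$1" > "$a"
    walked_by_dir "$1" > "$b"
    comm -13 "$a" "$b"        # lines present only in the directory walk
    rm -f "$a" "$b"
}

# Audit helper: reads `ls -lZ` style lines (mode user group context name,
# assumed layout) and prints names whose context ends at the sensitivity
# (user:role:type:s0) with no MCS categories after it.
without_mcs_categories() {
    awk 'NF >= 5 && split($4, ctx, ":") < 5 { print $5 }'
}

demo() {
    gear=$(mktemp -d)         # constructed stand-in for a gear directory
    mkdir -p "$gear/.env" "$gear/app"
    : > "$gear/.env/HOME"; : > "$gear/app/.hidden"; : > "$gear/app/run.sh"
    echo "not reached via $gear/*:"
    missed_by_glob "$gear" | sed "s|^$gear/|  |"
    rm -rf "$gear"
}
demo
```

On a real node the audit helper can be fed `ls -lZ` output from inside a gear directory; hidden files below a non-hidden top-level directory (`app/.hidden` in the demo) are still reached by the glob form, only top-level dot entries are skipped.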

Comment 9 errata-xmlrpc 2015-12-17 17:11:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2666.html

