Bug 1282709 - Files in /etc/cockpit not given correct labels by restorecon
Files in /etc/cockpit not given correct labels by restorecon
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2015-11-17 03:27 EST by Stef Walter
Modified: 2015-11-20 08:32 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-11-20 08:30:59 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Stef Walter 2015-11-17 03:27:08 EST
Description of problem:

The files in /etc/cockpit are not given correct labels by restorecon. All files in /etc/cockpit should be readable by cockpit-ws

Version-Release number of selected component (if applicable):


How reproducible:

Every time.

Steps to Reproduce:
1. Follow these instructions: http://cockpit-project.org/guide/latest/https.html and place a certificate in /etc/cockpit/ws-certs.d/test.cert
2. systemctl restart cockpit

Actual results:

SELinux is preventing cockpit-ws from read access on the file /etc/cockpit/ws-certs.d/test.cert.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cockpit-ws should be allowed read access on the test.cert file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep cockpit-ws /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cockpit_ws_t:s0
Target Context                unconfined_u:object_r:svirt_sandbox_file_t:s0:c242
Target Objects                /etc/cockpit/ws-certs.d/test.cert [ file ]
Source                        cockpit-ws
Source Path                   cockpit-ws
Port                          <Unknown>
Host                          falcon.thewalter.lan
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-154.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     falcon.thewalter.lan
Platform                      Linux falcon.thewalter.lan 4.2.0-300.fc23.x86_64
                              #1 SMP Fri Sep 4 13:27:08 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-11-17 09:25:15 CET
Last Seen                     2015-11-17 09:25:15 CET
Local ID                      a117b190-ee96-4244-a335-6ff3c37ffbaf

Raw Audit Messages
type=AVC msg=audit(1447748715.516:2111): avc:  denied  { read } for  pid=24424 comm="cockpit-ws" name="test.cert" dev="sda1" ino=2253606 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=unconfined_u:object_r:svirt_sandbox_file_t:s0:c242,c945 tclass=file permissive=0

Hash: cockpit-ws,cockpit_ws_t,svirt_sandbox_file_t,file,read

Additional info:

The following command has no effect.

$ sudo restorecon -rv /etc/cockpit
Comment 1 Stef Walter 2015-11-17 03:59:44 EST
The following command seems to set the right file context type:

sudo chcon -t etc_t /etc/cockpit/ws-certs.d/*.cert
Comment 2 Stef Walter 2015-11-17 04:18:44 EST
Upstream workaround for this bug: https://github.com/cockpit-project/cockpit/pull/3173
Comment 3 Daniel Walsh 2015-11-20 08:30:59 EST
Try to use -F

restorecon -rv F /etc/cockpit

The problem is you are mv'ing content from a container to /etc

Since the content is svirt_sandbox_file_t, this label could be placed anywhere on a system.  We don't want restorecon to relabel this content by default, so you need to --force it.

File types that do not get relabeled by restorecon by default are listed in 

man restorecon
       -F     Force reset of context to match  file_context  for  customizable
              files,  and  the  default file context, changing the user, role,
              range portion as well as the type.
Comment 4 Daniel Walsh 2015-11-20 08:32:20 EST
BTW, If you copied this file it would not have gotten this label.

mv -Z might help, but it might get confused since you are probably mv'ing to /hosts/etc/cockpit

Note You need to log in before you can comment on or make changes to this bug.