Bug 1291601 - Updating selinux-policy{,-targeted} destroys all local fcontext configuration
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified Unspecified
Priority: high Severity: high
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1288696 1294301
Reported: 2015-12-15 04:05 EST by Jamie Nguyen
Modified: 2016-01-04 08:48 EST
Fixed In Version: selinux-policy-3.13.1-158.fc23
Doc Type: Bug Fix
Last Closed: 2015-12-22 17:03:47 EST
Type: Bug
Description Jamie Nguyen 2015-12-15 04:05:59 EST
Updating or downgrading selinux-policy destroys all local fcontext configuration.

Steps to reproduce
------------------

The same thing happens for both updating (as below) and downgrading.

# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.13.1-152.fc23
selinux-policy-targeted-3.13.1-152.fc23

# semanage fcontext -a -t bin_t "/srv/bin(/.*)?"

# semanage fcontext --list --locallist
/srv/bin(/.*)?    all files    system_u:object_r:bin_t:s0

# dnf update -y selinux\*

# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.13.1-157.fc23
selinux-policy-targeted-3.13.1-157.fc23

# semanage fcontext --list --locallist
(no output)

Expected behaviour
------------------

Local fcontext configuration should be untouched after updating or downgrading selinux-policy and selinux-policy-targeted.
Comment 1 Jamie Nguyen 2015-12-15 04:08:19 EST
I tested this on my desktop (Fedora 23 "Workstation") as well as a fresh VM with a minimal netinstall of Fedora 23 "Server". In both cases, local fcontext configuration is lost.
Comment 2 Petr Lautrbach 2015-12-15 04:52:11 EST
It should be already fixed in selinux-policy-3.13.1-155.fc23, see https://bugzilla.redhat.com/show_bug.cgi?id=1279621
Comment 3 Lukas Vrabec 2015-12-15 04:59:08 EST
It's still broken.
Comment 4 Petr Lautrbach 2015-12-15 05:05:58 EST
(In reply to Petr Lautrbach from comment #2)
> It should be already fixed in selinux-policy-3.13.1-155.fc23, see
> https://bugzilla.redhat.com/show_bug.cgi?id=1279621

It's apparently not the same problem. 

But I'm not able to reproduce it on my own:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-152.fc23.noarch

# semanage fcontext --list --locallist          

# semanage fcontext -a -t bin_t "/srv/bin(/.*)?"

# semanage fcontext --list --locallist          
SELinux fcontext                                   type               Context

/srv/bin(/.*)?                                     all files          system_u:object_r:bin_t:s0 

# dnf update selinux-policy
...

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-157.fc23.noarch

# semanage fcontext --list --locallist
SELinux fcontext                                   type               Context

/srv/bin(/.*)?                                     all files          system_u:object_r:bin_t:s0
Comment 5 Jamie Nguyen 2015-12-15 06:09:18 EST
This procedure should be 100% reproducible using the Fedora Cloud image. These are the exact steps I ran:

# cd /var/lib/libvirt/images

# wget https://download.fedoraproject.org/pub/fedora/linux/releases/23/Cloud/x86_64/Images/Fedora-Cloud-Base-23-20151030.x86_64.raw.xz

# xz -d Fedora-Cloud-Base-23-20151030.x86_64.raw.xz

# virt-customize \
      --add Fedora-Cloud-Base-23-20151030.x86_64.raw \
      --root-password password:1234 \
      --run-command "systemctl mask cloud-init.service"

# virt-install --name f23 --ram 2048 \
      --disk /var/lib/libvirt/images/Fedora-Cloud-Base-23-20151030.x86_64.raw \
      --os-variant fedora22 --import

(In virt-viewer.)
Login: root
Password: 1234

# rpm -q selinux-policy
selinux-policy-3.13.1-152.fc23

# dnf install -y policycoreutils-python-utils

# semanage fcontext -a -t bin_t "/srv/bin(/.*)?"

# semanage fcontext --list --locallist
/srv/bin(/.*)?    all files    system_u:object_r:bin_t:s0

# dnf update -y selinux\*

# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.13.1-157.fc23

# semanage fcontext --list --locallist
(no output)
Comment 6 Petr Lautrbach 2015-12-15 09:03:22 EST
The problem was introduced in commit a345bb5a250d7d745d1e1c9e9bd2c0b9c711d013, where /etc/selinux/targeted/contexts/files/file_contexts.local lost the '%config(noreplace)' flag. The following patch should fix it:

--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -227,9 +227,9 @@ rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/modules/active/policy.kern \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.bin \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs* \
-%verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
+%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
 %verify(not md5 size mtime) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local.bin \
-# %ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
+%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
 %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs \
 %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.subs_dist \
 %{_sysconfdir}/selinux/%1/booleans.subs_dist \
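Review bot: the `+%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin` line re-enables an entry that the explanation above does not cover, and its glob matches file_contexts.bin and file_contexts.local.bin, both already listed in this hunk with `%verify(not md5 size mtime)`. Listing the same path twice with different attributes is ambiguous, so either leave that line commented out or give it its own change with a stated reason. On the file_contexts.local line, `%config(noreplace)` replaces the `%verify(not md5 size mtime)` override instead of being added to it, so `rpm -V` will report the file as modified once an administrator adds local rules; the two directives can be combined on one line if that output is unwanted.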
Comment 7 Lukas Vrabec 2015-12-15 10:20:17 EST
*** Bug 1288696 has been marked as a duplicate of this bug. ***
Comment 8 Lukas Vrabec 2015-12-15 10:33:42 EST
Patch applied. 
Tested on Fedora 23.


Thank you.
Comment 9 Fedora Update System 2015-12-16 06:06:38 EST
selinux-policy-3.13.1-158.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac
Comment 10 Fedora Update System 2015-12-17 05:29:05 EST
selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-eb32da49ac
Comment 11 Fedora Update System 2015-12-22 17:03:38 EST
selinux-policy-3.13.1-158.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Lukas Vrabec 2016-01-04 08:48:03 EST
*** Bug 1294301 has been marked as a duplicate of this bug. ***
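
A check for the regression discussed in this bug, as an added example that is not part of the original report or of the selinux-policy package. The function names and the sample listings are constructed for illustration; the rpm query format shown in the comment is the assumed way to produce the flag listing on a real system.

```bash
# Added example (not from the bug report). Assumed input formats:
#   flag listing: rpm -q --qf '[%{FILEFLAGS:fflags} %{FILENAMES}\n]' selinux-policy-targeted
#   snapshots:    semanage fcontext --list --locallist

# Succeeds only if file_contexts.local is packaged as c (config) + n (noreplace).
local_is_noreplace() {   # stdin: "<fflags> <path>" lines
    awk '$NF ~ /\/contexts\/files\/file_contexts\.local$/ {
             found = 1
             if (NF == 2 && $1 ~ /c/ && $1 ~ /n/) ok = 1
         }
         END { exit !(found && ok) }'
}

# Prints local rules that were in the "before" snapshot but are gone "after".
lost_rules() {   # $1 = snapshot before update, $2 = snapshot after update
    awk '!/^\// { next }                         # skip header and blank lines
         { gsub(/[ \t]+/, " "); sub(/ $/, "") }  # normalise column padding
         FILENAME == ARGV[1] { after[$0] = 1; next }
         !($0 in after)' "$2" "$1"
}

# Constructed sample data modelled on the listings in this report.
FLAGS_BROKEN=' /etc/selinux/targeted/contexts/files/file_contexts.local
cn /etc/selinux/targeted/contexts/files/file_contexts.subs'
FLAGS_FIXED='cn /etc/selinux/targeted/contexts/files/file_contexts.local
cn /etc/selinux/targeted/contexts/files/file_contexts.subs'

demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '/srv/bin(/.*)?    all files    system_u:object_r:bin_t:s0' > "$tmp/before"
    : > "$tmp/after"                       # empty listing, as in the description
    printf '%s\n' "$FLAGS_BROKEN" | local_is_noreplace ||
        echo "file_contexts.local is not %config(noreplace)"
    lost_rules "$tmp/before" "$tmp/after"  # prints the rule that disappeared
    rm -rf "$tmp"
}
demo
```

Taking the "before" snapshot ahead of any selinux-policy update and diffing afterwards turns a silent loss of local labelling rules into something a post-update hook can alert on.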