Bug 1308704 - SELinux file contexts for TripleO ISO
Summary: SELinux file contexts for TripleO ISO
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: pre-dev-freeze
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2016-02-15 19:36 UTC by Thom Carlin
Modified: 2017-08-17 10:54 UTC

Last Closed: 2017-08-17 10:54:44 UTC

Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla 1308698 | 0 | unspecified | CLOSED | SELinux file contexts for RHCI ISO | 2021-02-22 00:41:40 UTC

Internal Links: 1308698

Description Thom Carlin 2016-02-15 19:36:38 UTC
Description of problem:

"restorecon" should not have to change the type portion of the security context.

Version-Release number of selected component (if applicable):

TP2 RC9

How reproducible:

Believe 100%

Steps to Reproduce:
1. Install TripleO ISO
2. Log in to run launch-fusor-undercloud-installer
3. restorecon -RFvv /

Actual results:

Type portion of security context changes for some files

Expected results:

No type portion changes

Additional info:

Edited List:
* restorecon reset /dev/shm/pulse-shm-* context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:user_tmpfs_t:s0
* restorecon reset /run/netns/qdhcp-* context system_u:object_r:proc_t:s0->system_u:object_r:ifconfig_var_run_t:s0 <- Not sure about this one
* restorecon reset /run/user/0/gvfs context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:fusefs_t:s0
* restorecon reset /run/user/0/keyring-<string> context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:gkeyringd_tmp_t:s0 (and contents)
* restorecon reset /etc/sysconfig/network context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
* restorecon reset /root/.config context system_u:object_r:admin_home_t:s0->system_u:object_r:config_home_t:s0 (and contents)
* restorecon reset /root/.Xauthority context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
* restorecon reset /var/lib/heat-cfntools/cfn-init-data context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:var_lib_t:s0
* restorecon reset /var/log/yum.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:rpm_log_t:s0
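
Added example, not part of the original report: a filter for "restorecon -v" output like the list above that separates relabels where the type field changed from those where only the SELinux user, role or level changed (the -F option resets those fields as well). The first three sample lines are taken from the list above, the fourth is constructed, and the function names are hypothetical.

```python
import re

# Matches RHEL 7 style "restorecon reset <path> context <old>-><new>" lines.
# Tolerates a leading "* " bullet and trailing annotations, as in the report.
LINE_RE = re.compile(
    r"restorecon reset (?P<path>.+?) context (?P<old>\S+)->(?P<new>\S+)")

FIELDS = ("user", "role", "type", "level")


def split_context(ctx):
    """Split user:role:type:level; the MLS level may itself contain colons."""
    parts = (ctx.split(":", 3) + [""])[:4]  # pad if the level is absent
    return dict(zip(FIELDS, parts))


def classify(line):
    """Return (path, old, new, changed_fields), or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    old, new = split_context(m["old"]), split_context(m["new"])
    changed = [f for f in FIELDS if old[f] != new[f]]
    return m["path"], old, new, changed


def type_changes(lines):
    """Keep only relabels where the type field changed."""
    out = []
    for line in lines:
        result = classify(line)
        if result and "type" in result[3]:
            path, old, new, _ = result
            out.append((path, old["type"], new["type"]))
    return out


# Sample input: three lines from the report, one constructed user-only change.
SAMPLE = """\
restorecon reset /etc/sysconfig/network context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
restorecon reset /run/netns/qdhcp-* context system_u:object_r:proc_t:s0->system_u:object_r:ifconfig_var_run_t:s0
restorecon reset /var/log/yum.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:rpm_log_t:s0
restorecon reset /root/example.txt context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:admin_home_t:s0
""".splitlines()

if __name__ == "__main__":
    for path, old_type, new_type in type_changes(SAMPLE):
        print(f"{path}: {old_type} -> {new_type}")
```

Running restorecon with -n in addition to -v reports the pending changes without relabeling anything, so the output can be reviewed this way first.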

Comment 6 Thom Carlin 2016-08-05 20:48:55 UTC
In QCI 1.0:
type=AVC msg=audit(1470268404.190:354): avc:  denied  { create } for  pid=10341 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1470281262.458:1948): avc:  denied  { dac_override } for  pid=20052 comm="ovs-vsctl" capability=1  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability

Comment 7 Thom Carlin 2016-08-08 15:41:42 UTC
Per QCI developers, switching to RHEL

Comment 11 Milos Malik 2017-08-17 07:21:01 UTC
Is it still relevant? Do you still see mislabeled files when running restorecon in this scenario?

Comment 12 Thom Carlin 2017-08-17 10:52:02 UTC
No, this is no longer needed

Comment 13 Lukas Vrabec 2017-08-17 10:54:44 UTC
Thanks Thom