Bug 1308704 - SELinux file contexts for TripleO ISO
SELinux file contexts for TripleO ISO
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
Unspecified Unspecified
low Severity low
: pre-dev-freeze
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
: Triaged
Depends On:
  Show dependency treegraph
Reported: 2016-02-15 14:36 EST by Thom Carlin
Modified: 2017-08-17 06:54 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-08-17 06:54:44 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Thom Carlin 2016-02-15 14:36:38 EST
Description of problem:

"restorecon" should not have to change the type portion of the security context.

Version-Release number of selected component (if applicable):


How reproducible:

Believe 100%

Steps to Reproduce:
1. Install TripleO ISO
2. Log in to run launch-fusor-undercloud-installer
3. restorecon -RFvv /

Actual results:

Type portion of security context changes for some files

Expected results:

No type portion changes

Additional info:

Edited List:
* restorecon reset /dev/shm/pulse-shm-* context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:user_tmpfs_t:s0
* restorecon reset /run/netns/qdhcp-* context system_u:object_r:proc_t:s0->system_u:object_r:ifconfig_var_run_t:s0 <- Not sure about this one
* restorecon reset /run/user/0/gvfs context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:fusefs_t:s0
* restorecon reset /run/user/0/keyring-<string> context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:gkeyringd_tmp_t:s0 (and contents)
* restorecon reset /etc/sysconfig/network context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:etc_t:s0
* restorecon reset /root/.config context system_u:object_r:admin_home_t:s0->system_u:object_r:config_home_t:s0 (and contents)
* restorecon reset /root/.Xauthority context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:xauth_home_t:s0
* restorecon reset /var/lib/heat-cfntools/cfn-init-data context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:var_lib_t:s0
* restorecon reset /var/log/yum.log context unconfined_u:object_r:var_log_t:s0->system_u:object_r:rpm_log_t:s0
Comment 6 Thom Carlin 2016-08-05 16:48:55 EDT
In QCI 1.0:
type=AVC msg=audit(1470268404.190:354): avc:  denied  { create } for  pid=10341 comm="gdm-session-wor" name=".cache" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1470281262.458:1948): avc:  denied  { dac_override } for  pid=20052 comm="ovs-vsctl" capability=1  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability
Comment 7 Thom Carlin 2016-08-08 11:41:42 EDT
Per QCI developers, switching to RHEL
Comment 11 Milos Malik 2017-08-17 03:21:01 EDT
Is it still relevant? Do you still see mislabeled files when running restorecon in this scenario?
Comment 12 Thom Carlin 2017-08-17 06:52:02 EDT
No, this is no longer needed
Comment 13 Lukas Vrabec 2017-08-17 06:54:44 EDT
Thanks Thom

Note You need to log in before you can comment on or make changes to this bug.