+++ This bug was initially created as a clone of Bug #1381296 +++

Description of problem:
* there are many scripts which can create /var/run/pcp directory
* unfortunately SELinux policy is not able to confine all of them
* result is that /var/run/pcp gets created with an incorrect label
* if the directory was owned by some of pcp* packages, it would be created by rpm/yum during the RPM installation and it would be labeled correctly

Version-Release number of selected component (if applicable):
pcp-3.11.3-4.el7.x86_64

How reproducible:
* always

Steps to Reproduce:
# ls -dZ /var/run/pcp/
ls: cannot access /var/run/pcp/: No such file or directory
# yum -y -q install pcp\*
# ls -dZ /var/run/pcp/
drwxrwxr-x. pcp pcp unconfined_u:object_r:var_run_t:s0 /var/run/pcp/
# restorecon -Rv /var/run/pcp/
restorecon reset /var/run/pcp context unconfined_u:object_r:var_run_t:s0->unconfined_u:object_r:pcp_var_run_t:s0
#

Actual results:
# rpm -qf /var/run/pcp/
file /var/run/pcp is not owned by any package
#

Expected results:
* /var/run/pcp is owned by some pcp* package

The situation changed a bit since the bug was filed:

# rpm -qa pcp\*
pcp-3.11.8-3.el7.x86_64
pcp-conf-3.11.8-3.el7.x86_64
pcp-libs-3.11.8-3.el7.x86_64
pcp-selinux-3.11.8-3.el7.x86_64
# rpm -qf /var/run/pcp
pcp-3.11.8-3.el7.x86_64
#

The /var/run/pcp directory does not exist after installation of above-mentioned packages. After the start of pmcd or pmproxy or pmwebd service the /var/run/pcp directory is present, but it is labeled incorrectly:

# ls -dZ /var/run/pcp
drwxrwxr-x. pcp pcp system_u:object_r:var_run_t:s0 /var/run/pcp
#

If the directory was created during the pcp* packages installation, it would be labeled correctly by yum or rpm.

| The /var/run/pcp directory does not exist after installation of
| above-mentioned packages.

FWLIW, I just did a rpm erase, rm -fr /var/run/pcp, and fresh rpm install and that directory *does* exist. Bizarre. It must be tempfs related somehow.

No matter - Lukas has come up with another way to fix this ... we'll want to backport his recent commit:

commit fb56481639ff5b73792a20d34dff3ac4e191a907
Author: Lukas Berk <lberk>
Date:   Thu Apr 6 15:36:18 2017 -0400

    RHBZ: 1381301 restore context to pcp_var_run_t after pmcd start

    pmcd makes /var/run/pcp on the fly, which, gives /var/run/pcp var_run_t
    context (despite the default policy being pcp_var_rum_t). If the command
    exists, just run restorecon on the directory after we make it.
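
The approach named in the commit message above, as an added shell example (not the code from the PCP commit and not part of the original comments): create the run directory, relabel it only when restorecon is installed, and check a context's type field against the expected type. All function names are hypothetical; the sample contexts are the ones quoted in this report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from PCP.

# Print the type (third colon-separated field) of an SELinux context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed when context $1 carries the expected type $2.
label_ok() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Create directory $1 if missing, then reset it to the policy default
# label. restorecon is optional: without it the directory is still
# created, it just keeps the label inherited from its parent.
ensure_rundir() {
    rundir=$1
    [ -d "$rundir" ] || mkdir -p "$rundir" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$rundir" 2>/dev/null || true
    fi
    return 0
}

# Compare the live label of $1 with the policy default for that path.
# Returns 0 = match, 1 = mismatch, 2 = cannot tell (no SELinux tools).
check_rundir_label() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    actual=$(stat -c %C "$1" 2>/dev/null) || return 2
    expected=$(matchpathcon -n "$1" 2>/dev/null) || return 2
    label_ok "$actual" "$(selinux_type "$expected")"
}

# Contexts quoted in the report: as created by the service, and after restorecon.
for ctx in system_u:object_r:var_run_t:s0 \
           unconfined_u:object_r:pcp_var_run_t:s0; do
    if label_ok "$ctx" pcp_var_run_t; then
        echo "ok        $ctx"
    else
        echo "mislabel  $ctx"
    fi
done
```

On an SELinux host, `check_rundir_label /var/run/pcp` after a service start reports whether the directory kept the parent's label or received the policy default.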
Reproduced against pcp-3.11.3-4.el7 and verified against pcp-3.11.8-4.el7.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:1968