Bug 1395778 - file_contexts.local not present even though it should be
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.3
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: Dalibor Pospíšil
Duplicates: 1391009 1419929
Reported: 2016-11-16 16:07 UTC by David Haines
Modified: 2019-04-28 13:48 UTC (History)
Clone Of: 1381112
Last Closed: 2017-08-01 16:16:12 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1883 normal SHIPPED_LIVE policycoreutils bug fix update 2017-08-01 17:53:54 UTC

Description David Haines 2016-11-16 16:07:47 UTC
+++ This bug was initially created as a clone of Bug #1381112 +++

Description of problem:
'yum provides /etc/selinux/targeted/contexts/files/file_contexts.local' erroneously indicates that selinux-policy-targeted-3.13.1-102.el7_3.4.noarch contains the file_contexts.local referred to.

The following shows how this was stumbled upon:
# audit2allow -a
[Errno 2] No such file or directory: '/etc/selinux/targeted/contexts/files/file_contexts.local'


Version-Release number of selected component (if applicable):

3.13.1-102.el7_3.4

How reproducible:
- Install selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
- Run audit2allow -a

Comment 2 Simon Sekidde 2016-11-17 13:44:20 UTC
David, 

I am unable to reproduce this error

[root@localhost ~]# lsb_release -d; getenforce; rpm -q selinux-policy-targeted; rpm -q policycoreutils-python; audit2allow -a
Description:	Red Hat Enterprise Linux Server release 7.3 (Maipo)
Enforcing
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
policycoreutils-python-2.5-8.el7.x86_64


[root@localhost ~]#

Comment 8 Simon Sekidde 2016-12-08 21:39:11 UTC
David, 

Are you still seeing this problem with the latest selinux-policy packages?

Comment 9 Steven Haigh 2016-12-15 13:16:03 UTC
I just did a clean new install of 7.3 from the DVD ISO media - then a yum -y update.

Package installed is:
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch

I see:
# audit2allow -a /var/log/audit/audit.log 
[Errno 2] No such file or directory: '/etc/selinux/targeted/contexts/files/file_contexts.local'

A reinstall via 'yum reinstall selinux-policy-targeted' didn't fix the issue.

Fixed via:
# touch /etc/selinux/targeted/contexts/files/file_contexts.local

audit2allow now works as expected - however this should probably be fixed in the package installation.

Comment 10 Matthias Saou 2016-12-22 11:34:50 UTC
I can confirm the same issue, affecting only clean installs of RHEL 7.3 (not systems updated from prior releases).

The problem, as described, is that the /etc/selinux/targeted/contexts/files/file_contexts.local file does not exist anymore on a new system, and the audit2allow command fails because of that. "touch"ing the file does indeed fix it.

This is with:
selinux-policy-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch

I have dug a bit into the rpm changes, comparing 3.13.1-60.el7 (RHEL 7.2) with selinux-policy-3.13.1-102.el7_3.7 (RHEL 7.3), and the problem is that this file used to be included empty, but is now referenced as %ghost and no longer included. This change broke audit2allow, since apparently it needs the file and doesn't automatically create it if missing.

selinux-policy-3.13.1-60.el7 spec :

[...]
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.bin \
%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/files/file_contexts.local \
[...]

selinux-policy-3.13.1-102.el7_3.7 spec :

[...]
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.local \
%ghost %{_sysconfdir}/selinux/%1/contexts/files/*.local.bin \
[...]

The file needs to be set back to %config(noreplace), or audit2allow modified to create the file when it's missing.
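
The packaging difference described in comment 10 can be checked on a host: a `%ghost` entry is owned by the package in the RPM database but is not created on install. The following is an added example, not part of the bug report or of any Red Hat package; the function name `missing_ghosts`, its ROOT argument and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# missing_ghosts ROOT
# Reads "<path><TAB><fflags>" lines on stdin and prints each path that carries
# the %ghost flag ("g") but does not exist under ROOT ("" means the live system).
# On a real host the input would come from:
#   rpm -q --qf '[%{FILENAMES}\t%{FILEFLAGS:fflags}\n]' selinux-policy-targeted
missing_ghosts() {
    mg_root=$1
    mg_tab=$(printf '\t')
    while IFS=$mg_tab read -r mg_path mg_flags; do
        case $mg_flags in
            *g*) [ -e "$mg_root$mg_path" ] || printf '%s\n' "$mg_path" ;;
        esac
    done
}

# Demo on a throwaway tree with constructed query output (not captured from a
# real system): two %ghost entries matching the 7.3 spec globs, one plain file.
demo() {
    demo_root=$(mktemp -d) || return 1
    demo_dir=/etc/selinux/targeted/contexts/files
    mkdir -p "$demo_root$demo_dir"
    : > "$demo_root$demo_dir/file_contexts"
    demo_list=$(printf '%s\t%s\n' \
        "$demo_dir/file_contexts" "" \
        "$demo_dir/file_contexts.local" g \
        "$demo_dir/file_contexts.local.bin" g)

    echo "fresh install, ghosts missing on disk:"
    printf '%s\n' "$demo_list" | missing_ghosts "$demo_root"

    # The workaround from the thread: create the zero-length file.
    : > "$demo_root$demo_dir/file_contexts.local"
    echo "after creating file_contexts.local:"
    printf '%s\n' "$demo_list" | missing_ghosts "$demo_root"

    rm -rf "$demo_root"
}

demo
```

A reported path is only a problem when a tool opens it unconditionally, as audit2allow does with file_contexts.local in this report.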

Comment 11 Lukas Vrabec 2017-02-08 14:42:49 UTC
*** Bug 1419929 has been marked as a duplicate of this bug. ***

Comment 12 Giovanni Tirloni 2017-02-11 01:31:05 UTC
Experiencing the same issue with updated packages:

policycoreutils-2.5-11.el7_3.x86_64
policycoreutils-python-2.5-11.el7_3.x86_64
selinux-policy-3.13.1-102.el7_3.13.noarch
selinux-policy-targeted-3.13.1-102.el7_3.13.noarch

Comment 18 Petr Lautrbach 2017-03-29 13:46:31 UTC
*** Bug 1391009 has been marked as a duplicate of this bug. ***

Comment 20 billtang 2017-04-19 21:29:15 UTC
I am experiencing the same issue with redhat 7.3 (kernel-3.10.0-514.16.1.el7.x86_64):

policycoreutils-python-2.5-11.el7_3.x86_64
policycoreutils-2.5-11.el7_3.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch

Is there a workaround?

[root@host-1 ~]# audit2allow -a
[Errno 2] No such file or directory: '/etc/selinux/targeted/contexts/files/file_contexts.local'

Comment 21 billtang 2017-04-19 21:36:09 UTC
I am experiencing the same issue with redhat 7.3 (kernel-3.10.0-514.16.1.el7.x86_64):

policycoreutils-python-2.5-11.el7_3.x86_64
policycoreutils-2.5-11.el7_3.x86_64
selinux-policy-targeted-3.13.1-102.el7_3.16.noarch
selinux-policy-3.13.1-102.el7_3.16.noarch


[root@host-1 ~]# audit2allow -a
[Errno 2] No such file or directory: '/etc/selinux/targeted/contexts/files/file_contexts.local'



Workaround appears to be creating a zero-length file:
[root@host-1 ~]# touch /etc/selinux/targeted/contexts/files/file_contexts.local

Comment 22 Strahil Nikolov 2017-05-11 13:50:59 UTC
Hello,

I can confirm that a fresh install of RHEL 7.3 is missing the file.
Also the "sepolicy manpage" command fails until a zero-length file is created.

Comment 23 Tom Seewald 2017-05-13 04:02:10 UTC
I can confirm the workaround in comment 21 has resolved the problem on my machines.

Comment 24 errata-xmlrpc 2017-08-01 16:16:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1883

