Bug 1398427 - semanage fcontext -m returns "OSError: No such file or directory" and fails to alter contexts
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.3
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: Dalibor Pospíšil
Mirek Jahoda
Duplicates: 1396902 1401699
Blocks: 1387497 1402006
Reported: 2016-11-24 20:11 UTC by Kyle Walker
Modified: 2018-06-25 09:40 UTC (History)

Fixed In Version: policycoreutils-2.5-12.el7
Doc Type: Bug Fix
Doc Text:
Previously, the "semanage fcontext -m" operation returned "OSError: No such file or directory" and failed to modify the target file context. A patch has been applied, and the exception is handled correctly. As a result, it is possible to modify the file context with the "semanage fcontext -m" command.
Clone Of:
: 1402006 (view as bug list)
Environment:
Last Closed: 2017-08-01 16:16:12 UTC
fkrska: needinfo+


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:1883 normal SHIPPED_LIVE policycoreutils bug fix update 2017-08-01 17:53:54 UTC
Red Hat Bugzilla 1594720 None None None 2019-10-22 08:07:27 UTC
Red Hat Knowledge Base (Solution) 2779831 None None None 2016-11-25 17:57:05 UTC

Internal Links: 1594720

Description Kyle Walker 2016-11-24 20:11:31 UTC
Description of problem:
 The semanage fcontext -m operation returns "OSError: No such file or directory" and fails to modify the target file context.

Version-Release number of selected component (if applicable):
 libsemanage-2.5-4.el7.x86_64

How reproducible:
 Easily

Steps to Reproduce:
1. Verify an example base file context:
	$ semanage fcontext -l | grep vasd

2. Attempt to change that context:
	$ semanage fcontext -m -t httpd_config_t "/var/opt/quest/vas/vasd(/.*)?"

3. Verify the context hasn't changed:
	$ semanage fcontext -l | grep vasd

Actual results:
/var/opt/quest/vas/vasd(/.*)?                      all files          system_u:object_r:var_auth_t:s0 


Expected results:
/var/opt/quest/vas/vasd(/.*)?                      all files          system_u:object_r:httpd_config_t:s0 


Additional info:

Comment 1 Kyle Walker 2016-11-24 20:28:20 UTC
Correction, the Version-Release number should be:

	policycoreutils-python-2.5-9.el7.x86_64


This issue is present following the 7.3 rebase of libsemanage due to the following upstream commit.

	Properly build the swig exception file even if the headers are missing

	During build if the headers are not installed in the system path, the
	generated swig exception (.i) file might be empty.

	https://github.com/SELinuxProject/selinux/commit/9792099fd7847266377df151e7738f9b38ffc18d


Prior to the above commit, the following codepath acted as expected:

/usr/lib/python2.7/site-packages/seobject/__init__.py
<snip>
class fcontextRecords(semanageRecords):
<snip>
        def __modify(self, target, setype, ftype, serange, seuser):
<snip>
                (rc, exists) = semanage_fcontext_exists(self.sh, k)
                if rc < 0:
                        raise ValueError(_("Could not check if file context for %s is defined") % target)
                if not exists:
                       (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
                       if not exists:
                              raise ValueError(_("File context for %s is not defined") % target)

                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
                if rc < 0:
                       (rc, fcontext) = semanage_fcontext_query(self.sh, k)
                       if rc < 0:
                              raise ValueError(_("Could not query file context for %s") % target)


The semanage_fcontext_query_local() operation would return -1, and it would fall through to the secondary semanage_fcontext_query(). However, with the upstream commit included, the first "file_contexts.local" lookup returns an "OSError" python exception.

Kyle Walker
Software Maintenance Engineer - SEG
North America
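
The fall-through described in comment 1, as an added example that is not part of the bug report or of the policycoreutils patch. The `query_*` functions and the `POLICY`/`LOCAL` dictionaries are constructed stand-ins for the libsemanage bindings, and treating `OSError` as a miss in `modify_lookup_tolerant` is an assumption about one way to restore the fallback, not the shipped fix.

```python
KEY = "/var/opt/quest/vas/vasd(/.*)?"
POLICY = {KEY: "var_auth_t"}  # constructed: entry shipped in base policy
LOCAL = {}                    # constructed: file_contexts.local has no entry

def query_policy(key):
    # Stand-in for semanage_fcontext_query: (rc, record), rc < 0 on a miss.
    return (0, POLICY[key]) if key in POLICY else (-1, None)

def query_local_old(key):
    # Stand-in for the local lookup before the rebase: a miss is rc = -1.
    return (0, LOCAL[key]) if key in LOCAL else (-1, None)

def query_local_new(key):
    # Stand-in for the local lookup after the rebase: a miss raises OSError.
    if key not in LOCAL:
        raise OSError("No such file or directory")
    return (0, LOCAL[key])

def modify_lookup(key, query_local):
    # Lookup order quoted from __modify: local first, then base policy.
    rc, fcontext = query_local(key)
    if rc < 0:
        rc, fcontext = query_policy(key)
        if rc < 0:
            raise ValueError("Could not query file context for %s" % key)
    return fcontext

def modify_lookup_tolerant(key, query_local):
    # Assumed handling: an OSError from the local lookup counts as a miss.
    try:
        rc, fcontext = query_local(key)
    except OSError:
        rc, fcontext = -1, None
    if rc < 0:
        rc, fcontext = query_policy(key)
        if rc < 0:
            raise ValueError("Could not query file context for %s" % key)
    return fcontext

def outcome(lookup, key, query_local):
    # Return the record found, or the name of the exception raised.
    try:
        return lookup(key, query_local)
    except (OSError, ValueError) as exc:
        return type(exc).__name__

if __name__ == "__main__":
    for lk, ql in ((modify_lookup, query_local_old), (modify_lookup, query_local_new),
                   (modify_lookup_tolerant, query_local_new)):
        print(lk.__name__, ql.__name__, "->", outcome(lk, KEY, ql))
```

The middle case is the regression: the exception escapes before the `rc < 0` check runs, so the base-policy lookup is never attempted.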

Comment 4 Milos Malik 2016-11-25 07:04:41 UTC
semanage fcontext -m ... should return similar error message as is returned when you try to delete the fcontext pattern:

# semanage fcontext -d -t httpd_log_t "/var/opt/quest/vas/vasd(/.*)?"
ValueError: File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be deleted

For example:
File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be modified

Comment 5 Kyle Walker 2016-11-25 13:19:11 UTC
(In reply to Milos Malik from comment #4)
> semanage fcontext -m ... should return similar error message as is returned
> when you try to delete the fcontext pattern:
> 
> # semanage fcontext -d -t httpd_log_t "/var/opt/quest/vas/vasd(/.*)?"
> ValueError: File context for /var/opt/quest/vas/vasd(/.*)? is defined in
> policy, cannot be deleted
> 
> For example:
> File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot
> be modified

Can you elaborate as to why this is the case? I mean, it doesn't do that anyways. Beyond that, it seems well beyond sub-optimal to cause base policy fcontexts to be impossible to alter.

- Kyle Walker

Comment 6 Milos Malik 2016-11-25 13:33:09 UTC
I always thought that fcontext patterns defined in policy cannot be changed, but I would appreciate it if they could be overridden locally via semanage.

Comment 7 Petr Lautrbach 2016-11-29 09:36:46 UTC
Kyle, thanks for the investigation. I was wrong about this problem.

The patch. It looks good to me and I'd like to resend it upstream if you agree.

Comment 9 Kyle Walker 2016-11-29 13:28:09 UTC
Petr,

Sounds good to me! Unless you would like me to push the patch upstream myself. Either way works for me.

- Kyle Walker

Comment 18 James W. Mills 2016-12-12 17:47:51 UTC
*** Bug 1401699 has been marked as a duplicate of this bug. ***

Comment 19 Laurent Bigonville 2016-12-30 16:24:14 UTC
Are you sure this is fully fixed?

On CentOS, when doing semanage fcontext -m -t httpd_config_t "/var/opt/quest/vas/vasd(/.*)?"

I get: "ValueError: File context for /var/opt/quest/vas/vasd(/.*)? is not defined"

Comment 20 Petr Lautrbach 2017-01-02 08:36:26 UTC
What version do you use? This is supposed to be fixed in policycoreutils-2.5-11.el7_3 which hasn't been released yet.

Comment 21 Laurent Bigonville 2017-01-02 22:05:00 UTC
Argh, never mind, the package has not been updated yet in CentOS.

Comment 23 James W. Mills 2017-01-27 16:15:05 UTC
I have verified this is fixed on Atomic Host 7.3.2 with policycoreutils-python-2.5-11.el7_3.x86_64


# semanage fcontext -a -t svirt_sandbox_file_t "/var/lib/kubelet(/.*)?"
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
[root@atomic-7 ~]# echo $?
0


Thanks!
~james

Comment 24 Milos Malik 2017-02-01 09:34:14 UTC
This bug should go through regular QE testing. Switching back to ON_QA.

Comment 26 Petr Lautrbach 2017-03-03 11:27:28 UTC
*** Bug 1396902 has been marked as a duplicate of this bug. ***

Comment 27 errata-xmlrpc 2017-08-01 16:16:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1883

