1398427 – semanage fcontext -m returns "OSError: No such file or directory" and fails to alter contexts

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1398427 - semanage fcontext -m returns "OSError: No such file or directory" and fails to alter contexts

Summary: semanage fcontext -m returns "OSError: No such file or directory" and fails t...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	policycoreutils
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Petr Lautrbach
QA Contact:	Dalibor Pospíšil
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Duplicates (2):	1396902 1401699 (view as bug list)
Depends On:
Blocks:	1387497 1402006
TreeView+	depends on / blocked

Reported:	2016-11-24 20:11 UTC by Kyle Walker
Modified:	2020-09-10 09:59 UTC (History)
CC List:	14 users (show)
Fixed In Version:	policycoreutils-2.5-12.el7
Doc Type:	Bug Fix
Doc Text:	Previously, the "semanage fcontext -m" operation returned "OSError: No such file or directory" and failed to modify the target file context. A patch has been applied, and the exception is handled correctly. As a result, it is possible to modify the file context with the "semanage fcontext -m" command.
Clone Of:
Clones:	1402006 (view as bug list)
Environment:
Last Closed:	2017-08-01 16:16:12 UTC
Target Upstream Version:
Embargoed:
Flags:	fkrska: needinfo+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1594720	1	None	None	None	2021-01-20 06:05:38 UTC
Red Hat Knowledge Base (Solution)	2779831	0	None	None	None	2016-11-25 17:57:05 UTC
Red Hat Product Errata	RHBA-2017:1883	0	normal	SHIPPED_LIVE	policycoreutils bug fix update	2017-08-01 17:53:54 UTC

Internal Links: 1594720

Description Kyle Walker 2016-11-24 20:11:31 UTC

Description of problem:
 The semanage fcontext -m operation returns "OSError: No such file or directory" and fails to modify the target file context.

Version-Release number of selected component (if applicable):
 libsemanage-2.5-4.el7.x86_64

How reproducible:
 Easily

Steps to Reproduce:
1. Verify an example base file context:
	$ semanage fcontext -l | grep vasd

2. Attempt to change that context:
	$ semanage fcontext -m -t httpd_config_t "/var/opt/quest/vas/vasd(/.*)?"

3. Verify the context hasn't changed:
	$ semanage fcontext -l | grep vasd

Actual results:
/var/opt/quest/vas/vasd(/.*)?                      all files          system_u:object_r:var_auth_t:s0 


Expected results:
/var/opt/quest/vas/vasd(/.*)?                      all files          system_u:object_r:httpd_config_t:s0 


Additional info:

Comment 1 Kyle Walker 2016-11-24 20:28:20 UTC

Correction, the Version-Release number should be:

	policycoreutils-python-2.5-9.el7.x86_64


This issue is present following the 7.3 rebase of libsemanage due to the following upstream commit.

	Properly build the swig exception file even if the headers are missing

	During build if the headers are not installed in the system path, the
	generated swig exception (.i) file might be empty.

	https://github.com/SELinuxProject/selinux/commit/9792099fd7847266377df151e7738f9b38ffc18d


Prior to the above commit, the following codepath acted as expected:

/usr/lib/python2.7/site-packages/seobject/__init__.py
<snip>
class fcontextRecords(semanageRecords):
<snip>
        def __modify(self, target, setype, ftype, serange, seuser):
<snip>
                (rc, exists) = semanage_fcontext_exists(self.sh, k)
                if rc < 0:
                        raise ValueError(_("Could not check if file context for %s is defined") % target)
                if not exists:
                       (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
                       if not exists:
                              raise ValueError(_("File context for %s is not defined") % target)

                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
                if rc < 0:
                       (rc, fcontext) = semanage_fcontext_query(self.sh, k)
                       if rc < 0:
                              raise ValueError(_("Could not query file context for %s") % target)


The semanage_fcontext_query_local() operation would return -1, and it would fall through to the secondary semanage_fcontext_query(). However, with the upstream commit included, the first "file_contexts.local" lookup returns an "OSError" python exception.

Kyle Walker
Software Maintenance Engineer - SEG
North America

Comment 4 Milos Malik 2016-11-25 07:04:41 UTC

semanage fcontext -m ... should return similar error message as is returned when you try to delete the fcontext pattern:

# semanage fcontext -d -t httpd_log_t "/var/opt/quest/vas/vasd(/.*)?"
ValueError: File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be deleted

For example:
File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot be modified

Comment 5 Kyle Walker 2016-11-25 13:19:11 UTC

(In reply to Milos Malik from comment #4)
> semanage fcontext -m ... should return similar error message as is returned
> when you try to delete the fcontext pattern:
> 
> # semanage fcontext -d -t httpd_log_t "/var/opt/quest/vas/vasd(/.*)?"
> ValueError: File context for /var/opt/quest/vas/vasd(/.*)? is defined in
> policy, cannot be deleted
> 
> For example:
> File context for /var/opt/quest/vas/vasd(/.*)? is defined in policy, cannot
> be modified

Can you elaborate as to why this is the case? I mean, it doesn't do that anyways. Beyond that, it seems well beyond sub-optimal to cause base policy fcontexts to be impossible to alter.

- Kyle Walker

Comment 6 Milos Malik 2016-11-25 13:33:09 UTC

I always thought that fcontext patterns defined in policy cannot be changed, but I would appreciate if they could be overriden locally via semanage.

Comment 7 Petr Lautrbach 2016-11-29 09:36:46 UTC

Kyle, thanks for the investigation. I was wrong this problem.

The patch. It looks good to me and I'd like to resend it upstream if you agree.

Comment 9 Kyle Walker 2016-11-29 13:28:09 UTC

Petr,

Sounds good to me! Unless you would like me to push the patch upstream myself. Either way works for me.

- Kyle Walker

Comment 18 James W. Mills 2016-12-12 17:47:51 UTC

*** Bug 1401699 has been marked as a duplicate of this bug. ***

Comment 19 Laurent Bigonville 2016-12-30 16:24:14 UTC

I are you sure this is fully fixed?

On a centos, when doing semanage fcontext -m -t httpd_config_t "/var/opt/quest/vas/vasd(/.*)?"

I get: "ValueError: File context for /var/opt/quest/vas/vasd(/.*)? is not defined"

Comment 20 Petr Lautrbach 2017-01-02 08:36:26 UTC

What version do you use? This is supposed to be fixed in policycoreutils-2.5-11.el7_3 which hasn't been released yet.

Comment 21 Laurent Bigonville 2017-01-02 22:05:00 UTC

Argh, nevermind, the package has not been updated yet in CentOS

Comment 23 James W. Mills 2017-01-27 16:15:05 UTC

I have verified this is fixed on Atomic Host 7.3.2 with policycoreutils-python-2.5-11.el7_3.x86_64


# semanage fcontext -a -t svirt_sandbox_file_t "/var/lib/kubelet(/.*)?"
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
[root@atomic-7 ~]# echo $?
0


Thanks!
~james

Comment 24 Milos Malik 2017-02-01 09:34:14 UTC

This bug should go through regular QE testing. Switching back to ON_QA.

Comment 26 Petr Lautrbach 2017-03-03 11:27:28 UTC

*** Bug 1396902 has been marked as a duplicate of this bug. ***

Comment 27 errata-xmlrpc 2017-08-01 16:16:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1883

Note You need to log in before you can comment on or make changes to this bug.