Bug 1398913 - mkdir fails to label some directories when -p -Z options are used.
Summary: mkdir fails to label some directories when -p -Z options are used.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: coreutils
Version: 24
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kamil Dudka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-27 09:42 UTC by Scott Shambarger
Modified: 2017-03-06 08:01 UTC (History)
8 users (show)

Fixed In Version: coreutils-8.26-1.fc26 coreutils-8.25-16.fc25 coreutils-8.25-8.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-03 21:51:02 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Scott Shambarger 2016-11-27 09:42:33 UTC 
Description of problem:
Creating multiple levels of directories together with mkdir -p -Z fails to set the SELinux context for all but the highest and lowest directories.

Version-Release number of selected component (if applicable):
coreutils-8.25-7.fc24.x86_64

How reproducible:
Always for any more than two directory levels.

Steps to Reproduce:
1. Create 3 or more directories together with (for eg) mkdir -p -Z a/b/c

Actual results:
mkdir: failed to set default creation context for 'a/b': No such file or directory
SELinux labels set on a and a/b/c, but not on a/b.

Expected results:
a/b should also be labeled.

Additional info:
Same problem all intermediary directories, eg mkdir -p -Z a/b/c/d fails to label a/b and a/b/c (but labels a and a/b/c/d).

NOTE: mkdir will usually correct the labels on existing directories, but fails to do so here as well.
Comment 1 Kamil Dudka 2016-11-28 09:33:14 UTC 
Confirmed.  Minimal example:

$ sudo semanage fcontext -a -t user_home_t    /tmp/a
$ sudo semanage fcontext -a -t mozilla_home_t /tmp/a/b
$ sudo semanage fcontext -a -t home_cert_t    /tmp/a/b/c

$ mkdir -Zp a/b/c
$ ls -1Zd a a/b a/b/c
unconfined_u:object_r:user_home_t:s0 a
unconfined_u:object_r:user_home_t:s0 a/b
unconfined_u:object_r:home_cert_t:s0 a/b/c

$ restorecon -R a
$ ls -1Zd a a/b a/b/c
   unconfined_u:object_r:user_home_t:s0 a
unconfined_u:object_r:mozilla_home_t:s0 a/b
   unconfined_u:object_r:home_cert_t:s0 a/b/c


Same problem with install(1):

$ rm -fr a
$ install -ZDd a/b/c
$ ls -1Zd a a/b a/b/c
unconfined_u:object_r:user_home_t:s0 a
unconfined_u:object_r:user_home_t:s0 a/b
unconfined_u:object_r:home_cert_t:s0 a/b/c
Comment 2 Kamil Dudka 2016-11-28 14:16:25 UTC 
This looks like a copy-paste error (duplicated at two places in the code):

--- a/src/install.c
+++ b/src/install.c
@@ -427,7 +427,7 @@ static int
 make_ancestor (char const *dir, char const *component, void *options)
 {
   struct cp_options const *x = options;
-  if (x->set_security_context && defaultcon (dir, S_IFDIR) < 0
+  if (x->set_security_context && defaultcon (component, S_IFDIR) < 0
       && ! ignorable_ctx_err (errno))
     error (0, errno, _("failed to set default creation context for %s"),
            quoteaf (dir));
--- a/src/mkdir.c
+++ b/src/mkdir.c
@@ -123,7 +123,7 @@ make_ancestor (char const *dir, char const *component, void *options)
 {
   struct mkdir_options const *o = options;

-  if (o->set_security_context && defaultcon (dir, S_IFDIR) < 0
+  if (o->set_security_context && defaultcon (component, S_IFDIR) < 0
       && ! ignorable_ctx_err (errno))
     error (0, errno, _("failed to set default creation context for %s"),
            quoteaf (dir));

I will submit a patch upstream once I have idea how to test this...
Comment 3 Kamil Dudka 2016-11-28 15:25:22 UTC 
(In reply to Kamil Dudka from comment #2)
> I will submit a patch upstream once I have idea how to test this...

I have not figured out how to reliably test this without having root access but submitted a patch upstream anyway:

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=25052
Comment 4 Kamil Dudka 2016-11-28 16:35:13 UTC 
upstream commit:

http://git.savannah.gnu.org/gitweb/?p=coreutils.git;a=commitdiff;h=d8104265
Comment 5 Fedora Update System 2017-03-02 10:52:12 UTC 
coreutils-8.25-8.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b21a847e7a
Comment 6 Fedora Update System 2017-03-02 10:52:23 UTC 
coreutils-8.25-16.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-24ce0b63c4
Comment 7 Fedora Update System 2017-03-03 04:53:22 UTC 
coreutils-8.25-16.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-24ce0b63c4
Comment 8 Fedora Update System 2017-03-03 05:24:04 UTC 
coreutils-8.25-8.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b21a847e7a
Comment 9 Scott Shambarger 2017-03-03 19:47:36 UTC 
Tested update, bug appears fixed.  Karma added.
Comment 10 Fedora Update System 2017-03-03 21:51:02 UTC 
coreutils-8.25-16.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2017-03-05 20:50:20 UTC 
coreutils-8.25-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Kamil Dudka 2017-03-06 08:01:05 UTC 
(In reply to Scott Shambarger from comment #9)
> Tested update, bug appears fixed.  Karma added.

Thanks for confirmation!
Note You need to log in before you can comment on or make changes to this bug.