Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1411371 - restorecon shows label conflict for /usr/sbin/ldconfig and its hardlink, `sln`
Summary: restorecon shows label conflict for /usr/sbin/ldconfig and its hardlink, `sln`
Keywords:
Status: CLOSED DUPLICATE of bug 1403012
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 25
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-09 15:02 UTC by Alan Jenkins
Modified: 2017-01-12 16:16 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-12 16:16:50 UTC
Type: Bug


Attachments (Terms of Use)

Description Alan Jenkins 2017-01-09 15:02:24 UTC
I thought `restorecon -Rv /` was a valid way to attempt a manual relabel.  It's not really, because it doesn't manage to skip `/sys/` and emits many warnings.

Anyway the other thing that happens, every time you run it, is this:

restorecon reset /usr/sbin/ldconfig context system_u:object_r:bin_t:s0->system_u:object_r:ldconfig_exec_t:s0
restorecon reset /usr/sbin/sln context system_u:object_r:ldconfig_exec_t:s0->system_u:object_r:bin_t:s0

i.e. there are conflicting labels applied to the same inode:

$ ls -l /usr/sbin/ldconfig
-rwxr-xr-x. 2 root root 1092984 Dec 24 01:03 /usr/sbin/ldconfig
$ ls -l /usr/sbin/sln
-rwxr-xr-x. 2 root root 1092984 Dec 24 01:03 /usr/sbin/sln


I remain very ignorant about SELinux, but I do not think this is a good thing.  

`sln` is owned by glibc-2.24-4.fc25.x86_64, and it passes `rpm --verify`.  Apparently it provides an equivalent of `ln -s`, as a statically linked program.  (So you can use it to sort out problems with dynamically linked libraries... presumably you also need a statically linked shell).  I do not know why a hardlink is used instead of a symbolic link.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-225.3.fc25.noarch

Expected results:
After the first invocation of e.g. `restorecon -Rv /usr`, I expected that subsequent invocations would not generate any output.

Additional info:
This should be a pretty clean system.  It's a recent install of Fedora 25 Workstation.

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

Comment 1 Alan Jenkins 2017-01-12 16:16:50 UTC
fixfiles actually detects this case:

filespec_add:  conflicting specifications for /usr/sbin/sln and /usr/sbin/ldconfig, using system_u:object_r:ldconfig_exec_t:s0.

*** This bug has been marked as a duplicate of bug 1403012 ***


Note You need to log in before you can comment on or make changes to this bug.