Bug 151870 - rpm should use matchpathcon for file context
Summary: rpm should use matchpathcon for file context
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact: Mike McLean
URL:
Whiteboard:
Duplicates: 152611 156895
Depends On:
Blocks: FC4Blocker
 
Reported: 2005-03-23 02:37 UTC by Daniel Walsh
Modified: 2007-11-30 22:11 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-05-20 13:34:21 UTC
Type: ---
Embargoed:



Description Daniel Walsh 2005-03-23 02:37:46 UTC
Description of problem:

Many advances have been added to matchpathcon that rpm does not support.

Admins can do local customization of file_context, and homedir contexts are picked
up by the latest matchpathcon.

Comment 3 Jeremy Katz 2005-04-27 22:14:58 UTC
*** Bug 152611 has been marked as a duplicate of this bug. ***

Comment 4 Sean Earp 2005-04-28 02:09:46 UTC
Since 152611 has been marked as a duplicate, I'll give a brief synopsis of the
other bug (which was marked as an FC4 Blocker) because this is not so much an
RFE as it is a serious problem.

With a clean install of FC4, the /home (and sub) directories are being set up
with the wrong security context:

# ls -ldZ /home

drwxr-xr-x  root     root     system_u:object_r:default_t      /home

After I restorecon it:

drwxr-xr-x  root     root     system_u:object_r:home_root_t    /home

The manifestation of this problem in the previous bug was that Flash would not
install properly in Firefox, as the installed files in the home directory had
the wrong context (to try it out, just head to a flash-enabled site and load
firefox through the presented option).  Flash will not work until you restorecon
your ~/.mozilla directory.

A clean install of FC4 should ship with the correct security context on the home
directory, as SELINUX is shipping enabled by default (IIRC).  Just my 2 cents...

-Sean :)

Comment 5 Daniel Walsh 2005-04-28 14:46:53 UTC
Yes, basically in FC4 file context has been broken into two or more files.  By
default there is file_context and file_context.homedirs.  The /root and /home
are defined in the homedirs file.  Since RPM does not use matchpathcon it is
only reading file_context and defaulting those files to default_t, which causes
problems later when people add accounts.  Unconfined_t is not allowed to exec
and execmod shared libraries on home directories.

Comment 6 Roy 2005-05-05 20:28:48 UTC
*** Bug 156895 has been marked as a duplicate of this bug. ***

Comment 7 Paul Nasrat 2005-05-06 12:13:56 UTC
rpm-4.4.1-18.1 should use matchpathcon everywhere.

Testing appreciated.

Comment 8 Stephen Smalley 2005-05-06 12:37:35 UTC
Currently running it on a machine with strict policy.
Question:  Is there a testsuite that covers certain aspects of rpm that are
likely to be problematic, e.g. chroot environments, emul prefixing, etc?  How
are they being handled now when using matchpathcon, since matchpathcon knows
nothing about them currently?  Does matchpathcon need to incorporate a notion
of a variable root directory, or can we just assume that the caller will strip
the root prefix prior to invoking it?
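An added illustration, not code from this bug, from rpm or from libselinux, of the lookup Dan describes in comment 5 and of the chroot question Stephen raises in comment 8: a small Python re-implementation of file_contexts matching run over constructed policy fragments. The policy lines and their types, the helper names (`rpm_old_context`, `matchpathcon_context`, `strip_install_root`), the `libflash.so` path and the last-match-wins rule are all assumptions made for the demonstration; the real matchpathcon lives in libselinux. The local customization file stands in for the admin customization mentioned in the description.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed stand-ins for the policy files Dan describes in comment 5 (and the
# local customization file mentioned in the description). Real Fedora policy has
# thousands of entries; these few lines and their types are illustrative only.
# Line format (libselinux file_contexts): <path regex> [<file type>] <context>
FILE_CONTEXTS = r"""
/.*                                   system_u:object_r:default_t
/etc(/.*)?                            system_u:object_r:etc_t
/usr(/.*)?                            system_u:object_r:usr_t
/usr/lib(64)?/.*\.so(\.[^/]*)*   --   system_u:object_r:shlib_t
"""

FILE_CONTEXTS_HOMEDIRS = r"""
/home                 -d   system_u:object_r:home_root_t
/home/[^/]*           -d   system_u:object_r:user_home_dir_t
/home/[^/]*/.*             system_u:object_r:user_home_t
"""

# Admin-added local customization (constructed): label browser plugins in home
# directories textrel_shlib_t so execmod is permitted on them.
FILE_CONTEXTS_LOCAL = r"""
/home/[^/]*/\.mozilla/plugins/[^/]*\.so   --   system_u:object_r:textrel_shlib_t
"""


class Entry(NamedTuple):
    regex: re.Pattern
    ftype: Optional[str]   # "d" dir, "f" regular file, "l" symlink, ...; None = any
    context: str


def parse_file_contexts(text: str) -> List[Entry]:
    """Parse file_contexts text into anchored regex entries, keeping file order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            pattern, spec, context = fields
            ftype = "f" if spec == "--" else spec[1:]   # "--" file, "-d" dir, "-l" link
        elif len(fields) == 2:
            pattern, context = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        entries.append(Entry(re.compile("^" + pattern + "$"), ftype, context))
    return entries


def lookup(entries: List[Entry], path: str, ftype: str) -> Optional[str]:
    """Return the context of the last entry matching path and file type.

    Last-match-wins is assumed here as the rule of the 2005-era libselinux;
    newer releases sort entries by specificity instead.
    """
    found = None
    for e in entries:
        if e.ftype is not None and e.ftype != ftype:
            continue
        if e.regex.match(path):
            found = e.context
    return found


def rpm_old_context(path: str, ftype: str) -> Optional[str]:
    """Pre-fix behaviour: rpm consulted only file_contexts, so /home fell to default_t."""
    return lookup(parse_file_contexts(FILE_CONTEXTS), path, ftype)


def matchpathcon_context(path: str, ftype: str, local: str = "") -> Optional[str]:
    """Behaviour via matchpathcon: base file, then homedirs, then local customizations."""
    entries = (parse_file_contexts(FILE_CONTEXTS)
               + parse_file_contexts(FILE_CONTEXTS_HOMEDIRS)
               + parse_file_contexts(local))
    return lookup(entries, path, ftype)


def strip_install_root(path: str, root: str) -> str:
    """Strip an installer chroot prefix (Stephen's question in comment 8).

    Hypothetical helper: the policy regexes describe the installed system's
    paths, so a caller must query "/home", not "/mnt/sysimage/home".
    """
    root = root.rstrip("/")
    if root and (path == root or path.startswith(root + "/")):
        return path[len(root):] or "/"
    return path


if __name__ == "__main__":
    for label, fn in (("rpm (file_contexts only)", rpm_old_context),
                      ("matchpathcon", matchpathcon_context)):
        print(f"{label:26s} /home -> {fn('/home', 'd')}")
    plugin = "/home/sean/.mozilla/plugins/libflash.so"   # constructed path
    print("without local customization:", matchpathcon_context(plugin, "f"))
    print("with local customization:   ", matchpathcon_context(plugin, "f", FILE_CONTEXTS_LOCAL))
    print("chroot path:", strip_install_root("/mnt/sysimage/home", "/mnt/sysimage"))
```

Run as a script it shows /home resolving to default_t when only the base file is consulted and to home_root_t once file_contexts.homedirs is included, which is the mismatch Sean's ls -ldZ output in comment 4 shows; the chroot helper shows why a path under an installer root must be stripped before the policy lookup, since the unstripped path only ever matches the catch-all entry.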

Comment 9 Sean Earp 2005-05-20 03:31:00 UTC
I just did a clean install of FC4T3, and was able to install flash via Firefox
with no problems at all (this was broken with the older version of RPM).  This
bug can be fixed as far as I am concerned.  Thanks!

-Sean

Comment 10 Sean Earp 2005-05-20 03:32:24 UTC
Whoops!  I meant "Marked as Fixed" (not fixed).

Thanks,

-Sean

Comment 11 Bruce Brackbill 2006-03-28 06:21:49 UTC
This is still a bug in FC5 final.

Comment 12 Daniel Walsh 2006-03-28 12:23:56 UTC
What are you reporting is still a bug?  libflash being installed with the wrong
security context?

Comment 13 Paul Nasrat 2006-03-28 13:12:16 UTC
Bruce - please give more details, codewise rpm is using matchpathcon.  What
exactly is the issue?

Comment 14 Bruce Brackbill 2006-03-28 17:55:48 UTC
Re: comment #12, flash is still NOT recognised even though it is installed.
Daniel, I imagine that it is the wrong security context since disabling selinux
fixes the problem (please see the bug
https://bugzilla.mozilla.org/show_bug.cgi?id=331753 I reported).  This bug may
be of interest also: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152611

Comment 15 Daniel Walsh 2006-03-28 19:21:51 UTC
So this is not an rpm problem, but a file context problem.  The problem is the
shared library is being installed in the user's home dir and needs to be labeled
textrel_shlib_t or else it will blow up with an execmod error.

I have added a tool to fc5 called restorecond that might solve this problem.

Is this library always going to be in .mozilla/plugins/?
Dan