Bug 1625594 - selinux-policy-targeted specifies shorewall_etc_t for /etc/shorewall contents, but not shorewall6
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: Unspecified
OS: Linux
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-09-05 09:49 UTC by J. Randall Owens
Modified: 2018-09-11 16:55 UTC (History)

Fixed In Version: selinux-policy-3.14.1-42.fc28
Last Closed: 2018-09-11 16:55:11 UTC
Type: Bug


Description J. Randall Owens 2018-09-05 09:49:54 UTC
Description of problem:
I noticed that my /etc/shorewall dir & files were listed with shorewall_etc_t, but /etc/shorewall6 got plain etc_t. I'd think they should be the same.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.14.1-40.fc28.noarch, but I also found the same '/etc/shorewall(/.*)?	system_u:object_r:shorewall_etc_t:s0' line in rawhide, F27, CentOS 6 & 7. Not CentOS 5, at least, which doesn't even seem to have a shorewall_etc_t at all, not that it matters at this point.

How reproducible:

Steps to Reproduce:
1. dnf install selinux-policy-targeted shorewall shorewall6
2. ls -lZa /etc/shorewall*

Actual results:
/etc/shorewall & contents have shorewall_etc_t, /etc/shorewall6 & contents have just etc_t.

Expected results:
/etc/shorewall & /etc/shorewall6 and their contents have shorewall_etc_t.

Additional info:
All versions have the same line in /etc/selinux/targeted/contexts/files/file_contexts:

/etc/shorewall(/.*)?    system_u:object_r:shorewall_etc_t:s0

It should be as simple as making that 'shorewall6?(/.*)?'.

It looks like most of the rest of the contexts allow for shorewall6, except maybe the shorewall6-lite ones. I've never installed shorewall6?-lite, either one, so I don't know just what files it might need the contexts for. '/etc/shorewall-lite(/.*)?', '/sbin/shorewall-lite', '/usr/sbin/shorewall-lite', '/var/lib/shorewall-lite(/.*)?' look like they could use the same treatment.

If this filters down to the CentOS 6 release, there's also '/etc/rc\.d/init\.d/shorewall-lite' & '/etc/rc\.d/init\.d/shorewall', but not for shorewall6. Ironically, CentOS 7 uses systemd, but has '/etc/rc\.d/init\.d/shorewall.*' which would cover all of these.
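
Added example, not part of the bug report or of selinux-policy: a small model of the file_contexts lookup described above, showing why the anchored pattern `/etc/shorewall(/.*)?` leaves `/etc/shorewall6` at `etc_t` and what the suggested `shorewall6?` change covers. The generic `/etc` fallback entry, the sample file names and the "last match wins" ordering are assumptions made for illustration.

```python
import re

# Constructed excerpt, not a real file_contexts: the shorewall line is the one
# quoted in the report; the generic /etc fallback to etc_t is an assumption.
BEFORE = [
    ("/etc(/.*)?", "etc_t"),
    ("/etc/shorewall(/.*)?", "shorewall_etc_t"),
]
# Same excerpt with the pattern the report suggests.
AFTER = [
    ("/etc(/.*)?", "etc_t"),
    ("/etc/shorewall6?(/.*)?", "shorewall_etc_t"),
]

# Constructed sample paths (file names are hypothetical).
PATHS = [
    "/etc/shorewall",
    "/etc/shorewall/rules",
    "/etc/shorewall6",
    "/etc/shorewall6/rules",
    "/etc/shorewall6-lite/shorewall6-lite.conf",
]

def lookup(path, entries):
    """Return the type for path. Patterns must match the whole path, since
    file_contexts regexes are anchored; as a simplification of the real
    ordering rules, the last matching entry wins."""
    label = None
    for pattern, setype in entries:
        if re.fullmatch(pattern, path):
            label = setype
    return label

def relabelled(paths, before, after):
    """Map each path whose type differs between the rule sets to (old, new)."""
    changes = {}
    for p in paths:
        old, new = lookup(p, before), lookup(p, after)
        if old != new:
            changes[p] = (old, new)
    return changes

if __name__ == "__main__":
    for p in PATHS:
        print(f"{p:45} {lookup(p, BEFORE):16} {lookup(p, AFTER)}")
```

In this model the `-lite` path stays at `etc_t` under both rule sets, which matches the report's remark that the `-lite` entries would need the same treatment separately.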

Comment 1 Lukas Vrabec 2018-09-05 10:59:15 UTC
Yep, you're right.

Will be fixed in next version of selinux-policy. 


Comment 2 Fedora Update System 2018-09-06 21:56:31 UTC
selinux-policy-3.14.1-42.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 3 Fedora Update System 2018-09-07 17:11:58 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2d1b09d217

Comment 4 Fedora Update System 2018-09-11 16:55:11 UTC
selinux-policy-3.14.1-42.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
