Bug 1654823 - matchpathcon returning incorrect context after adding two unrelated fcontext entries
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libselinux
Version: 7.6
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Vit Mojzis
QA Contact: Milos Malik
Reported: 2018-11-29 18:48 UTC by Ryan Blakley
Modified: 2019-09-02 15:56 UTC (History)

Last Closed: 2019-02-27 13:48:42 UTC

Description Ryan Blakley 2018-11-29 18:48:41 UTC
Description of problem: Adding two fcontext entries like /<directory> and /<directory>/*, specifically in that order, causes matchpathcon to return the context from the entries for the root directory. The entries have to be in the above order; there can be other entries in between or after as long as the order doesn't change.

Version-Release number of selected component (if applicable): 
* 14.1.el7

How reproducible: 
* Easy

Steps to Reproduce:
root@ryan-rhel7 ~ # semanage fcontext -a -f a -t default_t '/test'

root@ryan-rhel7 ~ # matchpathcon /
/	system_u:object_r:root_t:s0 <<<<

root@ryan-rhel7 ~ # semanage fcontext -a -f a -t default_t '/test/*'

root@ryan-rhel7 ~ # matchpathcon /
/	system_u:object_r:default_t:s0 <<<<

Actual results:
* Incorrect <context>_t

Expected results:
* Correct root_t context

Additional info:
* In testing I found that I could reproduce this bug up to Fedora 25; in Fedora 26 GA and beyond I can't reproduce the issue.
* Also I wasn't able to narrow it down to a particular patch. I also am not sure if this is a matchpathcon bug, or if it's a bug in the policy package, but since it's seen via matchpathcon I set the component as libselinux; please correct the component if this is incorrect.
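
A check that can be run after each `semanage fcontext -a` and before any relabeling, as an added example (not part of the original report or of libselinux): it compares the type in `matchpathcon` output against a baseline for sentinel paths such as `/`. The function names, the baseline format and the sample lines are assumptions constructed from the output shown in the steps above.

```shell
#!/bin/sh
# Added example: detect label drift on sentinel paths from matchpathcon output.
# Real use: matchpathcon / /test | fcontext_drift "$BASELINE"

# Print the SELinux type (third colon-separated field) of a context string.
# Works for MLS/MCS levels too, e.g. system_u:object_r:root_t:s0:c0.c1023.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# fcontext_drift BASELINE
#   BASELINE: text with one "<path> <expected_type>" pair per line
#   stdin:    matchpathcon-style lines, "<path><whitespace><context>"
# Prints one DRIFT line per mismatch and returns 1 if any path drifted.
fcontext_drift() {
    baseline=$1
    drift=0
    while read -r path context rest; do
        [ -n "$path" ] || continue
        expected=$(printf '%s\n' "$baseline" |
            awk -v p="$path" '$1 == p { print $2 }')
        [ -n "$expected" ] || continue          # path is not in the baseline
        actual=$(context_type "$context")
        [ -n "$actual" ] || actual=$context     # not a full context string
        if [ "$actual" != "$expected" ]; then
            printf 'DRIFT %s expected=%s actual=%s\n' \
                "$path" "$expected" "$actual"
            drift=1
        fi
    done
    return "$drift"
}

# Constructed baseline and sample input, modeled on the session in this report.
BASELINE=$(printf '/ root_t\n/test default_t')
SAMPLE_BEFORE=$(printf '/\tsystem_u:object_r:root_t:s0')
SAMPLE_AFTER=$(printf '/\tsystem_u:object_r:default_t:s0 <<<<\n/test\tsystem_u:object_r:default_t:s0')

# Demo on the constructed "after" sample; reports the drift on "/".
printf '%s\n' "$SAMPLE_AFTER" | fcontext_drift "$BASELINE" || true
```

A non-zero return from `fcontext_drift` is the signal to stop before relabeling and review the most recent local fcontext additions.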

Comment 4 Zdenek Pytela 2019-02-27 13:48:42 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.
