Description of problem:
The /usr/lib/fontconfig/cache directory is labeled as lib_t, but should be labeled as fonts_cache_t, same as /var/cache/fontconfig was before.

[guest@localhost ~]$ ls -laZ /usr/lib/fontconfig/cache/
total 40
drwxr-xr-x. 2 root root system_u:object_r:lib_t:s0     4096 Dec 17 07:35 .
drwxr-xr-x. 3 root root system_u:object_r:lib_t:s0     4096 Dec 17 07:35 ..
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0  136 Dec 17 07:35 14f2600e-0a03-4bcf-ad84-39369899c767-le64.cache-7
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0 20904 Dec 17 07:35 6d2e07ad-8b0a-44cf-ad7a-4c0d0bc787a2-le64.cache-7
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0  200 Dec 17 07:35 CACHEDIR.TAG

Either a piece of the core policy is missing, or /usr/lib/fontconfig/cache ought to be created with proper labeling.

Version-Release number of selected component (if applicable):
fontconfig-2.13.1-3.fc29.x86_64
selinux-policy-3.14.2-44.fc29.noarch
selinux-policy-devel-3.14.2-44.fc29.noarch
selinux-policy-targeted-3.14.2-44.fc29.noarch

How reproducible:
always

Similarly $HOME/.config/fontconfig/fonts.conf and $HOME/.config/fontconfig/conf.d/* for user_fonts_config_t and $HOME/.cache/fontconfig/* for user_fonts_cache_t
Hi,

Thank you for reporting the issue. I am currently checking the possible ways of resolving as there are already rules for the per-application configuration directories.

# semanage fcontext -l | grep /home.*fonts_cache_t
/home/[^/]+/\.fontconfig(/.*)?    all files       unconfined_u:object_r:user_fonts_cache_t:s0
/home/[^/]+/\.fonts/auto(/.*)?    all files       unconfined_u:object_r:user_fonts_cache_t:s0
/home/[^/]+/\.fonts\.cache-.*     regular file    unconfined_u:object_r:user_fonts_cache_t:s0

I think all of them are deprecated paths to store fontconfig caches. Those are still valid for backward compatibility but will be dropped in the future, though there is no ETA for dropping them so far.
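
Added example, not part of the bug thread and not the policy project's code: it evaluates only the three fcontext rules quoted above against the paths named in this report, showing that the XDG cache path and /usr/lib/fontconfig/cache match none of them. The user name "guest", the sample file names and the function names are constructed for illustration; the full policy contains other rules that this sketch does not model.

```python
import re

# The three rules quoted in the comment above, copied from the page.
SEMANAGE_OUTPUT = r"""
/home/[^/]+/\.fontconfig(/.*)?    all files       unconfined_u:object_r:user_fonts_cache_t:s0
/home/[^/]+/\.fonts/auto(/.*)?    all files       unconfined_u:object_r:user_fonts_cache_t:s0
/home/[^/]+/\.fonts\.cache-.*     regular file    unconfined_u:object_r:user_fonts_cache_t:s0
"""

LINE_RE = re.compile(r"(\S+)\s+(all files|regular file|directory)\s+(\S+)$")

def parse_rules(text):
    """Turn each listing line into (compiled regex, file class, SELinux type)."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pattern, file_class, context = m.groups()
            rules.append((re.compile(pattern), file_class, context.split(":")[2]))
    return rules

def matching_type(rules, path, file_class="regular file"):
    """Type assigned by the first of these rules covering path, else None.

    fullmatch models the implicit ^...$ anchoring of file-context regexes;
    None means the path falls through to other rules in the policy.
    """
    for regex, rule_class, setype in rules:
        if rule_class in ("all files", file_class) and regex.fullmatch(path):
            return setype
    return None

RULES = parse_rules(SEMANAGE_OUTPUT)

# Constructed sample paths for a hypothetical user "guest".
SAMPLES = [
    ("/home/guest/.fontconfig/abc.cache-7", "regular file"),      # deprecated path
    ("/home/guest/.fonts.cache-1", "regular file"),               # deprecated path
    ("/home/guest/.fonts.cache-1", "directory"),                  # rule is file-only
    ("/home/guest/.cache/fontconfig/abc.cache-7", "regular file"),
    ("/usr/lib/fontconfig/cache/CACHEDIR.TAG", "regular file"),
]

def report():
    return [(p, c, matching_type(RULES, p, c)) for p, c in SAMPLES]

if __name__ == "__main__":
    for path, file_class, setype in report():
        print(f"{setype or 'no rule here':20} {file_class:13} {path}")
```

On a live system, `matchpathcon <path>` reports the label the complete installed policy would assign.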
Created a PR, waiting for review: https://github.com/fedora-selinux/selinux-policy/pull/253
Another PR for a new interface: https://github.com/fedora-selinux/selinux-policy-contrib/pull/97
FEDORA-2019-096a80ef39 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39
selinux-policy-3.14.2-61.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39
FEDORA-2019-2eec328cc1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1
selinux-policy-3.14.2-62.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1
FEDORA-2019-8071724c9b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b
selinux-policy-3.14.2-63.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b
FEDORA-2019-b51794f502 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.