Bug 1659905 - Incorrect SELinux label of fontconfig cache directory
Summary: Incorrect SELinux label of fontconfig cache directory
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 29
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Ben Levenson
Reported: 2018-12-17 07:45 UTC by Maciek Borzecki
Modified: 2019-08-18 01:56 UTC (History)

Last Closed: 2019-08-18 01:56:37 UTC



Description Maciek Borzecki 2018-12-17 07:45:36 UTC
Description of problem:

The /usr/lib/fontconfig/cache directory is labeled as lib_t, but should be labeled as fonts_cache_t, same as /var/cache/fontconfig was before.

[guest@localhost ~]$ ls -laZ /usr/lib/fontconfig/cache/
total 40
drwxr-xr-x. 2 root root system_u:object_r:lib_t:s0      4096 Dec 17 07:35 .
drwxr-xr-x. 3 root root system_u:object_r:lib_t:s0      4096 Dec 17 07:35 ..
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0   136 Dec 17 07:35 14f2600e-0a03-4bcf-ad84-39369899c767-le64.cache-7
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0 20904 Dec 17 07:35 6d2e07ad-8b0a-44cf-ad7a-4c0d0bc787a2-le64.cache-7
-rw-r--r--. 1 root root unconfined_u:object_r:lib_t:s0   200 Dec 17 07:35 CACHEDIR.TAG

Either a missing piece of the core policy or /usr/lib/fontconfig/cache ought to be created with proper labeling.

Version-Release number of selected component (if applicable):

fontconfig-2.13.1-3.fc29.x86_64
selinux-policy-3.14.2-44.fc29.noarch
selinux-policy-devel-3.14.2-44.fc29.noarch
selinux-policy-targeted-3.14.2-44.fc29.noarch

How reproducible:
always

Comment 1 Akira TAGOH 2018-12-17 09:13:16 UTC
Similarly $HOME/.config/fontconfig/fonts.conf and $HOME/.config/fontconfig/conf.d/* for user_fonts_config_t and $HOME/.cache/fontconfig/* for user_fonts_cache_t

Comment 2 Zdenek Pytela 2019-03-21 16:44:04 UTC
Hi,

Thank you for reporting the issue. I am currently checking the possible ways of resolving as there are already rules for the per-application configuration directories.

  # semanage fcontext -l| grep /home.*fonts_cache_t
/home/[^/]+/\.fontconfig(/.*)?                     all files          unconfined_u:object_r:user_fonts_cache_t:s0 
/home/[^/]+/\.fonts/auto(/.*)?                     all files          unconfined_u:object_r:user_fonts_cache_t:s0 
/home/[^/]+/\.fonts\.cache-.*                      regular file       unconfined_u:object_r:user_fonts_cache_t:s0

Comment 3 Akira TAGOH 2019-03-22 05:00:30 UTC
I think all of them are deprecated paths to store fontconfig caches. Those are still valid for backward compatibility but will be dropped in the future, though there is no ETA for dropping them so far.
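
The gap discussed in Comments 1 to 3, shown as an added example that is not part of the original thread: the three rules quoted in Comment 2 are matched against constructed sample paths under a hypothetical /home/alice. Matching here takes the first rule that matches the whole path and ignores the file class, which is a simplification of how SELinux selects a file context.

```shell
#!/bin/sh
# Added example, not from the bug report. Offline check of which paths the
# fcontext rules quoted in Comment 2 would label.

# "type pattern" pairs copied from the `semanage fcontext -l` output above.
RULES='user_fonts_cache_t /home/[^/]+/\.fontconfig(/.*)?
user_fonts_cache_t /home/[^/]+/\.fonts/auto(/.*)?
user_fonts_cache_t /home/[^/]+/\.fonts\.cache-.*'

# Constructed sample paths (assumption: $HOME is /home/alice). The first three
# are the older locations, the last three are the ones named in Comment 1.
SAMPLE_PATHS='/home/alice/.fontconfig/abc-le64.cache-7
/home/alice/.fonts/auto/x
/home/alice/.fonts.cache-1
/home/alice/.cache/fontconfig/abc-le64.cache-7
/home/alice/.config/fontconfig/fonts.conf
/home/alice/.config/fontconfig/conf.d/10-local.conf'

# match_type PATH: print the type of the first rule whose regex matches the
# whole path (file-context patterns are anchored at both ends), else "no-rule".
match_type() {
    while read -r mt_type mt_pattern; do
        if printf '%s\n' "$1" | grep -Eqx -- "$mt_pattern"; then
            printf '%s\n' "$mt_type"
            return 0
        fi
    done <<EOF
$RULES
EOF
    printf 'no-rule\n'
}

# report: one line per sample path with the type the rules would assign.
report() {
    while read -r rp_path; do
        printf '%-52s %s\n' "$rp_path" "$(match_type "$rp_path")"
    done <<EOF
$SAMPLE_PATHS
EOF
}

# uncovered_count: number of sample paths that no quoted rule matches.
uncovered_count() { report | grep -c 'no-rule$'; }

report
```

On a live system, `matchpathcon PATH` prints the context the loaded policy assigns to a path, and `restorecon -nv PATH` shows what a relabel would change without applying it.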

Comment 4 Zdenek Pytela 2019-03-27 15:06:19 UTC
Created a PR, waiting for review:

https://github.com/fedora-selinux/selinux-policy/pull/253

Comment 5 Zdenek Pytela 2019-03-27 16:47:24 UTC
Another PR for a new interface:

https://github.com/fedora-selinux/selinux-policy-contrib/pull/97

Comment 6 Fedora Update System 2019-06-18 11:33:10 UTC
FEDORA-2019-096a80ef39 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 7 Fedora Update System 2019-06-19 04:13:59 UTC
selinux-policy-3.14.2-61.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-096a80ef39

Comment 8 Fedora Update System 2019-07-10 12:47:30 UTC
FEDORA-2019-2eec328cc1 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 9 Fedora Update System 2019-07-11 03:10:56 UTC
selinux-policy-3.14.2-62.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-2eec328cc1

Comment 10 Fedora Update System 2019-07-19 08:08:48 UTC
FEDORA-2019-8071724c9b has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 11 Fedora Update System 2019-07-20 03:41:53 UTC
selinux-policy-3.14.2-63.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-8071724c9b

Comment 12 Fedora Update System 2019-08-02 07:50:19 UTC
FEDORA-2019-b51794f502 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 13 Fedora Update System 2019-08-03 02:02:21 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b51794f502

Comment 14 Fedora Update System 2019-08-18 01:56:37 UTC
selinux-policy-3.14.2-64.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

