Bug 175995 - unlabeled_t object within unlabeled_t directory not accessible by restorecon.
Summary: unlabeled_t object within unlabeled_t directory not accessible by restorecon.
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: policy
Version: rawhide
Hardware: i386
OS: Linux
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-12-17 00:49 UTC by bkyoung
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-05 15:02:45 UTC
Type: ---
Embargoed:



Description bkyoung 2005-12-17 00:49:40 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051202 Fedora/1.5-1 Firefox/1.5

Description of problem:
unlabeled_t object within unlabeled_t directory not accessible by restorecon.



Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.1.6-3

How reproducible:
Always

Steps to Reproduce:
[root@flood serefpolicy-2.1.6]# semodule --list
swish	2.4.2
[root@flood serefpolicy-2.1.6]# semodule -i ./bnetd.pp -s targeted
[root@flood serefpolicy-2.1.6]# echo $?
0
[root@flood serefpolicy-2.1.6]# restorecon -R /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# ls -aldZ /var/lib/pvpgn
drwxr-xr-x  pvpgn    pvpgn    system_u:object_r:bnetd_var_lib_t /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# semodule -r bnetd
libsepol.sepol_genbools_array: boolean bnetd_disable_trans no longer in policy
[root@flood serefpolicy-2.1.6]# ls -aldZ /var/lib/pvpgn
drwxr-xr-x  pvpgn    pvpgn    system_u:object_r:unlabeled_t    /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# restorecon -R /var/lib/pvpgn
restorecon:  unable to read directory /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# restorecon /var/lib/pvpgn
[root@flood serefpolicy-2.1.6]# exit



Actual Results:  restorecon failed.

Expected Results:  restorecon should have succeeded.

Additional info:

BEGIN audit.log
type=AVC msg=audit(1134778414.325:351): avc:  granted  { load_policy } for  pid=8282 comm="load_policy" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1134778414.325:351): arch=40000003 syscall=4 success=yes exit=659839 a0=6 a1=b7f28000 a2=a117f a3=bfde1488 items=0 pid=8282 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1134778456.680:352): avc:  granted  { load_policy } for  pid=8315 comm="load_policy" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1134778456.680:352): arch=40000003 syscall=4 success=yes exit=654842 a0=6 a1=b7e72000 a2=9fdfa a3=bfc28f88 items=0 pid=8315 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1134778481.705:353): avc:  denied  { read } for  pid=8346 comm="restorecon" name="pvpgn" dev=dm-0 ino=1042470 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1134778481.705:353): arch=40000003 syscall=5 success=no exit=-13 a0=82dd9e8 a1=18800 a2=0 a3=82dd9e8 items=1 pid=8346 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="restorecon" exe="/sbin/restorecon"
type=CWD msg=audit(1134778481.705:353):  cwd="/home/bkyoung/proj/policy/BUILD/serefpolicy-2.1.6"
type=PATH msg=audit(1134778481.705:353): item=0 name="/var/lib/pvpgn" flags=103  inode=1042470 dev=fd:00 mode=040755 ouid=502 ogid=502 rdev=00:00
END audit.log
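Added example, not part of the report above: a small parser over constructed audit records written in the same format as the audit.log excerpt. It picks out AVC denials whose target object carries the unlabeled_t type and joins each one to the PATH record sharing the same event serial, which is how an administrator reviewing audit.log can spot exactly this failure mode (objects left unlabeled after a policy module is removed, which restorecon_t is then not allowed to read). The sample records, SAMPLE_AUDIT_LOG, and the function names are assumptions made for this example.

```python
import re

# Constructed sample records in the format of the report's audit.log; the values
# are made up for this example and the middle event is the denial described above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1134778414.325:351): avc:  granted  { load_policy } for  pid=8282 comm="load_policy" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1134778481.705:353): avc:  denied  { read } for  pid=8346 comm="restorecon" name="pvpgn" dev=dm-0 ino=1042470 scontext=root:system_r:restorecon_t:s0-s0:c0.c255 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1134778481.705:353): arch=40000003 syscall=5 success=no exit=-13 pid=8346 comm="restorecon" exe="/sbin/restorecon"
type=PATH msg=audit(1134778481.705:353): item=0 name="/var/lib/pvpgn" flags=103  inode=1042470 dev=fd:00 mode=040755
"""

# AVC record: decision, requested permissions, subject/target contexts, object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<decision>granted|denied)'
    r'\s+\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
# PATH record: the object's path, keyed by the event serial shared with the AVC record.
PATH_RE = re.compile(r'type=PATH msg=audit\([\d.]+:(?P<serial>\d+)\): .*?name="(?P<name>[^"]*)"')


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def find_unlabeled_denials(log_text):
    """Return (subject_type, perms, tclass, path) for every AVC denial whose target
    is unlabeled_t; path comes from the PATH record with the same serial, else None."""
    paths = {}
    for line in log_text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths.setdefault(m["serial"], m["name"])  # item=0 is the first path seen
    findings = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m["decision"] != "denied":
            continue
        if selinux_type(m["tcontext"]) != "unlabeled_t":
            continue
        findings.append((selinux_type(m["scontext"]), m["perms"].split(),
                         m["tclass"], paths.get(m["serial"])))
    return findings


if __name__ == "__main__":
    for subj, perms, tclass, path in find_unlabeled_denials(SAMPLE_AUDIT_LOG):
        print(f"{subj} denied {' '.join(perms)} on unlabeled_t {tclass} {path}")
```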

Comment 1 Daniel Walsh 2006-01-02 17:24:00 UTC
Fixed in selinux-policy-2.1.6-21


Comment 3 Daniel Walsh 2006-05-05 15:02:45 UTC
Closing as these have been marked as modified for a while. Feel free to reopen
if not fixed.

