Bug 176340 - restorecon reporting but not actually changing file contexts
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: policycoreutils
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2005-12-21 10:57 EST by Justin Filoseta
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2006-01-02 14:05:33 EST

Attachments
example restorecon problem (1.63 KB, text/plain)
2005-12-21 10:58 EST, Justin Filoseta
Description Justin Filoseta 2005-12-21 10:57:00 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050324 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
The newer version of restorecon in policycoreutils-1.18.1-4.7.i386 appears to do everything correctly except actually change the attribute, as if the '-n' option was permanently on.

Attached is an example run of restorecon from 1.18.1-4.7.i386 and then from 1.18.1-4.i386. In the latter, file contexts are changed via lsetxattr that appears to be missing from the newer version.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. find a file that is incorrectly labeled
2. run restorecon on the file

Actual Results:  restorecon reports a label change but does not actually change its context as reported

Expected Results:  restorecon should report a label change and actually change its context as reported

Additional info:

This has reliably happened when policycoreutils has been updated on all test RHEL4 boxes (3). Although they are roughly the same hardware (dual opterons) kickstarted off of the same tree, so it is not a very diverse test.
Comment 1 Justin Filoseta 2005-12-21 10:58:51 EST
Created attachment 122492
example restorecon problem
Comment 2 Daniel Walsh 2005-12-21 12:48:51 EST
restorecon by default will not change the user section of the file's context.
You can do a restorecon -F to force this.

The only bug here is the --vv is showing something that is not really happening.

Comment 3 Justin Filoseta 2005-12-21 14:03:22 EST
That works, although it means the default operation of a command changed between
minor versions.

1.18.1-4.i386:   'restorecon /etc/file'
  changes the context of /etc/file
1.18.1-4.7.i386: 'restorecon /etc/file'
  does nothing
    ('restorecon -F /etc/file' required)
The man page does not list '-F' as an option, or mention that '-n' is now
default operation.

Thanks, that solves my problem. However the manpage, RedHat docs, and
'restorecon --help' should probably be updated.
Comment 4 Daniel Walsh 2006-01-02 14:05:33 EST
-n is not the default operation.  restorecon will not change SELinux User unless
a force is required.  The user section of the selinux context is not really used
in targeted policy.  This has been the default policy for a long while.  I will
fix the -vv in the upstream and the man page is fixed in rawhide.  If we release
another version of policycoreutils in an update release I will put these changes in.
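
The behaviour described in comments 2 and 4, as an added example that is not part of the bug thread or of policycoreutils: a small Python model that compares a file's current context with the expected one and reports whether a default restorecon run would relabel it or leave it alone because only the SELinux user differs. The function names, verdict strings and sample contexts are constructed for illustration.

```python
from typing import NamedTuple


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str  # empty when the policy has no MLS/MCS field


def parse_context(raw: str) -> Context:
    """Split user:role:type[:level]; the level may itself contain colons."""
    parts = raw.strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {raw!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


def plan_relabel(current: str, expected: str, force: bool = False) -> str:
    """Model of the thread's rule: a user-only difference needs -F."""
    cur, exp = parse_context(current), parse_context(expected)
    if cur == exp:
        return "ok"
    user_only = cur[1:] == exp[1:]  # role, type and level all match
    if user_only and not force:
        return "skipped-user-only"  # verbose output may still show a change
    return "relabel"


# Constructed sample data: (path, current context, expected context)
SAMPLES = [
    ("/etc/file", "user_u:object_r:etc_t", "system_u:object_r:etc_t"),
    ("/etc/other", "system_u:object_r:tmp_t", "system_u:object_r:etc_t"),
    ("/etc/good", "system_u:object_r:etc_t", "system_u:object_r:etc_t"),
]


def audit(samples, force: bool = False) -> dict:
    """Return {path: verdict} for each sample row."""
    return {path: plan_relabel(cur, exp, force) for path, cur, exp in samples}


if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{path}: {verdict}")
```
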
