Red Hat Bugzilla – Bug 176340
restorecon reporting but not actually changing file contexts
Last modified: 2007-11-30 17:07:22 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050324 Firefox/1.0.2 Fedora/1.0.2-1.3.1
Description of problem:
The newer version of restorecon in policycoreutils-1.18.1-4.7.i386 appears to do everything correctly except actually change the attribute, as if the '-n' option was permanently on.
Attached is an example run of restorecon from 1.18.1-4.7.i386 and then from 1.18.1-4.i386. In the latter, file contexts are changed via lsetxattr that appears to be missing from the newer version.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. find a file that is incorrectly labeled
2. run restorecon on the file
Actual Results: restorecon reports a label change but does not actually change its context as reported
Expected Results: restorecon should report a label change and actually change its context as reported
This has reliably happened when policycoreutils has been updated on all test RHEL4 boxes (3), although they are roughly the same hardware (dual opterons) kickstarted off of the same tree, so it is not a very diverse test.
Created attachment 122492: example restorecon problem
restorecon by default will not change the user section of the file's context.
You can do a restorecon -F to force this.
The only bug here is the --vv is showing something that is not really happening.
That works, although it means the default operation of a command changed between
1.18.1-4.i386: 'restorecon /etc/file'
changes the context of /etc/file
1.18.1-4.7.i386: 'restorecon /etc/file'
('restorecon -F /etc/file' required)
The man page does not list '-F' as an option, or mention that '-n' is now
Thanks, that solves my problem. However the manpage, Red Hat docs, and
'restorecon --help' should probably be updated.
-n is not the default operation. restorecon will not change SELinux User unless
a force is required. The user section of the selinux context is not really used
in targeted policy. This has been the default policy for a long while. I will
fix the -vv in the upstream and the man page is fixed in rawhide. If we release
another version of policycoreutils in an update release I will put these changes in.
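The behaviour described in this thread, as an added example that is not part of the original report and is not restorecon's own code: a small model of which label ends up on disk with and without `-F`, and when verbose output that names the full expected context would disagree with it. It assumes the non-forced run keeps the file's current user field and takes the remaining fields from policy; the function names and the sample contexts are constructed for illustration.

```python
from typing import NamedTuple, Optional


class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: Optional[str]  # absent on policies without MLS/MCS


def parse_context(raw: str) -> Context:
    # The level field may itself contain ':' (e.g. s0:c0.c1023),
    # so split at most three times.
    parts = raw.strip().split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"not an SELinux context: {raw!r}")
    return Context(parts[0], parts[1], parts[2],
                   parts[3] if len(parts) == 4 else None)


def format_context(ctx: Context) -> str:
    return ":".join(field for field in ctx if field is not None)


def label_to_apply(current: str, expected: str, force: bool = False) -> str:
    """Label that lands on the file under the assumed model."""
    cur, exp = parse_context(current), parse_context(expected)
    if not force:
        # Assumption from the thread: the user field is left alone unless -F.
        exp = exp._replace(user=cur.user)
    return format_context(exp)


def would_change(current: str, expected: str, force: bool = False) -> bool:
    return label_to_apply(current, expected, force) != current


def report_is_misleading(current: str, expected: str, force: bool = False) -> bool:
    """True when output naming `expected` would not match the on-disk label."""
    return label_to_apply(current, expected, force) != expected


if __name__ == "__main__":
    # Constructed sample contexts (current label, label expected by policy).
    samples = [
        ("user_u:object_r:etc_t", "system_u:object_r:etc_t"),
        ("user_u:object_r:tmp_t", "system_u:object_r:etc_t"),
        ("user_u:object_r:tmp_t:s0:c1", "system_u:object_r:etc_t:s0"),
    ]
    for cur, exp in samples:
        for force in (False, True):
            print(f"{cur} -> {label_to_apply(cur, exp, force)} (force={force}, "
                  f"misleading={report_is_misleading(cur, exp, force)})")
```

When auditing labels, compare the context actually stored on the file against policy after the run rather than relying on the verbose output.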