Bug 1792349 - Incorrect SELinux label of fontconfig cache directory
Summary: Incorrect SELinux label of fontconfig cache directory
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-01-17 14:39 UTC by Maciek Borzecki
Modified: 2020-01-17 15:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-17 15:20:59 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Maciek Borzecki 2020-01-17 14:39:01 UTC
This bug was initially created as a copy of Bug #1659905

I am copying this bug because: 

The problem applies to RHEL7 proper too. (Did not check RHEL8 though)

Description of problem:

The /usr/lib/fontconfig/cache directly is labeled as lib_t, but should be labeled as fonts_cache_t, same as /var/cache/fontconfig.

[rhel@rhel ~]$ ls -laZ /usr/lib/fontconfig/cache/
drwxr-xr-x. root root system_u:object_r:lib_t:s0       .
drwxr-xr-x. root root system_u:object_r:lib_t:s0       ..
-rw-r--r--. root root unconfined_u:object_r:lib_t:s0   776e7a64-712f-4148-9c8b-2448af60fcac-le64.cache-7
-rw-r--r--. root root unconfined_u:object_r:lib_t:s0   CACHEDIR.TAG
-rw-r--r--. root root unconfined_u:object_r:lib_t:s0   eccd1891-6f9d-473b-accc-f0d46cf01f0d-le64.cache-7

[rhel@rhel ~]$ sudo semanage fcontext --list |grep /fontconfig
/var/cache/fontconfig(/.*)?                        all files          system_u:object_r:fonts_cache_t:s0 

Either a missing piece of the core policy or /usr/lib/fontconfig/cache ought to be created with proper labeling.

Version-Release number of selected component (if applicable):

fontconfig-2.13.0-4.3.el7.x86_64
selinux-policy-3.13.1-252.el7_7.6.noarch
selinux-policy-targeted-3.13.1-252.el7_7.6.noarch

How reproducible:
always

Comment 2 Lukas Vrabec 2020-01-17 15:20:59 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Red Hat Enterprise Linux 7 is in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.


Note You need to log in before you can comment on or make changes to this bug.