Problem here is that nsswitch.conf has the wrong context?  Any idea how this
happened.  This file should have a context of etc_t?  Do you know of any
application that updates this file? 

restorecon /etc/nsswitch.conf should fix it.

It's managed by cfengine, which gets run by rc.local during the first boot of a
machine and copies it over from the server.  Hmm, I imagine cfegine is a
nightmare as far as selinux is concerned.  Would the ideal thing be for cfengine
to run restorecon (or the equivalent) on every file it updates?  Or should
contexts be preserved some other way?

Yes it should call restorecon, or better yet have restorcon built in.  As in
reality the files should get created with the correct context.

CFEngine needs to be made SELinux aware.

Daniel: cfengine is not part of Fedora Core, it is in extras.

Created attachment 147352 [details]
Patch to call restorecon after editing files

Here's a dumb patch to call restorecon on modified files, but there are
probably various other places in need of selinux-love. Seems to work for me,
but take care...

Hi Panu, thanks for the patch.

I'm going to work on linking cfengine against libselinux and calling the selinux
functions directly.

Created attachment 150363 [details]
selinux support for file copies and editfiles

I've created a patch to add selinux support to cfengine.  So far, it only
supports regular file copies and editfiles.  If the destination file exists,
its context will be used for the newly copied/edited file.  If the destination
file does not exist, the default context for the destination directory will be
used.

I've created an SRPM and some testing rpms for FC6 and EL4, they can be found
here: http://www.sheltren.com/cfengine/

I'd appreciate any testing or changes/additions.  If you patch the source
manually (patch is made against 2.1.22), you'll need to run autoconf/automake
and then use the '--enable-selinux' configure flag.  If you use the RPMs, this
will be done for you.

This has also been added to SVN upstream, but I thought I might get some
interested parties here to test it out.

Thanks, Dan Walsh, for your guidance with the libselinux functions.

Created attachment 152279 [details]
patch to configure.ac

I've been running 2.1.22-2 locally here on FC5 and FC6 without much issue. 
Haven't really dug into how accurate it is setting contexts though.  I do need
the attached patch to compile on current rawhide though.  Submitted upstream as
well.

Apparently this is in upstream svn already too.

Great, I would like to get this in as soon as we can.

Great, thanks for testing it out.  I'll add the autoconf patch, the SELinux
patch, and the "fedora release" patch (in #235922) and roll out a package for
rawhide soon.

Just built this for rawhide, also includes the autoconf patch, and patch to
detect latest fedora/redhat releases.

Here's a case the doesn't work:

editfiles:
   #Use hostname as dhcp client id
   { /etc/dhclient.conf
      AutoCreate
      # Try to get their assigned IP
      AppendIfNoSuchLine "send dhcp-client-identifier \"$(host)\";"
      # Let people use short names
      AppendIfNoSuchLine "append domain-name \" cora.nwra.com\";"
      # Try to always have a working name server
      AppendIfNoSuchLine "append domain-name-servers 65.125.157.180;"
   }

If /etc/dhclient.conf doesn't exist, it gets created with the wrong label:

[root@cynosure ppkeys]# rm /etc/dhclient.conf
rm: remove regular file `/etc/dhclient.conf'? y
[root@cynosure ppkeys]# cfagent -q
[root@cynosure ppkeys]# restorecon -r -v /etc
restorecon reset /etc/dhclient.conf context
user_u:object_r:etc_t:s0->system_u:object_r:dhcp_etc_t:s0

Hi Orion, thanks for catching that.  Yep, it looks like my patch is assuming
that the file exists for edits (copies should work fine for new files).

I'll work on the editfiles patch and rebuild.

You need the matchpathcon, setfscreatecon pair to do this.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've updated the patch so it should work with edits on non-existant files.
I don't have a box handy for testing at the moment, but I've built some
packages using the updated patch.  The (FC6 + SRPM) packages and patch
can be found here: http://www.sheltren.com/cfengine/ 

8e41d86945b260dffac29b6d1dce4d45f6e4024d  cfengine-2.1.22-4.fc6.i386.rpm
da8a5f968d3dec1c3da3292942991f44e34d3891  cfengine-2.1.22-4.fc6.src.rpm
7a35bde042b9d1e08466e44bceb3af6c5c574a7f  cfengine-2.1.22-4.fc6.x86_64.rpm

Orion, if you could give the updated RPM a try and let me know if it works
for you I'd appreciate it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFGMAtDKe7MLJjUbNMRAgCGAJ9VvFy+p4/3u3JxMjPEFC2Sabgh/ACfdE+l
mgVsPE9GRy3IcEu/qa4rfvM=
=Ykdo
-----END PGP SIGNATURE-----

(In reply to comment #17)
> Orion, if you could give the updated RPM a try and let me know if it works
> for you I'd appreciate it.

Does not appear to work.

root@orizaba etc]# restorecon -v dhclient.conf
restorecon reset /etc/dhclient.conf context
root:object_r:etc_t:s0->system_u:object_r:dhcp_etc_t:s0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Orion, thanks for trying it out.  I've been traveling and
am finally able to access a machine to test on...

I've added a new patch which should fix the problem you were
having when using AutoCreate for editfiles.

You can find the patch and an updated SRPM here:
http://www.sheltren.com/cfengine/

6d1f5dea285c18441aa49231a9dfe012ef438661  cfengine-2.1.22-4.fc6.src.rpm

That worked for me, but let me know if you have any problems with it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)

iD8DBQFGQQaBKe7MLJjUbNMRAiyEAKCV64UB7dKUzn0guOJKEosqny2IIwCgx5qG
BYN06rlYnoqfKDzH620GnFg=
=ZlCG
-----END PGP SIGNATURE-----

This version works for me.

I've built some packages of 2.2.0 which include the latest selinux patch.  I
plan to push these to FC6 & 7 once the freeze is over for F7.  In the meantime,
people can grab the 2.2.0 packages for FC6 (and el4/el5) from here if they are
interested:
http://www.sheltren.com/cfengine/testing/