Bug 1885772 - /var/log/anaconda/hawkey.log created as rpm_log_t
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: Unspecified
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: 8.0
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1870493
Reported: 2020-10-06 21:11 UTC by Jan Stodola
Modified: 2022-01-25 20:15 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-25 19:24:43 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+



Description Jan Stodola 2020-10-06 21:11:07 UTC
Description of problem:
/var/log/anaconda/hawkey.log is created as rpm_log_t - and restorecon wants to relabel it:


# rm /var/log/anaconda/hawkey.log
rm: remove regular empty file '/var/log/anaconda/hawkey.log'? y
# matchpathcon /var/log/anaconda/hawkey.log
/var/log/anaconda/hawkey.log    system_u:object_r:var_log_t:s0
# touch /var/log/anaconda/hawkey.log
# ls -lZ /var/log/anaconda/hawkey.log
-rw-r--r--. 1 root root unconfined_u:object_r:rpm_log_t:s0 0 Oct  6 16:55 /var/log/anaconda/hawkey.log
# restorecon -nv /var/log/anaconda/hawkey.log
Would relabel /var/log/anaconda/hawkey.log from unconfined_u:object_r:rpm_log_t:s0 to unconfined_u:object_r:var_log_t:s0
# semanage fcontext -l | grep rpm_log_t
/var/log/hawkey.*                                  regular file       system_u:object_r:rpm_log_t:s0 
/var/log/up2date.*                                 regular file       system_u:object_r:rpm_log_t:s0 
/var/log/yum\.log.*                                regular file       system_u:object_r:rpm_log_t:s0 
#

Version-Release number of selected component (if applicable):
RHEL-8.3
selinux-policy-3.14.3-54.el8

How reproducible:
Always

Steps to Reproduce:
1. see above

Actual results:
# ls -lZ /var/log/anaconda/hawkey.log
-rw-r--r--. 1 root root unconfined_u:object_r:rpm_log_t:s0 0 Oct  6 16:55 /var/log/anaconda/hawkey.log

Expected results:
# ls -lZ /var/log/anaconda/hawkey.log
-rw-r--r--. 1 root root unconfined_u:object_r:var_log_t:s0 0 Oct  6 16:55 /var/log/anaconda/hawkey.log
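
Added example, not part of the original report: file-context specs are matched as anchored regular expressions over the whole path, which is why matchpathcon answers var_log_t for /var/log/anaconda/hawkey.log even though a /var/log/hawkey.* rule exists. The sketch replays that lookup over the three rules quoted above; the /var/log(/.*)? fallback rule and the "longest literal prefix wins" ordering are assumptions that simplify what libselinux does.

```python
import re

# The three rpm_log_t specs are copied from the `semanage fcontext -l` output
# in the report. The /var/log(/.*)? spec is an ASSUMPTION added so the lookup
# has a fallback; it is not shown on the page.
FCONTEXT_RULES = [
    (r"/var/log(/.*)?", "var_log_t"),        # assumed fallback rule
    (r"/var/log/hawkey.*", "rpm_log_t"),
    (r"/var/log/up2date.*", "rpm_log_t"),
    (r"/var/log/yum\.log.*", "rpm_log_t"),
]

def literal_prefix_len(spec):
    """Length of the spec up to its first regex metacharacter."""
    m = re.search(r"[.^$?*+|\[\](){}\\]", spec)
    return m.start() if m else len(spec)

def expected_type(path, rules=FCONTEXT_RULES):
    """Type of the most specific spec that matches the WHOLE path.

    Specificity here is the longest literal prefix, a simplification of
    the real libselinux ordering (assumption of this example).
    """
    best = None
    for spec, setype in rules:
        if re.fullmatch(spec, path):          # anchored: ^spec$
            score = literal_prefix_len(spec)
            if best is None or score > best[0]:
                best = (score, setype)
    return best[1] if best else None

def audit(observed):
    """Map each mislabeled path to (observed type, expected type)."""
    report = {}
    for path, actual in observed.items():
        wanted = expected_type(path)
        if wanted != actual:
            report[path] = (actual, wanted)
    return report

# First entry mirrors the `ls -lZ` result in the report; the second is constructed.
OBSERVED = {
    "/var/log/anaconda/hawkey.log": "rpm_log_t",
    "/var/log/hawkey.log": "rpm_log_t",
}

if __name__ == "__main__":
    for path, (actual, wanted) in audit(OBSERVED).items():
        print(f"Would relabel {path} from {actual} to {wanted}")
```
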

Comment 4 Zdenek Pytela 2022-01-19 20:09:33 UTC
Jan,

I can see the labels correctly on all my VMs with the current RHEL release; can you confirm the issue is gone now?

Comment 5 Jan Stodola 2022-01-20 17:36:00 UTC
I can still reproduce the problem on the latest RHEL-8.6 compose:

[root@localhost ~]# rpm -q selinux-policy
selinux-policy-3.14.3-86.el8.noarch
[root@localhost ~]# rm /var/log/anaconda/hawkey.log
rm: remove regular empty file '/var/log/anaconda/hawkey.log'? y
[root@localhost ~]# touch /var/log/anaconda/hawkey.log
[root@localhost ~]# restorecon -nv /var/log/anaconda/hawkey.log
Would relabel /var/log/anaconda/hawkey.log from unconfined_u:object_r:rpm_log_t:s0 to unconfined_u:object_r:var_log_t:s0
[root@localhost ~]#

The file is correctly labeled after the installation, because anaconda relabels /var/log/anaconda/ at the end of the installation - see bug 1870493.

Comment 6 Zdenek Pytela 2022-01-25 16:23:50 UTC
(In reply to Jan Stodola from comment #5)
> I can still reproduce the problem on the latest RHEL-8.6 compose:
> 
> [root@localhost ~]# rpm -q selinux-policy
> selinux-policy-3.14.3-86.el8.noarch
> [root@localhost ~]# rm /var/log/anaconda/hawkey.log
> rm: remove regular empty file '/var/log/anaconda/hawkey.log'? y
> [root@localhost ~]# touch /var/log/anaconda/hawkey.log
> [root@localhost ~]# restorecon -nv /var/log/anaconda/hawkey.log
> Would relabel /var/log/anaconda/hawkey.log from
> unconfined_u:object_r:rpm_log_t:s0 to unconfined_u:object_r:var_log_t:s0
> [root@localhost ~]#
> 
> The file is correctly labeled after the installation, because anaconda
> relabels /var/log/anaconda/ at the end of the installation - see bug 1870493.

SELinux cannot take into account all possible scenarios. I don't think removing a packaged file is a valid scenario as it can be either relabeled using restorecon or restored using rpm/dnf reinstall.

Do you happen to have any other use case where this file gets a type different from the default one in the file context database?

Comment 7 Jan Stodola 2022-01-25 17:23:20 UTC
No, I do not have any other use case.

As mentioned in comment 5, anaconda "fixed" this problem for freshly installed systems by running restorecon at the end of the installation.
It's up to you to decide what to do with this bug; it is not a real problem for us any more.

Comment 8 Zdenek Pytela 2022-01-25 19:24:43 UTC
Thank you for the confirmation. Closing this bz then, but feel free to reopen it or create a new one in case of an outstanding issue.

