Description of problem:

Version-Release number of selected component (if applicable):
glibc-2.32.9000-1.fc34.x86_64
glibc-common-2.32.9000-1.fc34.x86_64
glibc-devel-2.32.9000-1.fc34.x86_64
glibc-headers-x86-2.32.9000-1.fc34.noarch
glibc-langpack-en-2.32.9000-1.fc34.x86_64
libselinux-3.1-2.fc33.x86_64
libselinux-utils-3.1-2.fc33.x86_64
policycoreutils-3.1-4.fc33.x86_64
policycoreutils-python-utils-3.1-4.fc33.noarch

How reproducible:
* always

Steps to Reproduce:
0. get a Fedora rawhide machine
# mkdir pokus
# restorecon -D -rv pokus
# getfattr -m . -d pokus
security.sehash=0s+c0tpxQQaL0sCLwC+kcdtjrH1Ew=
security.selinux="unconfined_u:object_r:admin_home_t:s0"
# restorecon_xattr -d -v pokus
specfiles SHA1 digest: ece3c6946c9fe7c940d4d3699787b6573eb942f1
calculated using the following specfile(s):
/etc/selinux/targeted/contexts/files/file_contexts.subs_dist
/etc/selinux/targeted/contexts/files/file_contexts.subs
/etc/selinux/targeted/contexts/files/file_contexts.bin
/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin
/etc/selinux/targeted/contexts/files/file_contexts.local
Segmentation fault (core dumped)
#

Actual results:
[ 8772.694730] restorecon_xatt[7029]: segfault at 0 ip 00007f99e0772de4 sp 00007ffc579ae568 error 4 in libc-2.32.9000.so[7f99e063a000+14f000]
[ 8772.694749] Code: 48 8d 74 16 f8 c5 fa 7e 0f c5 fa 7e 16 c5 e9 74 d1 c5 f9 d7 c2 2d ff ff 00 00 0f 85 06 ff ff ff c3 0f 1f 44 00 00 c5 fa 6f 16 <c5> e9 74 17 c5 f9 d7 c2 2d ff ff 00 00 0f 85 e9 fe ff ff 48 8d 7c

Expected results:
* no segfaults
The same issue is reproducible on Fedora 32 and Fedora 33 too.
systemd-coredump[2525]: Process 2523 (restorecon_xatt) of user 0 dumped core.

Stack trace of thread 2523:
#0  0x00007fd627a05da4 __memcmp_avx2_movbe (libc.so.6 + 0x15eda4)
#1  0x00007fd627a8e937 add_xattr_entry (libselinux.so.1 + 0x1b937)
#2  0x00007fd627a8fedc selinux_restorecon_xattr (libselinux.so.1 + 0x1cedc)
#3  0x000055d700d5d455 main (restorecon_xattr + 0x1455)
#4  0x00007fd6278cf1a2 __libc_start_main (libc.so.6 + 0x281a2)
#5  0x000055d700d5d8fe _start (restorecon_xattr + 0x18fe)

^^^ seen in systemd journal
The same issue is reproducible with fc34 packages:

# rpm -qa | grep -e libsepol -e libsemanage -e libselinux -e policycoreutils | sort
libselinux-3.1-6.fc34.x86_64
libselinux-utils-3.1-6.fc34.x86_64
libsemanage-3.1-6.fc34.x86_64
libsepol-3.1-5.fc34.x86_64
policycoreutils-3.1-8.fc34.x86_64
policycoreutils-python-utils-3.1-8.fc34.noarch
python3-libselinux-3.1-6.fc34.x86_64
python3-libsemanage-3.1-6.fc34.x86_64
python3-policycoreutils-3.1-8.fc34.noarch
#

This issue causes 5 segfaults during the run of the following automated TC:
* /CoreOS/policycoreutils/Sanity/restorecon_xattr
It doesn't Match and segfault on /tmp as "RAMFS and TMPFS filesystems do not support the security.sehash extended attribute and are automatically excluded from searches.", see restorecon_xattr(8).

The problem seems to be in the fact that it doesn't translate the path to realpath. It works when an absolute filename is used:

[root@localhost ~]# mkdir -p /root/tmp
[root@localhost ~]# restorecon -D -v -r /root/tmp
[root@localhost ~]# getfattr -e hex -n security.sehash /root/tmp
getfattr: Removing leading '/' from absolute path names
# file: root/tmp
security.sehash=0xf9cd2da7141068bd2c08bc02fa471db63ac7d44c

[root@localhost ~]# restorecon_xattr -D -v /root/tmp
specfiles SHA1 digest: f4d64c73dea2b5146112467ef4523f726695ca7b
calculated using the following specfile(s):
/etc/selinux/targeted/contexts/files/file_contexts.subs_dist
/etc/selinux/targeted/contexts/files/file_contexts.subs
/etc/selinux/targeted/contexts/files/file_contexts.bin
/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin
/etc/selinux/targeted/contexts/files/file_contexts.local
/root/tmp Deleted Digest: f9cd2da7141068bd2c08bc02fa471db63ac7d44c Match

[root@localhost ~]# getfattr -e hex -n security.sehash /root/tmp
/root/tmp: security.sehash: No such attribute

So it works for "-D delete all security.sehash directory digest entries".

For "-d delete all non-matching security.sehash directory digest entries" you need to change the directory digest first:

[root@localhost ~]# restorecon -D -v -r /root/tmp
[root@localhost ~]# restorecon_xattr -d -v /root/tmp
specfiles SHA1 digest: f4d64c73dea2b5146112467ef4523f726695ca7b
calculated using the following specfile(s):
/etc/selinux/targeted/contexts/files/file_contexts.subs_dist
/etc/selinux/targeted/contexts/files/file_contexts.subs
/etc/selinux/targeted/contexts/files/file_contexts.bin
/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin
/etc/selinux/targeted/contexts/files/file_contexts.local
/root/tmp Digest: f9cd2da7141068bd2c08bc02fa471db63ac7d44c Match
[root@localhost ~]# getfattr -e hex -n security.sehash /root/tmp
getfattr: Removing leading '/' from absolute path names
# file: root/tmp
security.sehash=0xf9cd2da7141068bd2c08bc02fa471db63ac7d44c

Digest matched and was not removed.

[root@localhost ~]# semanage fcontext -a -t tmp_t /root/tmp
[root@localhost ~]# restorecon_xattr -d -v /root/tmp
specfiles SHA1 digest: 1aca8d310fe09a0ef05c6faae492f37471b9828e
calculated using the following specfile(s):
/etc/selinux/targeted/contexts/files/file_contexts.subs_dist
/etc/selinux/targeted/contexts/files/file_contexts.subs
/etc/selinux/targeted/contexts/files/file_contexts.bin
/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin
/etc/selinux/targeted/contexts/files/file_contexts.local.bin
/root/tmp Deleted Digest: f9cd2da7141068bd2c08bc02fa471db63ac7d44c No Match

[root@localhost ~]# getfattr -e hex -n security.sehash /root/tmp
/root/tmp: security.sehash: No such attribute

Digest didn't match and was removed.
This bug appears to have been reported against 'rawhide' during the Fedora 34 development cycle. Changing version to 34.
https://patchwork.kernel.org/project/selinux/patch/20210216141446.171306-1-plautrba@redhat.com/
https://patchwork.kernel.org/project/selinux/patch/20210216141446.171306-2-plautrba@redhat.com/
FEDORA-2021-68e2e3724f has been submitted as an update to Fedora 34.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-68e2e3724f
FEDORA-2021-68e2e3724f has been pushed to the Fedora 34 testing repository.

Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-68e2e3724f`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-68e2e3724f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-a03231a43e has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.
FEDORA-2021-68e2e3724f has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.