Bug 1919944
| Summary: | RFE: make fixfiles polyinstantiation aware | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | policycoreutils | Assignee: | Vit Mojzis <vmojzis> |
| Status: | CLOSED MIGRATED | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | medium | ||
| Version: | 8.3 | CC: | dwalsh, lvrabec, mjahoda, mmalik, plautrba, vmojzis, zpytela |
| Target Milestone: | rc | Keywords: | FutureFeature, MigratedToJIRA, Triaged |
| Target Release: | 8.0 | Flags: | pm-rhel:
mirror+
|
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-09-19 16:59:18 UTC | Type: | Story |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
(In reply to Renaud Métrich from comment #0) > Description of problem: > > fixfiles can do a number of operations, including deleting content in /tmp > and relabeling files in /var/tmp. > Unfortunately the tool is not polyinstantiation aware, which causes issues > when used in that content: > - /tmp-inst (or similar, as configured in /etc/security/namespace.conf) is > not cleaned up > > fullrelabel() { > echo "Cleaning out /tmp" > find /tmp/ -mindepth 1 -delete > restore Relabel > } > > > - /var/tmp/tmp-inst (or similar) is not relabeled properly > > find /var/tmp \( -context "*:${UNLABELED}*" -o -context > "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \; > There's an inconsistency between policy and default namespace.conf https://bugzilla.redhat.com/show_bug.cgi?id=1934444 For non-standard directories, I'd suggest to use equivalence to avoid unlabeled files: # semanage fcontext -a -e /var/tmp /var/tmp-inst > Please implement this functionality. Note that the target directories > (/tmp-inst and /var/tmp/tmp-inst) are to be read from > /etc/security/namespace.conf (and /etc/security/namespace.d/*) and not > hardcoded. > It would mean to implement parser of namespace.conf and also pam configuration parses to detect whether pam_namespace is in use. If it's possible please consider using tmpfiles.d - Configuration for creation, deletion and cleaning of volatile and temporary files, see 'man tmpfiles.d' for cleaning tmp directories. > Version-Release number of selected component (if applicable): > > policycoreutils-2.9-9.el8.x86_64 Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug. This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there. Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information. To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like: "Bugzilla Bug" = 1234567 In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information. The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days |
Description of problem: fixfiles can do a number of operations, including deleting content in /tmp and relabeling files in /var/tmp. Unfortunately the tool is not polyinstantiation aware, which causes issues when used in that context: - /tmp-inst (or similar, as configured in /etc/security/namespace.conf) is not cleaned up fullrelabel() { echo "Cleaning out /tmp" find /tmp/ -mindepth 1 -delete restore Relabel } - /var/tmp/tmp-inst (or similar) is not relabeled properly find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \; Please implement this functionality. Note that the target directories (/tmp-inst and /var/tmp/tmp-inst) are to be read from /etc/security/namespace.conf (and /etc/security/namespace.d/*) and not hardcoded. Version-Release number of selected component (if applicable): policycoreutils-2.9-9.el8.x86_64