Bug 193489 - SELinux context of /proc, /selinux, /sys is always incorrect
Summary: SELinux context of /proc, /selinux, /sys is always incorrect
Keywords:
Status: CLOSED DUPLICATE of bug 193488
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Paul Nasrat
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks: FC6Target
TreeView+ depends on / blocked
 
Reported: 2006-05-29 17:56 UTC by Robert Scheck
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-26 19:50:23 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
RPM Needs to ignore file/dir which matchpathcon returns ENOENT on verify (1.28 KB, text/x-patch)
2006-06-15 22:48 UTC, Daniel Walsh 		no flags Details
View All

Description Robert Scheck 2006-05-29 17:56:24 UTC 
Description of problem:
SELinux context of /proc, /selinux, /sys seems to be always incorrect when 
verifying using rpm:

# rpm -V filesystem
........C   /proc
........C   /selinux
........C   /sys
# 

Version-Release number of selected component (if applicable):
filesystem-2.3.7-1.2.1
selinux-policy-2.2.43-3

How reproducible:
Everytime, just do "rpm -qV filesystem"

Actual results:
Modified file context of /proc, /selinux, /sys...

Expected results:
Always correct file context for /proc, /selinux, /sys ;-)
Comment 1 Daniel Walsh 2006-05-30 12:48:16 UTC 
This is a  bug in libselinux, matchpatchon returns an error when it matches on
<<none>> which means the context could be anything.
Comment 2 Daniel Walsh 2006-06-15 22:48:10 UTC 
Created attachment 131010 [details]
RPM Needs to ignore file/dir which matchpathcon returns ENOENT on verify

Basically certain directories either do not support context or the kernel
creates them so their is no "correct" label for those directories.  In this
case matchpathcon returns ENOENT, and rpm -V should just say it is ok.

This patch attempts to do ignore errors in rpm.  Sadly it does not work, but it
will give you an idea.
Comment 3 R P Herrold 2006-06-16 13:44:47 UTC 
How about a less intrusive approach; a proper packaging %files stanza, which
does not include them, rather than blaming RPM _or_ SELinux; %pre and %post are
sufficiently powerfuil to solve the need for their presence, and to sign them
for seLinux as needed

-- RPM does not need to ignore packages it is not to able to check, the
underlying 'filesystem' packger needs to package to accomodate the changes which
seLinux brings - at least one of these directory paths (/proc) and I suspect the
others are not in scope to it any more 

The packager needs to not include them (now) improperly in light of the new
Context checking rules added for SELinux, which are now emitting errors when
SELinux is enabled
Comment 4 Robert Scheck 2006-06-23 13:13:15 UTC 
Very similar problem at:

$ rpm -qV selinux-policy-targeted
........C   /etc/selinux/targeted/modules/active
$

As far as I can see, the problem is related with bug #193488 and should be 
resolved, when SELinux functionality is removed from rpm -V. This is just 
another reason for updating to latest RPM 4.4.7 when available :)
Comment 5 Paul Nasrat 2006-06-26 19:49:09 UTC 
Proposed patch to remove verification as discussed has been presented for
upstream discussion.
Comment 6 Paul Nasrat 2006-06-26 19:50:23 UTC 

*** This bug has been marked as a duplicate of 193488 ***
Note You need to log in before you can comment on or make changes to this bug.