Red Hat Bugzilla – Bug 193489
SELinux context of /proc, /selinux, /sys is always incorrect
Last modified: 2007-11-30 17:11:34 EST
Description of problem:
SELinux context of /proc, /selinux, /sys seems to be always incorrect when
verifying using rpm:
# rpm -V filesystem
Version-Release number of selected component (if applicable):
Every time, just do "rpm -qV filesystem"
Modified file context of /proc, /selinux, /sys...
Always correct file context for /proc, /selinux, /sys ;-)
This is a bug in libselinux, matchpathcon returns an error when it matches on
<<none>> which means the context could be anything.
Created attachment 131010
RPM Needs to ignore file/dir which matchpathcon returns ENOENT on verify
Basically certain directories either do not support context or the kernel
creates them so there is no "correct" label for those directories. In this
case matchpathcon returns ENOENT, and rpm -V should just say it is ok.
This patch attempts to ignore errors in rpm. Sadly it does not work, but it
will give you an idea.
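The matchpathcon contract the two comments above describe, worked as an added example that is not code from this bug, from the attachment, or from RPM or libselinux: a small Python simulation of matchpathcon(3) over a constructed file_contexts excerpt, plus the verify rule the attached patch aims for (ENOENT from matchpathcon means there is no correct label, so report ok) beside the unpatched behaviour that yields the false "Modified file context". The file_contexts lines, the on-disk labels, and the function names are constructed for this example and are not taken from any real policy or system.

```python
import errno
import re
import stat
from typing import Dict, Optional, Tuple

# Constructed excerpt in file_contexts(5) syntax: regex, optional type flag, context.
# Sample data written for this example, not copied from the bug page or any policy.
FILE_CONTEXTS = """\
/.*                     system_u:object_r:default_t:s0
/proc                   -d  <<none>>
/proc/.*                    <<none>>
/selinux(/.*)?              <<none>>
/sys(/.*)?                  <<none>>
/etc(/.*)?              system_u:object_r:etc_t:s0
/etc/shadow             --  system_u:object_r:shadow_t:s0
"""

# file_contexts type flags and the st_mode file type each one restricts an entry to.
_TYPE_FLAGS = {
    "--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK, "-c": stat.S_IFCHR,
    "-b": stat.S_IFBLK, "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO,
}


def parse_file_contexts(text: str) -> list:
    """Parse file_contexts lines into (compiled regex, file type or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, context = fields
            ftype: Optional[int] = _TYPE_FLAGS[flag]
        elif len(fields) == 2:
            (regex, context), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        # The regex must match the whole path, as libselinux anchors it.
        specs.append((re.compile(f"^(?:{regex})$"), ftype, context))
    return specs


SPECS = parse_file_contexts(FILE_CONTEXTS)


def matchpathcon(path: str, mode: int) -> str:
    """Simulate matchpathcon(3): return the context the policy assigns to path.

    Raises OSError(ENOENT) when no entry matches or the matching entry is <<none>>,
    which is the case the bug describes for /proc, /selinux and /sys. A mode of 0
    means "unknown", so type-restricted entries are not filtered out.
    """
    for pattern, ftype, context in reversed(SPECS):  # last matching entry wins
        if mode and ftype is not None and stat.S_IFMT(mode) != ftype:
            continue
        if pattern.match(path):
            if context == "<<none>>":
                raise OSError(errno.ENOENT, "no context defined for path", path)
            return context
    raise OSError(errno.ENOENT, "no matching file_contexts entry", path)


def verify_file_context(path: str, mode: int, actual: Optional[str],
                        ignore_enoent: bool = True) -> Tuple[str, Optional[str]]:
    """The check rpm -V performs on a file's label, returning (status, expected).

    ignore_enoent=True is the behaviour the attached patch aims for: ENOENT means
    no correct label exists, so the file is reported ok. ignore_enoent=False is the
    unpatched behaviour, which turns every matchpathcon error into a spurious
    'Modified file context'.
    """
    try:
        expected = matchpathcon(path, mode)
    except OSError as e:
        if e.errno == errno.ENOENT and ignore_enoent:
            return ("ok", None)  # kernel-managed or unlabeled path: nothing to verify
        if e.errno == errno.ENOENT:
            return ("modified", None)  # the false positive this bug is about
        raise
    return ("ok" if actual == expected else "modified", expected)


# Constructed lgetfilecon(3) results for a handful of paths (sample data only).
ON_DISK = {
    "/proc": (stat.S_IFDIR, "system_u:object_r:proc_t:s0"),
    "/sys": (stat.S_IFDIR, "system_u:object_r:sysfs_t:s0"),
    "/selinux": (stat.S_IFDIR, "system_u:object_r:security_t:s0"),
    "/etc/shadow": (stat.S_IFREG, "system_u:object_r:shadow_t:s0"),
    "/etc/hosts": (stat.S_IFREG, "system_u:object_r:etc_t:s0"),
    "/etc/motd": (stat.S_IFREG, "system_u:object_r:default_t:s0"),  # mislabeled on purpose
}


def run_verify(entries: Dict[str, Tuple[int, str]] = ON_DISK,
               ignore_enoent: bool = True) -> Dict[str, Tuple[str, Optional[str]]]:
    """Verify every constructed entry the way 'rpm -V' would walk a package's file list."""
    return {p: verify_file_context(p, m, ctx, ignore_enoent) for p, (m, ctx) in entries.items()}


if __name__ == "__main__":
    for mode_name, flag in (("unpatched", False), ("patched", True)):
        print(f"--- {mode_name} rpm -V ---")
        for path, (status, expected) in run_verify(ignore_enoent=flag).items():
            note = f"policy: {expected}" if expected else "no policy context"
            print(f"{status:<9}{path:<14}({note})")
```

With ignore_enoent=False the three kernel-created directories come back "modified" although no policy context exists for them, which is the false positive the reporter sees; with ignore_enoent=True only /etc/motd, whose on-disk label really differs from the policy's etc_t, is flagged. A real implementation would call lgetfilecon(3) and matchpathcon(3) from libselinux instead of the constructed table and the simulation here.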
How about a less intrusive approach; a proper packaging %files stanza, which
does not include them, rather than blaming RPM _or_ SELinux; %pre and %post are
sufficiently powerful to solve the need for their presence, and to sign them
for SELinux as needed
-- RPM does not need to ignore packages it is not able to check, the
underlying 'filesystem' packager needs to package to accommodate the changes which
SELinux brings - at least one of these directory paths (/proc) and I suspect the
others are not in scope to it any more
The packager needs to not include them (now) improperly in light of the new
context checking rules added for SELinux, which are now emitting errors when
SELinux is enabled
Very similar problem at:
$ rpm -qV selinux-policy-targeted
As far as I can see, the problem is related to bug #193488 and should be
resolved when SELinux functionality is removed from rpm -V. This is just
another reason for updating to the latest RPM 4.4.7 when available :)
Proposed patch to remove verification as discussed has been presented for
*** This bug has been marked as a duplicate of 193488 ***