Bug 193489 - SELinux context of /proc, /selinux, /sys is always incorrect
Status: CLOSED DUPLICATE of bug 193488
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Paul Nasrat
Mike McLean
Blocks: FC6Target
Reported: 2006-05-29 13:56 EDT by Robert Scheck
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-06-26 15:50:23 EDT

Attachments:
RPM Needs to ignore file/dir which matchpathcon returns ENOENT on verify (1.28 KB, text/x-patch)
2006-06-15 18:48 EDT, Daniel Walsh
Description Robert Scheck 2006-05-29 13:56:24 EDT
Description of problem:
SELinux context of /proc, /selinux, /sys seems to be always incorrect when 
verifying using rpm:

# rpm -V filesystem
........C   /proc
........C   /selinux
........C   /sys
# 

Version-Release number of selected component (if applicable):
filesystem-2.3.7-1.2.1
selinux-policy-2.2.43-3

How reproducible:
Every time, just do "rpm -qV filesystem"

Actual results:
Modified file context of /proc, /selinux, /sys...

Expected results:
Always correct file context for /proc, /selinux, /sys ;-)
Comment 1 Daniel Walsh 2006-05-30 08:48:16 EDT
This is a bug in libselinux, matchpathcon returns an error when it matches on
<<none>>, which means the context could be anything.

Comment 2 Daniel Walsh 2006-06-15 18:48:10 EDT
Created attachment 131010
RPM Needs to ignore file/dir which matchpathcon returns ENOENT on verify

Basically certain directories either do not support context or the kernel
creates them, so there is no "correct" label for those directories.  In this
case matchpathcon returns ENOENT, and rpm -V should just say it is ok.

This patch attempts to ignore errors in rpm.  Sadly it does not work, but it
will give you an idea.
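
The verify decision described in Comment 2, as an added C example that is not the attached patch and not rpm's or libselinux's code. `lookup_context()` is a hypothetical stand-in for `matchpathcon()` so the block builds without libselinux; the spec table is constructed, and "last matching entry wins" is a simplification of the real lookup order.

```c
#include <errno.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of file_contexts-style entries (not a real policy). */
struct spec { const char *regex; const char *context; };
static const struct spec specs[] = {
    { "/etc(/.*)?",     "system_u:object_r:etc_t" },
    { "/proc(/.*)?",    "<<none>>" },
    { "/selinux(/.*)?", "<<none>>" },
    { "/sys(/.*)?",     "<<none>>" },
};

/* Hypothetical stand-in for matchpathcon(): a <<none>> match (or no match)
 * fails with errno == ENOENT, i.e. "no expected label exists". */
static int lookup_context(const char *path, const char **con)
{
    const char *hit = NULL;
    char anchored[256];
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        regex_t re;
        snprintf(anchored, sizeof anchored, "^%s$", specs[i].regex);
        if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) continue;
        if (regexec(&re, path, 0, NULL, 0) == 0)
            hit = specs[i].context;          /* last matching entry wins */
        regfree(&re);
    }
    if (hit == NULL || strcmp(hit, "<<none>>") == 0) { errno = ENOENT; return -1; }
    *con = hit;
    return 0;
}

/* 1: verify should print the 'C' flag; 0: path passes; -1: other lookup error
 * (cannot occur with this stand-in, which only ever fails with ENOENT). */
static int context_mismatch(const char *path, const char *actual)
{
    const char *expected;
    if (lookup_context(path, &expected) != 0)
        return errno == ENOENT ? 0 : -1;     /* no "correct" label: not a failure */
    return strcmp(expected, actual) != 0;
}

int main(void)
{
    const char *paths[] = { "/proc", "/selinux", "/sys", "/etc/passwd" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)  /* constructed on-disk label */
        if (context_mismatch(paths[i], "system_u:object_r:unlabeled_t") == 1)
            printf("........C   %s\n", paths[i]);
    return 0;
}
```

With the constructed on-disk label used in `main`, only `/etc/passwd` is flagged; the three `<<none>>` paths pass.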
Comment 3 R P Herrold 2006-06-16 09:44:47 EDT
How about a less intrusive approach; a proper packaging %files stanza, which
does not include them, rather than blaming RPM _or_ SELinux; %pre and %post are
sufficiently powerful to solve the need for their presence, and to sign them
for SELinux as needed

-- RPM does not need to ignore packages it is not able to check, the
underlying 'filesystem' packager needs to package to accommodate the changes which
SELinux brings - at least one of these directory paths (/proc) and I suspect the
others are not in scope to it any more

The packager needs to not include them (now) improperly in light of the new
Context checking rules added for SELinux, which are now emitting errors when
SELinux is enabled
Comment 4 Robert Scheck 2006-06-23 09:13:15 EDT
Very similar problem at:

$ rpm -qV selinux-policy-targeted
........C   /etc/selinux/targeted/modules/active
$

As far as I can see, the problem is related to bug #193488 and should be
resolved when SELinux functionality is removed from rpm -V. This is just
another reason for updating to the latest RPM 4.4.7 when available :)
Comment 5 Paul Nasrat 2006-06-26 15:49:09 EDT
Proposed patch to remove verification as discussed has been presented for
upstream discussion.
Comment 6 Paul Nasrat 2006-06-26 15:50:23 EDT

*** This bug has been marked as a duplicate of 193488 ***
