Bug 1943635 - restorecon set wrong SELinux context on /var/lib/git/.ssh
Summary: restorecon set wrong SELinux context on /var/lib/git/.ssh
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-26 17:09 UTC by ivanov17
Modified: 2021-03-26 17:17 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug



Description ivanov17 2021-03-26 17:09:21 UTC
Description of problem:

When I try to restore SELinux contexts on the /var/lib/git directory, the .ssh subdirectory is labeled git_sys_content_t instead of ssh_home_t. This breaks access to .ssh/authorized_keys and, because of that, to the git repositories.

# semanage fcontext -l | grep "/var/lib/git"
/var/lib/git(/.*)?                                 all files          system_u:object_r:git_sys_content_t:s0 
...

# semanage fcontext -l | grep "\.ssh"
...
/var/lib/[^/]+/\.ssh(/.*)?                         all files          system_u:object_r:ssh_home_t:s0
...

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

# uname -r
5.11.7-200.fc33.x86_64

Version-Release number of selected component (if applicable):

# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.14.6-35.fc33.noarch
selinux-policy-targeted-3.14.6-35.fc33.noarch

How reproducible: always

Steps to Reproduce:
1. mkdir /var/lib/git
2. mkdir /var/lib/git/.ssh
3. restorecon -rv /var/lib/git

Actual results:

# restorecon -rv /var/lib/git
Relabeled /var/lib/git from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:git_sys_content_t:s0
Relabeled /var/lib/git/.ssh from unconfined_u:object_r:ssh_home_t:s0 to unconfined_u:object_r:git_sys_content_t:s0

Expected results:

# restorecon -rv /var/lib/git
Relabeled /var/lib/git from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:git_sys_content_t:s0

Additional info:

I got the same results with CentOS 8.3.

# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.14.3-54.el8_3.2.noarch
selinux-policy-targeted-3.14.3-54.el8_3.2.noarch

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32

# uname -r
4.18.0-240.15.1.el8_3.x86_64
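The following check is an added example and is not part of the bug report or the selinux-policy project. It scans the verbose output of a restorecon run (the "Relabeled PATH from CTX to CTX" lines quoted above) and flags any .ssh path whose new type is not ssh_home_t, so a relabel like the one in this report can be caught with a dry run (restorecon -n) before authorized_keys access is lost. It assumes the line format shown in the report, plus the "Would relabel" prefix that newer libselinux prints in dry-run mode; the sample lines at the bottom are constructed from the report.

```shell
#!/bin/sh
# Added example (not from the bug report): audit restorecon output for .ssh
# directories that would lose the ssh_home_t type.

# Return the SELinux type, i.e. the third field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read restorecon -v (or -nv) lines on stdin and print one line per .ssh path
# whose target type is not ssh_home_t. Exit status 0 when nothing is flagged,
# 1 otherwise. Paths containing whitespace are not supported by this parser.
flag_bad_ssh_relabels() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "Relabeled "*)     rest=${line#Relabeled } ;;
            "Would relabel "*) rest=${line#Would relabel } ;;   # dry-run prefix (assumed)
            *) continue ;;
        esac
        # rest is: PATH from OLDCTX to NEWCTX
        set -- $rest
        path=$1
        newctx=$5
        case "$path" in
            */.ssh|*/.ssh/*) ;;
            *) continue ;;
        esac
        type=$(context_type "$newctx")
        if [ "$type" != "ssh_home_t" ]; then
            printf '%s would become %s (expected ssh_home_t)\n' "$path" "$type"
            found=1
        fi
    done
    return $found
}

# Constructed sample, taken from the relabel lines quoted in the report.
SAMPLE_RESTORECON_OUTPUT='Relabeled /var/lib/git from unconfined_u:object_r:var_lib_t:s0 to unconfined_u:object_r:git_sys_content_t:s0
Relabeled /var/lib/git/.ssh from unconfined_u:object_r:ssh_home_t:s0 to unconfined_u:object_r:git_sys_content_t:s0'

# Demo over the constructed sample; on a real host use:
#   restorecon -nrv /var/lib/git | flag_bad_ssh_relabels
printf '%s\n' "$SAMPLE_RESTORECON_OUTPUT" | flag_bad_ssh_relabels || true
```

Running the check against the report's own output prints `/var/lib/git/.ssh would become git_sys_content_t (expected ssh_home_t)` and exits non-zero, which is the condition to stop on before letting restorecon touch the directory.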

