+++ This bug was initially created as a clone of Bug #2012772 +++

Description of problem:
Browsing the context database, I could find some unexpected patterns, which may confuse customers trying to add their own paths.

Example with "-":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/home/\-inst                                       directory          system_u:object_r:home_root_t:s0
/usr/lib/NetworkManager/nm\-.*                     regular file       system_u:object_r:bin_t:s0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
These 3 patterns have a leading backslash prior to the dash, is that really needed? I don't think so.

Examples with "." (more an issue since "." means "any character"):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
[...]
/etc/cron.daily(/.*)?                              all files          system_u:object_r:bin_t:s0
/etc/cron.hourly(/.*)?                             all files          system_u:object_r:bin_t:s0
/etc/cron.minutely/openshift-facts                 regular file       system_u:object_r:openshift_cron_exec_t:s0
/etc/cron.monthly(/.*)?                            all files          system_u:object_r:bin_t:s0
/etc/cron.weekly(/.*)?                             all files          system_u:object_r:bin_t:s0
[...]
/var/run/sssd.pid                                  regular file       system_u:object_r:sssd_var_run_t:s0
/var/run/svnserve.pid                              regular file       system_u:object_r:svnserve_var_run_t:s0
/var/run/syslog-ng.ctl                             regular file       system_u:object_r:syslogd_var_run_t:s0
[...]
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
All the above patterns are wrong, the dot should be escaped (e.g. /etc/cron\.daily/...).

The following command shows most of the issues with "dot":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# semanage fcontext -l | grep "[^\\/]\.[^\*\+]"
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Please fix the policy accordingly, we need to have something sane to not confuse customers.
Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-67.el8_4.2.noarch

How reproducible:
N/A

--- Additional comment from Zdenek Pytela on 2022-06-14 20:03:27 CEST ---

This issue will be considered for the next RHEL minor version inclusion. What needs to be taken into account is that we are now in the middle of the development cycle and we should try to avoid any kind of regression.
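An added Python example, not part of the bug report or of the selinux-policy project, that audits `semanage fcontext -l`-style output for the two issues the description raises: literal dots left unescaped (so they match any character) and `\-` escapes that are not needed outside a bracket expression. It also shows why the dot matters, by checking which paths an unescaped and an escaped cron pattern each claim. The listing is constructed for the example and mirrors the entries quoted above; the scanner follows the idea of the grep in the report (a `.` directly followed by `*` or `+` is treated as an intentional wildcard). Python's `re.fullmatch` is used as an assumed stand-in for the anchored whole-path matching that `setfiles`/`restorecon` perform; a policy author can run the same audit over local `semanage fcontext -a` additions before committing them.

```python
import re

# Constructed sample in the layout of `semanage fcontext -l` output (not captured
# from a real system).  The patterns mirror the ones quoted in the bug report:
# unescaped dots, one correctly escaped dot, and two escaped dashes.
SAMPLE_LISTING = r"""
/etc/cron.daily(/.*)?                    all files       system_u:object_r:bin_t:s0
/etc/cron\.hourly(/.*)?                  all files       system_u:object_r:bin_t:s0
/var/run/sssd.pid                        regular file    system_u:object_r:sssd_var_run_t:s0
/usr/lib/NetworkManager/nm\-.*           regular file    system_u:object_r:bin_t:s0
/home/\-inst                             directory       system_u:object_r:home_root_t:s0
"""


def parse_listing(text):
    """Split listing lines into (pattern, file_type, context) triples.

    Fields are separated by runs of two or more spaces, which keeps file
    types such as "regular file" intact.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) == 3:
            rows.append(tuple(parts))
    return rows


def audit_pattern(pattern):
    """Return (unescaped_dots, redundant_dash_escapes) as lists of indexes.

    An unescaped '.' outside a bracket expression matches any character, so a
    literal dot in a path must be written '\\.'.  A '.' immediately followed by
    '*' or '+' is treated as an intentional wildcard, as the grep in the report
    does.  A '\\-' outside a bracket expression is a redundant escape.
    """
    dots, dashes = [], []
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
        if ch == "\\":
            if nxt == "-" and not in_class:
                dashes.append(i)
            i += 2  # skip the escaped character, whatever it is
            continue
        if in_class:
            if ch == "]":
                in_class = False
        elif ch == "[":
            in_class = True
        elif ch == "." and nxt not in ("*", "+"):
            dots.append(i)
        i += 1
    return dots, dashes


def suggest_fix(pattern):
    """Escape every literal dot flagged by audit_pattern; dashes are left alone."""
    dots = set(audit_pattern(pattern)[0])
    return "".join("\\." if i in dots else ch for i, ch in enumerate(pattern))


def audit_listing(text):
    """Collect a finding for every listing entry that needs attention."""
    findings = []
    for pattern, file_type, context in parse_listing(text):
        dots, dashes = audit_pattern(pattern)
        if dots or dashes:
            findings.append({
                "pattern": pattern,
                "file_type": file_type,
                "context": context,
                "unescaped_dots": dots,
                "redundant_dash_escapes": dashes,
                "suggested": suggest_fix(pattern),
            })
    return findings


def matches_path(pattern, path):
    """True if the file-context regex claims the whole path.

    Assumption: the anchored matching done by setfiles/restorecon is
    approximated here with Python's re.fullmatch.
    """
    return re.fullmatch(pattern, path) is not None


if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f"{f['pattern']!r}: unescaped dots at {f['unescaped_dots']}, "
              f"redundant \\- at {f['redundant_dash_escapes']} -> {f['suggested']!r}")
    # Why it matters: the unescaped pattern also labels an unrelated path.
    print(matches_path(r"/etc/cron.daily(/.*)?", "/etc/cronXdaily/job"))   # True
    print(matches_path(r"/etc/cron\.daily(/.*)?", "/etc/cronXdaily/job"))  # False
```

The `/etc/cron\.hourly(/.*)?` entry is the correctly written form and produces no finding, while the `(/.*)?` wildcard is recognised as intentional in every entry; only the literal dot in the directory name is reported.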
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.