Bug 2323878 - semodule appears to update policy files with wrong context
Summary: semodule appears to update policy files with wrong context
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 42
Hardware: Unspecified
OS: Linux
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-11-05 15:22 UTC by Petr Lautrbach
Modified: 2025-04-01 14:29 UTC (History)

Fixed In Version: selinux-policy-41.26-2.fc41
Clone Of: 2316388
Environment:
Last Closed: 2025-04-01 14:29:54 UTC
Type: ---
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 2420 0 None Merged Label all semanage store files in /etc as semanage_store_t 2024-11-11 09:47:10 UTC

Description Petr Lautrbach 2024-11-05 15:22:40 UTC
+++ This bug was initially created as a clone of Bug #2316388 +++

Original context and information in https://github.com/coreos/fedora-coreos-tracker/issues/1806

When running semodule -N --refresh on Fedora CoreOS we are seeing files get created that have the wrong file contexts:

```
root@cosa-devsh:~# restorecon -rvn /etc/selinux
root@cosa-devsh:~# semodule -N --refresh
root@cosa-devsh:~# restorecon -rvn /etc/selinux
Would relabel /etc/selinux/targeted/active/booleans.local from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
...
...
```

I traced the Fedora CoreOS rawhide history and found this behavior was introduced in:

```
BISECT TEST RESULTS:
Last known good build: 42.20240911.91.0
First known bad build: 42.20240914.91.0
```

which had the following changeset:

```
ostree diff commit from: 3a8acb2a5b7971084404216fb7c1d0282f626c7186618c361aa4545fbe3493b8
ostree diff commit to:   766159d55230282690a7e11cbe836fe06b26c62d846f9ba256bd4e9489e9e7d3
Upgraded:
  bootc 0.1.15-1.fc42 -> 0.1.16-1.fc42
  conmon 2:2.1.12-2.fc41 -> 2:2.1.12-3.fc42
  container-selinux 2:2.232.1-2.fc41 -> 2:2.233.0-1.fc42
  crun 1.15-2.fc41 -> 1.17-1.fc42
  crun-wasm 1.15-2.fc41 -> 1.17-1.fc42
  curl 8.9.1-3.fc42 -> 8.10.0-1.fc42
  gnutls 3.8.7-2.fc42 -> 3.8.7-4.fc42
  kbd 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kbd-legacy 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kbd-misc 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kernel 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-core 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-modules 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-modules-core 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  libcurl-minimal 8.9.1-3.fc42 -> 8.10.0-1.fc42
  libgcc 14.2.1-2.fc42 -> 14.2.1-3.fc42
  libldb 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  libselinux 3.7-5.fc41 -> 3.7-6.fc42
  libselinux-utils 3.7-5.fc41 -> 3.7-6.fc42
  libsemanage 3.7-2.fc41 -> 3.7-3.fc42
  libsepol 3.7-2.fc41 -> 3.7-3.fc42
  libsmbclient 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  libstdc++ 14.2.1-2.fc42 -> 14.2.1-3.fc42
  libwbclient 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  microcode_ctl 2:2.1-64.fc42 -> 2:2.1-65.fc42
  openssl 1:3.2.2-5.fc41 -> 1:3.2.2-8.fc42
  openssl-libs 1:3.2.2-5.fc41 -> 1:3.2.2-8.fc42
  rpm 4.19.93-1.fc42 -> 4.19.94-1.fc42
  rpm-libs 4.19.93-1.fc42 -> 4.19.94-1.fc42
  rpm-plugin-selinux 4.19.93-1.fc42 -> 4.19.94-1.fc42
  samba-client-libs 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  samba-common 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  samba-common-libs 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  selinux-policy 41.16-1.fc42 -> 41.17-1.fc42
  selinux-policy-targeted 41.16-1.fc42 -> 41.17-1.fc42
  zlib-ng-compat 2.1.7-2.fc41 -> 2.1.7-3.fc42
```

I realize that policycoreutils wasn't changed in that update, so it's probably either the policy or the SELinux libraries; feel free to move this to the appropriate component.



Reproducible: Always

--- Additional comment from Petr Lautrbach on 2024-10-04 11:10:18 CEST ---

Most likely related to https://github.com/SELinuxProject/selinux/commit/d96f27bf7cb918cfd3123c5281381ef8b5196ac3

--- Additional comment from Dusty Mabe on 2024-10-30 20:14:26 CET ---

Hi Petr. Any updates on this?

--- Additional comment from Petr Lautrbach on 2024-11-05 16:19:23 CET ---

The problem seems to be in libsemanage, which copies files from /active/ to /tmp/ and relabels them there. On a standard system this is not an issue, as both locations translate to the same context, e.g.

```
root@localhost:~# matchpathcon /var/lib/selinux/targeted/active/booleans.local /var/lib/selinux/targeted/tmp/booleans.local
/var/lib/selinux/targeted/active/booleans.local system_u:object_r:semanage_store_t:s0
/var/lib/selinux/targeted/tmp/booleans.local    system_u:object_r:semanage_store_t:s0
```

But it differs on CoreOS, where semanage-store is set to /etc/selinux:

```
root@localhost:~# matchpathcon /etc/selinux/targeted/active/booleans.local /etc/selinux/targeted/tmp/booleans.local
/etc/selinux/targeted/active/booleans.local     system_u:object_r:semanage_store_t:s0
/etc/selinux/targeted/tmp/booleans.local        system_u:object_r:selinux_config_t:s0
```


I see two possible solutions for this and I guess both should be applied:

1. add an fcontext mapping for '/etc/selinux/(minimum|mls|targeted)/tmp(/.*)?'

This can also be used as a local workaround:

```
root@localhost:~# semodule -N --refresh

root@localhost:~# restorecon -rvn /etc/selinux | head
Would relabel /etc/selinux/targeted/active/booleans.local from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/file_contexts from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/file_contexts.homedirs from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0

root@localhost:~# restorecon -rF /etc/selinux

root@localhost:~# semanage fcontext -a -t semanage_store_t '/etc/selinux/(minimum|mls|targeted)/tmp(/.*)?'

root@localhost:~# semodule -N --refresh

root@localhost:~# restorecon -rvn /etc/selinux | head
```

2. fix libsemanage to set the file contexts on the final destination after /tmp/ is renamed to /active/
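As an added illustration (not code from this bug report, libsemanage or the policy), the following Python model reproduces the mechanism described in the comment above: files are labelled by their tmp/ path and then renamed into active/, so on a store under /etc/selinux they keep selinux_config_t. The file_contexts table, the "longest regex wins" matching rule and the file names are constructed assumptions for the model; it also shows why each of the two proposed solutions clears the mislabels.

```python
import re

# Constructed, minimal file_contexts table (regex, type) standing in for the
# policy: /etc/selinux is selinux_config_t, the semanage store under
# <policy>/active is semanage_store_t, and there is no entry for <policy>/tmp.
POLICY_FCONTEXTS = [
    (r"/etc/selinux(/.*)?", "selinux_config_t"),
    (r"/etc/selinux/(minimum|mls|targeted)/active(/.*)?", "semanage_store_t"),
]
# Solution 1 from the comment: the extra mapping for the tmp/ staging directory.
TMP_FCONTEXT = (r"/etc/selinux/(minimum|mls|targeted)/tmp(/.*)?", "semanage_store_t")

STORE = "/etc/selinux/targeted"  # semanage store root as configured on CoreOS


def matchpathcon(path, fcontexts):
    """Type a path would get. Assumption for this model (not libselinux's
    exact precedence rules): among matching specs the longest regex wins."""
    best = None
    for regex, setype in fcontexts:
        if re.fullmatch(regex, path) and (best is None or len(regex) > len(best[0])):
            best = (regex, setype)
    return best[1] if best else None


def commit_store(files, fcontexts, relabel_after_rename):
    """Model of a libsemanage commit: files are copied to tmp/, labelled by
    their tmp/ path, then tmp/ is renamed to active/. Labels travel with the
    inodes, so without a post-rename relabel they keep whatever tmp/ got.
    Returns {name: label} for the new active/ directory."""
    staged = {name: matchpathcon(f"{STORE}/tmp/{name}", fcontexts) for name in files}
    if relabel_after_rename:  # solution 2: label at the final destination
        return {name: matchpathcon(f"{STORE}/active/{name}", fcontexts) for name in files}
    return staged


def mislabeled(active, fcontexts):
    """Names in active/ whose label differs from what restorecon would set."""
    return sorted(name for name, label in active.items()
                  if label != matchpathcon(f"{STORE}/active/{name}", fcontexts))


if __name__ == "__main__":
    names = ["booleans.local", "file_contexts", "modules/100/acct/cil"]
    with_tmp = POLICY_FCONTEXTS + [TMP_FCONTEXT]
    print("bug:            ", mislabeled(commit_store(names, POLICY_FCONTEXTS, False), POLICY_FCONTEXTS))
    print("fcontext fix:   ", mislabeled(commit_store(names, with_tmp, False), with_tmp))
    print("libsemanage fix:", mislabeled(commit_store(names, POLICY_FCONTEXTS, True), POLICY_FCONTEXTS))
```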

Comment 3 Fedora Update System 2024-11-14 22:09:49 UTC
FEDORA-2024-bbef94e809 (selinux-policy-41.25-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-bbef94e809

Comment 4 Fedora Update System 2024-11-15 03:31:55 UTC
FEDORA-2024-bbef94e809 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-bbef94e809`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-bbef94e809

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2024-11-17 02:14:43 UTC
FEDORA-2024-bbef94e809 (selinux-policy-41.25-1.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 6 Dusty Mabe 2024-11-18 20:27:31 UTC
I think this is looking good. I only see one more set of files that get labeled incorrectly now:

```
[core@cosa-devsh ~]$ sudo restorecon -rvn /etc/selinux 
[core@cosa-devsh ~]$ sudo semodule -N --refresh
[core@cosa-devsh ~]$ sudo restorecon -rvn /etc/selinux 
Would relabel /etc/selinux/targeted/semanage.read.LOCK from unconfined_u:object_r:semanage_trans_lock_t:s0 to unconfined_u:object_r:selinux_config_t:s0
Would relabel /etc/selinux/targeted/semanage.trans.LOCK from unconfined_u:object_r:semanage_trans_lock_t:s0 to unconfined_u:object_r:selinux_config_t:s0
[core@cosa-devsh ~]$ 
[core@cosa-devsh ~]$ rpm -q selinux-policy libse
libseccomp        libselinux        libselinux-utils  libsemanage       libsepol          
[core@cosa-devsh ~]$ rpm -q selinux-policy libse
libseccomp        libselinux        libselinux-utils  libsemanage       libsepol          
[core@cosa-devsh ~]$ rpm -q selinux-policy libsemanage policycoreutils 
selinux-policy-41.25-1.fc41.noarch
libsemanage-3.7-2.fc41.x86_64
policycoreutils-3.7-3.fc41.x86_64
```

Should we open a separate issue?

Also, should the original bug be updated? https://bugzilla.redhat.com/show_bug.cgi?id=2316388

Comment 7 Dusty Mabe 2024-11-18 20:36:16 UTC
OK, maybe I spoke too soon. On F41 I only see those two files with the wrong labels, but in f42/rawhide I still see a lot of wrongly labeled stuff:

```
[core@cosa-devsh ~]$ sudo restorecon -rvn /etc/selinux
[core@cosa-devsh ~]$ sudo semodule -N --refresh
[core@cosa-devsh ~]$ sudo restorecon -rvn /etc/selinux
Would relabel /etc/selinux/targeted/semanage.read.LOCK from unconfined_u:object_r:semanage_trans_lock_t:s0 to unconfined_u:object_r:selinux_config_t:s0
Would relabel /etc/selinux/targeted/semanage.trans.LOCK from unconfined_u:object_r:semanage_trans_lock_t:s0 to unconfined_u:object_r:selinux_config_t:s0
Would relabel /etc/selinux/targeted/active/modules from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/modules/100 from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/modules/100/acct from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/modules/100/acct/cil from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/modules/100/acct/hll from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/modules/100/acct/lang_ext from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
...
...
...
...
[core@cosa-devsh ~]$ rpm -q selinux-policy libsemanage policycoreutils 
selinux-policy-41.25-1.fc42.noarch
libsemanage-3.7-3.fc42.x86_64
policycoreutils-3.7-5.fc42.x86_64
```

Comment 8 Petr Lautrbach 2024-11-19 16:52:21 UTC
The fix does not appear to be in tag v41.25.

Comment 9 Aoife Moloney 2025-02-26 13:14:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle.
Changing version to 42.

Comment 10 Zdenek Pytela 2025-04-01 14:29:54 UTC
Should be fixed in selinux-policy-41.26-2.fc41 and newer.

