Bug 395891 - selinux policy issues
selinux policy issues
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-22 12:09 EST by Need Real Name
Modified: 2007-12-10 14:51 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-12-10 14:51:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2007-11-22 12:09:23 EST
Bunch of different selinux inconsistencies:


The following have a different restore context from what comes out-of-the-box
from the rpm:

/etc/rc.d/rc.local
     rpm: system_u:object_r:initrc_exec_t (I think)
     restorecon: system_u:object_r:etc_t

/etc/init.d/functions
     rpm: (I forget exactly but ended in something with bin_t)
     restorecon: system_u:object_r:etc_t

/etc/init.d/resolv.conf
     rpm: system_u:object_r:net_conf_t (I think)
     restorecon: system_u:object_r:etc_t

/etc/exports
     rpm: system_u:object_r:exports_t
     restorecon: system_u:object_r:etc_t

/etc/cups/printers.con
     rpm:  system_u:object_r:cupsd_rw_etc_t
     restorecon: system_u:object_r:cupsd_etc_t
Comment 1 Daniel Walsh 2007-11-26 11:13:13 EST
I am not sure what you are saying but the correct context for all these files is 

/etc/rc.d/rc.local
     rpm: system_u:object_r:initrc_exec_t (I think)
     restorecon: system_u:object_r:etc_t

/etc/init.d/functions  system_u:object_r:bin_t

/etc/init.d/resolv.conf 
This file does not exist?  If it did and was a file it would be initrc_exec_t

/etc/exports system_u:object_r:exports_t

/etc/cups/printers.con system_u:object_r:cupsd_etc_t

matchpathcon FILE_PATH 

Will tell you the system default context.  But make sure these are files.  The
label on a symbolic link and a file might be different.
Comment 2 Need Real Name 2007-11-28 23:47:01 EST
Sorry for lack of clarity -- by restorecon, I meant matchpathcon (I believe that
restorecon -n gives the same result as matchpathcon when the context is wrong)

The issues remain using matchpathcon - (i.e. I get the same context as I noted
before under restorecon). These DIFFER from what you suggested matchpathcon
should give.

Specifically,
    $matchpathcon /etc/rc.d/rc.local
    /etc/rc.d/rc.local      system_u:object_r:etc_t:s0

   $ matchpathcon /etc/init.d/functions
   /etc/init.d/functions   system_u:object_r:etc_t:s0

   $ matchpathcon /etc/resolv.conf
   /etc/resolv.conf        system_u:object_r:etc_t:s0

   $ matchpathcon /etc/exports
   /etc/exports    system_u:object_r:etc_t:s0

   $ matchpathcon /etc/cups/printers.conf
   /etc/cups/printers.conf system_u:object_r:cupsd_rw_etc_t:s0  

Again I am using a fresh install of F8 with:
   selinux-policy-devel-3.0.8-56.fc8.noarch.rpm
   selinux-policy-targeted-3.0.8-56.fc8.noarch.rpm

So, again I am not sure why matchpathcon is giving different answers from what I
get from the install rpms.
Comment 3 Daniel Walsh 2007-12-01 08:28:10 EST
ls -l /etc/rc.d/rc.local /etc/resolv.conf /etc/exports /etc/cups/printers.conf
Comment 4 Need Real Name 2007-12-04 20:10:44 EST
Dan,
OK. I think I figured out the source of the problem. I was using links but
hadn't realized that having a link would *change* the response of matchpathcon -
this is not obvious from the manpage "matchpathcon  - get the default SELinux
security context for the specified path from the file contexts configuration" --
I had (mis)interpreted this to mean that the response was only dependent on the
path and not on the file itself (or lack thereof).


Comment 5 Daniel Walsh 2007-12-05 10:44:18 EST
If you have a better wording I will update the matchpathcon man page.
Comment 6 Need Real Name 2007-12-05 23:01:29 EST
Dan,
I wish I could help but I really don't know how 'matchpathcon' works.

The description says "get the default SELinux security context for the specified
path from the file contexts configuration"

But it seems to me that it is doing something more like:
   Given a path, if a file exists then get the default security context for the
file based on the security context configuration for the file type and ownership
that currently exists at the path point. If there is no file existing at the
path then get the default security context assuming that the path represents a
standard file.

I know the above is imprecise and sounds a bit gobbly-gook but I truly don't
know what the function actually does.


Note You need to log in before you can comment on or make changes to this bug.