Bug 443569 - runcon user_u:system_r:unconfined_t:s0 <command> doesn't work in rawhide
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-22 08:44 UTC by Ondrej Vasik
Modified: 2008-04-22 14:27 UTC (History)
Doc Type: Bug Fix
Last Closed: 2008-04-22 11:01:17 UTC
Description Ondrej Vasik 2008-04-22 08:44:44 UTC
Description of problem:
runcon user_u:system_r:unconfined_t:s0 true -j 
now returns 
runcon: invalid context: user_u:system_r:unconfined_t:s0: Invalid argument

That command is part of the coreutils build test suite and it passed without
trouble in the rawhide build of coreutils-6.10-21.fc9 (Fri, 18 Apr 2008). The
command works OK in F8 and older Fedoras with the rawhide coreutils runcon
command, and worked in a koji build a few days ago. So I guess the problem is in
a recent change in the area of selinux policies or

Version-Release number of selected component (if applicable):
policycoreutils-2.0.46-4.fc9.x86_64
coreutils-6.10-18.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. runcon user_u:system_r:unconfined_t:s0 true -j
  
Actual results:
runcon: invalid context: user_u:system_r:unconfined_t:s0: Invalid argument

Expected results:
No output, exit 0

Additional info:
mcstrans(d) running, SELinux permissive (but same with enforcing)

runcon -t unconfined_t true -j passes without an issue,
but
runcon -t unconfined_t -u user_u true -j
again returns the error
runcon: invalid context: user_u:unconfined_r:unconfined_t:SystemLow-SystemHigh: Invalid argument

Comment 1 Ondrej Vasik 2008-04-22 08:48:12 UTC
Sorry for the missing end of the sentence in the Description of problem; it
should be "selinux policies or mcstrans(d). There is no recent change in runcon
in coreutils package."

Comment 2 Daniel Walsh 2008-04-22 11:01:17 UTC
Change your code to

runcon -t unconfined_t -u unconfined_u true -j

user_u can not execute unconfined_t in rawhide.



Comment 3 Ondrej Vasik 2008-04-22 11:32:51 UTC
OK, thanks for the explanation, so it requires a change in the upstream
coreutils test-suite. I was just a bit surprised that it worked a few days ago
and now it fails even in permissive mode. Will use runcon
unconfined_u:system_r:unconfined_t:s0 true -j.

Comment 4 Ondrej Vasik 2008-04-22 11:39:03 UTC
In fact the code in the test suite is runcon $(id -Z) true -j (and id -Z gets
the context by getcon()). So I think this is still a bit buggy behaviour since I
got the context user_u:system_r:unconfined_t:s0 from selinux/selinux.h getcon().
If user_u could not use unconfined_t, then it should not be returned as the
selinux context of the user.

Comment 5 Daniel Walsh 2008-04-22 13:50:14 UTC
Sounds like something is a little fishy on your test machine.  I just tried the
above command on

unconfined_u:unconfined_r:unconfined_t:s0

And it worked fine for me, on Rawhide.

I think your machine might have a screwed up user database.

If this was an upgrade from F7 you might need to execute:

semanage login -m -s unconfined_u __default__


Comment 6 Ondrej Vasik 2008-04-22 14:27:11 UTC
Thanks, that fixed my problem on the test machine - it seems that the screwed up
user database was the cause. Sorry for bothering you.
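
Added example, not part of the original bug thread and not code from policycoreutils: a small diagnostic for the stale login mapping discussed in Comment 5. It parses `semanage login -l` and `semanage user -l` output and reports when a context's role is not authorized for its SELinux user. The sample outputs, the role sets and the login name `tester` are constructed assumptions.

```python
import re

# Constructed `semanage login -l` output (assumption: stale __default__ mapping).
LOGIN_L = """\
Login Name                SELinux User              MLS/MCS Range

__default__               user_u                    s0
root                      unconfined_u              s0-s0:c0.c1023
"""

# Constructed `semanage user -l` output; the role sets are assumptions.
USER_L = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
"""

# user, prefix, level, range, then one or more role names ending in _r.
ROW = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+_r(?:\s+\S+_r)*)\s*$")

def parse_logins(text):
    """Linux login -> SELinux user; skips the header and blank lines."""
    rows = (line.split() for line in text.splitlines()[1:])
    return {r[0]: r[1] for r in rows if len(r) >= 3}

def parse_user_roles(text):
    """SELinux user -> set of authorized roles; header lines do not match ROW."""
    found = (ROW.match(line) for line in text.splitlines())
    return {m.group(1): set(m.group(2).split()) for m in found if m}

def diagnose(login, context, logins, user_roles):
    """Explain why `runcon <context>` may be rejected for this login."""
    findings = []
    mapped = logins.get(login, logins.get("__default__"))
    user, role = context.split(":")[:2]
    if role not in user_roles.get(user, set()):
        # Necessary check only: role/type and MLS validity are left to the kernel.
        findings.append(f"{user} is not authorized for role {role}")
    if login not in logins and mapped == user:
        findings.append(f"{login} gets {user} via __default__")
    return findings

if __name__ == "__main__":
    ctx = "user_u:system_r:unconfined_t:s0"  # context quoted in the report
    # "tester" is a hypothetical login with no explicit mapping.
    for f in diagnose("tester", ctx, parse_logins(LOGIN_L), parse_user_roles(USER_L)):
        print(f)
```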

