Bug 486563 - rpm -V says file context is incorrect when it is correct
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rpm
Version: 4.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Panu Matilainen
QA Contact: BaseOS QE Security Team
Reported: 2009-02-20 10:13 UTC by Jan Hutař
Modified: 2012-06-20 16:01 UTC (History)
Doc Type: Bug Fix
Last Closed: 2012-06-20 16:01:08 UTC

Description Jan Hutař 2009-02-20 10:13:04 UTC
Description of problem:
rpm -V says file context is incorrect when it is correct


Version-Release number of selected component (if applicable):
rpm-4.3.3-32_nonptl.x86_64
selinux-policy-targeted-1.17.30-2.151.el4.noarch
rhn-applet-2.1.28-3.el4.x86_64


How reproducible:
always


Steps to Reproduce:
1. # rpm -V rhn-applet
2. # rpm -q --queryformat '[%{FILENAMES} (%{FSCONTEXTS})\n]' rhn-applet | grep /etc/sysconfig/rhn/rhn-applet
3. # ls -Z /etc/sysconfig/rhn/rhn-applet


Actual results:
# rpm -V rhn-applet
........C c /etc/sysconfig/rhn/rhn-applet
# ls -Z /etc/sysconfig/rhn/rhn-applet
-rw-r--r--  root     root     root:object_r:etc_t              /etc/sysconfig/rhn/rhn-applet
# rpm -q --queryformat '[%{FILENAMES} (%{FSCONTEXTS})\n]' rhn-applet | grep /etc/sysconfig/rhn/rhn-applet
/etc/sysconfig/rhn/rhn-applet (root:object_r:etc_t)


Expected results:
# rpm -V rhn-applet
<no output>

Comment 1 Panu Matilainen 2009-02-20 11:28:24 UTC
This is RHEL 4, not 5...

Comment 8 Daniel Walsh 2009-03-09 14:29:54 UTC
It is complaining about the user component of the security context.

restorecon -F -v /etc/sysconfig/rhn/rhn-applet

Would have fixed it the way rpm wants it.

From a RHEL4 SELinux security point of view there is no difference between the two labels.

Comment 9 Jan Hutař 2009-03-10 13:28:17 UTC
Thank you Dan.

So this is a packaging issue (there should be a correct context), or rpm's issue (it should ignore the user component of the security context). Could you please comment on this?

Thank you all in advance,
Jan

Comment 10 Daniel Walsh 2009-03-10 13:31:29 UTC
Well, we removed the rpm -V checking of file context in RHEL5 and all Fedora releases.

No, this is not a packaging issue; it is a problem with the SELinux integration in RPM.

The system says the default label should be system_u:...
But if a logged in user edits and recreates the file, his SELinux user gets assigned.  unconfined_u:... or staff_u:... or root:...  

rpm -V did not take this into account.  restorecon  does.
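
The distinction drawn in Comment 10, as an added example that is not part of the bug thread and is not rpm or restorecon code: a context comparison that separates "only the SELinux user differs" from a real role/type mismatch. The function names and the expected labels in the sample are assumptions constructed for illustration; only the path and the on-disk label `root:object_r:etc_t` come from the report.

```shell
#!/bin/sh
# Added example: classify SELinux context differences.
# A context is "user:role:type" (RHEL4 targeted) or "user:role:type:level".

# Drop the leading user field: "user:role:type[:level]" -> "role:type[:level]".
ctx_without_user() {
    case "$1" in
        *:*:*) printf '%s\n' "${1#*:}" ;;
        *)     return 1 ;;               # fewer than three fields: malformed
    esac
}

# classify_ctx EXPECTED ACTUAL
# prints: match | user-only | mismatch | invalid
classify_ctx() {
    exp_rest=$(ctx_without_user "$1") || { echo invalid; return; }
    act_rest=$(ctx_without_user "$2") || { echo invalid; return; }
    if [ "$1" = "$2" ]; then
        echo match                       # identical, including the user
    elif [ "$exp_rest" = "$act_rest" ]; then
        echo user-only                   # what a strict whole-string check flags
    else
        echo mismatch                    # role, type or level really differs
    fi
}

# Constructed sample: path, expected label (assumed), label on disk.
report() {
    while read -r path expected actual; do
        [ -n "$path" ] || continue
        printf '%-10s %s\n' "$(classify_ctx "$expected" "$actual")" "$path"
    done <<'EOF'
/etc/sysconfig/rhn/rhn-applet system_u:object_r:etc_t root:object_r:etc_t
/etc/example-same.conf system_u:object_r:etc_t system_u:object_r:etc_t
/etc/example-wrongtype.conf system_u:object_r:etc_t root:object_r:tmp_t
EOF
}

report
```

A verification pass that treats `user-only` as clean reports only the third sample file, which is the behaviour the comment attributes to restorecon.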

Comment 11 Panu Matilainen 2009-03-10 13:39:47 UTC
Hmm, maybe the most productive way to deal with this would be ripping the SELinux verification code from RHEL4 too...

Comment 14 Jan Hutař 2009-05-13 06:41:40 UTC
As per the comment #10 and #11, I would close this as a duplicate of some "remove SELinux verification code from rpm on RHEL4" bug if there is any.

Comment 15 Jiri Pallich 2012-06-20 16:01:08 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
