Description of problem:
    rpm -V says file context is incorrect when it is correct
Version-Release number of selected component (if applicable):
    rpm-4.3.3-32_nonptl.x86_64
    selinux-policy-targeted-1.17.30-2.151.el4.noarch
    rhn-applet-2.1.28-3.el4.x86_64
How reproducible:
    always
Steps to Reproduce:
    1. # rpm -V rhn-applet
    2. # rpm -q --queryformat '[%{FILENAMES} (%{FSCONTEXTS})\n]' rhn-applet | grep /etc/sysconfig/rhn/rhn-applet
    3. # ls -Z /etc/sysconfig/rhn/rhn-applet
Actual results:
    # rpm -V rhn-applet
    ........C c /etc/sysconfig/rhn/rhn-applet
    # ls -Z /etc/sysconfig/rhn/rhn-applet
    -rw-r--r-- root root root:object_r:etc_t /etc/sysconfig/rhn/rhn-applet
    # rpm -q --queryformat '[%{FILENAMES} (%{FSCONTEXTS})\n]' rhn-applet | grep /etc/sysconfig/rhn/rhn-applet
    /etc/sysconfig/rhn/rhn-applet (root:object_r:etc_t)
Expected results:
    # rpm -V rhn-applet
    <no output>
This is RHEL 4, not 5...
It is complaining about the user component of the security context.
    restorecon -F -v /etc/sysconfig/rhn/rhn-applet
would have fixed it the way rpm wants it. From a RHEL4 SELinux security point of view there is no difference between the two labels.
Thank you, Dan. So is this a packaging issue (there should be a correct context), or rpm's issue (it should ignore the user component of the security context)? Could you please comment on this? Thank you all in advance, Jan
Well, we removed the rpm -V checking of file context in RHEL5 and all Fedora releases. No, this is not a packaging issue; it is a problem with the SELinux integration in RPM. The system says the default label should be system_u:... But if a logged-in user edits and recreates the file, his SELinux user gets assigned: unconfined_u:... or staff_u:... or root:... rpm -V did not take this into account. restorecon does.
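The distinction drawn in the comment above, as an added example that is not part of the original thread and is not rpm or restorecon code: a small shell triage that separates a context mismatch confined to the SELinux user field from one that touches the role, type or level. The function names, the /etc/example paths and the "policy default" column (including system_u:object_r:etc_t) are constructed assumptions; only the on-disk context of rhn-applet comes from the report.

```shell
#!/bin/sh
# classify_ctx EXPECTED ACTUAL
# Prints one of: match | user-only | other-field | malformed
# A context is user:role:type, optionally followed by :level.
classify_ctx() {
    exp=$1
    act=$2
    # Require at least three colon-separated fields on both sides.
    case $exp in *:*:*) ;; *) echo malformed; return 0 ;; esac
    case $act in *:*:*) ;; *) echo malformed; return 0 ;; esac
    if [ "$exp" = "$act" ]; then
        echo match
    # Strip the first field (the SELinux user) and compare the remainder.
    elif [ "${exp#*:}" = "${act#*:}" ]; then
        echo user-only
    else
        echo other-field
    fi
}

# triage: reads "path expected actual" lines on stdin and prints
# "<classification><TAB><path>" for each of them.
triage() {
    while read -r path exp act; do
        [ -n "$path" ] || continue
        printf '%s\t%s\n' "$(classify_ctx "$exp" "$act")" "$path"
    done
}

# Constructed sample: path, assumed policy default context, on-disk context.
sample() {
    cat <<'EOF'
/etc/sysconfig/rhn/rhn-applet system_u:object_r:etc_t root:object_r:etc_t
/etc/example/a.conf system_u:object_r:etc_t system_u:object_r:etc_t
/etc/example/b.conf system_u:object_r:etc_t root:object_r:tmp_t
EOF
}

sample | triage
```

Lines reported as user-only are the case described in this thread; other-field lines are the ones where the type or role actually differs.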
Hmm, maybe the most productive way to deal with this would be ripping the SELinux verification code from RHEL4 too...
As per comments #10 and #11, I would close this as a duplicate of some "remove SELinux verification code from rpm on RHEL4" bug if there is any.
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. Please see https://access.redhat.com/support/policy/updates/errata/
If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.