Bug 486563 - rpm -V says file context is incorrect when it is correct
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: rpm
All Linux
medium Severity medium
Assigned To: Panu Matilainen
BaseOS QE Security Team
Reported: 2009-02-20 05:13 EST by Jan Hutař
Modified: 2012-06-20 12:01 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:01:08 EDT
Description Jan Hutař 2009-02-20 05:13:04 EST
Description of problem:
rpm -V says file context is incorrect when it is correct

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. # rpm -V rhn-applet
2. # rpm -q --queryformat '[%{FILENAMES} (%{FSCONTEXTS})\n]' rhn-applet | grep /etc/sysconfig/rhn/rhn-applet
3. # ls -Z /etc/sysconfig/rhn/rhn-applet

Actual results:
# rpm -V rhn-applet
........C c /etc/sysconfig/rhn/rhn-applet
# ls -Z /etc/sysconfig/rhn/rhn-applet
-rw-r--r--  root     root     root:object_r:etc_t              /etc/sysconfig/rhn/rhn-applet
# rpm -q --queryformat '[%{FILENAMES} (%{FSCONTEXTS})\n]' rhn-applet | grep /etc/sysconfig/rhn/rhn-applet
/etc/sysconfig/rhn/rhn-applet (root:object_r:etc_t)

Expected results:
# rpm -V rhn-applet
<no output>
Comment 1 Panu Matilainen 2009-02-20 06:28:24 EST
This is RHEL 4, not 5...
Comment 8 Daniel Walsh 2009-03-09 10:29:54 EDT
It is complaining about the user component of the security context.

restorecon -F -v /etc/sysconfig/rhn/rhn-applet

Would have fixed it the way rpm wants it.

From a RHEL4 SELinux security point of view there is no difference between the two labels.
Comment 9 Jan Hutař 2009-03-10 09:28:17 EDT
Thank you Dan.

So this is a packaging issue (there should be a correct context), or rpm's issue (it should ignore the user component of the security context). Could you please comment on this?

Thank you all in advance,
Comment 10 Daniel Walsh 2009-03-10 09:31:29 EDT
Well, we removed the rpm -V checking of file context in RHEL5 and all Fedora releases.

No, this is not a packaging issue; it is a problem with the SELinux integration in RPM.

The system says the default label should be system_u:...
But if a logged-in user edits and recreates the file, his SELinux user gets assigned: unconfined_u:... or staff_u:... or root:...

rpm -V did not take this into account. restorecon does.
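
The difference described in comments 8 and 10, as an added example that is not part of the original bug report and is not rpm's or restorecon's own code: a field-by-field context comparison with a strict mode (every field must match) and a mode that ignores the user component. The function names `ctx_field` and `compare_ctx` are hypothetical, and the policy default `system_u:object_r:etc_t` is a constructed sample value (the thread only gives "system_u:...").

```shell
#!/bin/sh
# Added illustration: compare SELinux file contexts field by field.

# ctx_field <context> <user|role|type|level>
# A context is user:role:type[:level]. The level (MLS/MCS range) may itself
# contain colons (e.g. s0:c0.c1023), so only the first three colons split fields.
ctx_field() {
    case $1 in
        *:*:*) ;;
        *) echo "malformed context: $1" >&2; return 2 ;;
    esac
    c_user=${1%%:*};    rest=${1#*:}
    c_role=${rest%%:*}; rest=${rest#*:}
    c_type=${rest%%:*}
    case $rest in *:*) c_level=${rest#*:} ;; *) c_level= ;; esac
    case $2 in
        user) echo "$c_user" ;;  role)  echo "$c_role" ;;
        type) echo "$c_type" ;;  level) echo "$c_level" ;;
    esac
}

# compare_ctx <expected> <actual> <strict|ignore-user>
# Prints "match" or "mismatch: <fields>"; returns 2 on a malformed context.
compare_ctx() {
    diffs=
    for f in user role type level; do
        # ignore-user skips the component that changes when a logged-in
        # user recreates the file; strict compares it like any other field.
        if [ "$3" = ignore-user ] && [ "$f" = user ]; then continue; fi
        e=$(ctx_field "$1" "$f") || return 2
        a=$(ctx_field "$2" "$f") || return 2
        if [ "$e" != "$a" ]; then diffs="$diffs $f"; fi
    done
    if [ -z "$diffs" ]; then echo "match"; else echo "mismatch:$diffs"; fi
}

# Constructed sample: assumed policy default vs. the on-disk label from ls -Z.
expected='system_u:object_r:etc_t'
on_disk='root:object_r:etc_t'
echo "strict:      $(compare_ctx "$expected" "$on_disk" strict)"
echo "ignore-user: $(compare_ctx "$expected" "$on_disk" ignore-user)"
```

In ignore-user mode a changed type or level is still reported, so a file relabelled to a different type does not pass unnoticed.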
Comment 11 Panu Matilainen 2009-03-10 09:39:47 EDT
Hmm, maybe the most productive way to deal with this would be ripping the SELinux verification code from RHEL4 too...
Comment 14 Jan Hutař 2009-05-13 02:41:40 EDT
As per comments #10 and #11, I would close this as a duplicate of some "remove SELinux verification code from rpm on RHEL4" bug if there is any.
Comment 15 Jiri Pallich 2012-06-20 12:01:08 EDT
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life.
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.
