Bug 486634 - remove chcon from post install
remove chcon from post install
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: squidGuard (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Gwyn Ciesla
Fedora Extras Quality Assurance
:
: 486438 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-20 14:20 EST by Daniel Walsh
Modified: 2009-02-27 22:25 EST (History)
4 users (show)

See Also:
Fixed In Version: 1.4-2.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-02-27 22:22:49 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2009-02-20 14:20:24 EST
Description of problem:

squidguard should not be doing chcon in its post install scripts.

chcon should never be done in a post install since it will not survive a reboot.

Also these commands are wrong

 /usr/bin/chcon -R system_u:object_r:squid_log_t /var/log/squidGuard >/dev/null 2>&1
/usr/bin/chcon -R system_u:object_r:squid_cache_t /var/squidGuard >/dev/null 2>&1
/usr/bin/chcon -R system_u:object_r:squid_log_t /var/log/squidGuard >/dev/null 2>&1

And are failing, while creating another avc.

system_u:object_r:squid_log_t is not a valid context it should be

system_u:object_r:squid_log_t:s0

Or a better command would have been

/usr/bin/chcon -R -t squid_log_t /var/log/squidGuard >/dev/null 

But the way this should be done if you need to is

# semanage fcontext -a -t  squid_log_t '/var/log/squidGuard(/.*)?'
# restorecon -R -v /var/log/squidGuard

Similarly for the other file context.

But really this labeling should go into the selinux-policy package, it is in RHEL5 and Rawhide now.

Miroslav please add it to F9 and F10.
Comment 1 Daniel Walsh 2009-02-20 14:23:21 EST
*** Bug 486438 has been marked as a duplicate of this bug. ***
Comment 2 Gwyn Ciesla 2009-02-20 14:25:24 EST
Thanks, I just took this over, and was wondering about that.  So all I need to do at this point is remove the chcon from post and rebuild?
Comment 3 Daniel Walsh 2009-02-23 09:50:47 EST
Yes.


And Miroslav needs to get out a new policy to label these directories correctly.
Comment 4 Gwyn Ciesla 2009-02-23 09:59:40 EST
Two questions there, do I need to wait for the new policy, and which branches will have their policy updated for this, that I will need to build for?
Comment 5 Daniel Walsh 2009-02-23 10:07:02 EST
No since your current fix does not work anyways, just remove the lines and I will talk to Miroslav to get it out quickly.


F9, F10 need fix

RHEL5 and Rawhide have it.
Comment 6 Gwyn Ciesla 2009-02-23 10:28:03 EST
Ok, I'll pull the SOURCES for the policy bits as well, and get these out today.
Comment 7 Miroslav Grepl 2009-02-24 09:30:54 EST
Fixed in selinux-policy-3.5.13-46.fc10 and selinux-policy-3.3.1-124.fc9
Comment 8 stanl 2009-02-24 11:53:14 EST
Thanks.
Comment 9 Fedora Update System 2009-02-24 11:59:53 EST
squidGuard-1.4-2.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/squidGuard-1.4-2.fc10
Comment 10 Fedora Update System 2009-02-24 12:00:03 EST
squidGuard-1.4-2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/squidGuard-1.4-2.fc9
Comment 11 Fedora Update System 2009-02-25 11:25:47 EST
squidGuard-1.4-2.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update squidGuard'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2009-2080
Comment 12 Fedora Update System 2009-02-25 11:27:09 EST
squidGuard-1.4-2.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update squidGuard'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-2092
Comment 13 Fedora Update System 2009-02-27 22:22:40 EST
squidGuard-1.4-2.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-02-27 22:25:18 EST
squidGuard-1.4-2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.