Bug 532565 - matchpathcon_filespec_add: conflicting specifications for /sbin/e4fsck and /sbin/fsck.ext4dev
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2009-11-02 19:54 UTC by Kevin Graham
Modified: 2012-10-15 14:30 UTC (History)

Fixed In Version: selinux-policy-2.4.6-271.el5
Doc Type: Bug Fix
Last Closed: 2010-03-30 07:50:37 UTC

Links
System: Red Hat Product Errata
ID: RHBA-2010:0182
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2010-03-29 12:19:53 UTC

Description Kevin Graham 2009-11-02 19:54:14 UTC
With selinux-policy-targeted-2.4.6-255.el5 and e4fsprogs-1.41.5-3.el5 a '/sbin/setfiles' generates:

setfiles: matchpathcon_filespec_add:  conflicting specifications for /sbin/e4fsck and /sbin/fsck.ext4dev, using system_u:object_r:fsadm_exec_t:s0.

...inferring from bug 442899 comment 4, this was picked up from e2fsprogs without getting bug 286211.

Comment 1 Eric Sandeen 2009-11-02 20:31:55 UTC
Does this only show up for e4fsprogs?  I'd expect e2fsprogs to behave exactly the same way:

# ls -li /sbin/e?fsck /sbin/fsck.ext* | sort -n
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30  2008 /sbin/e2fsck
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30  2008 /sbin/fsck.ext2
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30  2008 /sbin/fsck.ext3
14404149 -rwxr-xr-x 3 root root  317960 Sep 12  2008 /sbin/e4fsck
14404149 -rwxr-xr-x 3 root root  317960 Sep 12  2008 /sbin/fsck.ext4
14404149 -rwxr-xr-x 3 root root  317960 Sep 12  2008 /sbin/fsck.ext4dev

It sounds like we probably just need to teach the policy about the hardlinks in this package.

dwalsh...?

-Eric

Comment 2 Daniel Walsh 2009-11-02 20:44:35 UTC
Add a -Z 

# ls -liZ /sbin/e?fsck /sbin/fsck.ext* | sort -n

Comment 3 Kevin Graham 2009-11-02 20:50:56 UTC
re comment 1 -- guessing the contents of bug 286211 call it out (I don't have access to it), but /sbin/e2fsck is called out in file_contexts (as should e4fsck, presumably):

   /sbin/e2fsck    --      system_u:object_r:fsadm_exec_t:s0

...presumably to address the conflict between:

   /sbin/.*        system_u:object_r:sbin_t:s0

...and the hard links referenced as:

   /sbin/fsck.*    --      system_u:object_r:fsadm_exec_t:s0

Comment 4 Daniel Walsh 2009-11-02 20:59:00 UTC
Miroslav, you need to add

/sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)

to fstools.fc
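
Added example, not part of the original bug thread and not libselinux or policy code: a Python sketch that groups hard-linked names by inode and reports groups whose names resolve to different contexts, using the specs quoted in Comment 3 and the inode listing from Comment 1. The precedence rule (literal path, then longer literal stem, then longer regex, then explicit file type) is an assumed simplification of file_contexts ordering, and the expanded form of the Comment 4 line is likewise an assumption.

```python
import re
from collections import defaultdict

META = set(".^$?*+|[({\\")  # characters that make a spec a regex, not a literal path

def parse_specs(text):
    """Parse file_contexts lines of the form: regex [file-type] context."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, ftype, context = parts[0], (parts[1] if len(parts) == 3 else None), parts[-1]
        stem = next((i for i, c in enumerate(regex) if c in META), len(regex))
        # Assumed, simplified precedence: literal path, then longer literal
        # stem, then longer regex, then an explicit file type.
        rank = (stem == len(regex), stem, len(regex), ftype is not None)
        specs.append((rank, re.compile(regex), ftype, context))
    return specs

def lookup(specs, path):
    """Context of the most specific spec matching a regular file at path."""
    hits = [s for s in specs if s[2] in (None, "--") and s[1].fullmatch(path)]
    return max(hits, key=lambda s: s[0])[3] if hits else None

def hardlink_conflicts(specs, listing):
    """Map inode -> {path: context} for inodes whose names resolve differently."""
    groups = defaultdict(dict)
    for inode, path in listing:
        groups[inode][path] = lookup(specs, path)
    return {i: g for i, g in groups.items() if len(set(g.values())) > 1}

# Specs quoted in Comment 3; inode/path pairs from the ls -li output in Comment 1.
BEFORE = """\
/sbin/.*                system_u:object_r:sbin_t:s0
/sbin/fsck.*    --      system_u:object_r:fsadm_exec_t:s0
/sbin/e2fsck    --      system_u:object_r:fsadm_exec_t:s0
"""
# Assumed expanded form of the fstools.fc line from Comment 4.
AFTER = BEFORE + "/sbin/e4fsck    --      system_u:object_r:fsadm_exec_t:s0\n"
LISTING = [(14403933, "/sbin/e2fsck"), (14403933, "/sbin/fsck.ext2"),
           (14403933, "/sbin/fsck.ext3"), (14404149, "/sbin/e4fsck"),
           (14404149, "/sbin/fsck.ext4"), (14404149, "/sbin/fsck.ext4dev")]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, hardlink_conflicts(parse_specs(text), LISTING))
```

On a live system the listing would come from walking the directory with os.lstat and the lookup from matchpathcon, so the regex model here is only for reasoning about a policy change offline.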

Comment 5 Eric Sandeen 2009-11-02 21:00:45 UTC
Thanks Daniel.

-Eric

Comment 7 Miroslav Grepl 2009-11-06 14:33:22 UTC
Fixed in selinux-policy-2.4.6-264.el5

Comment 9 Milos Malik 2010-01-26 08:44:52 UTC
The same conflict on other files:

# rpm -q selinux-policy
selinux-policy-2.4.6-270.el5.noarch
# ls -li /sbin/mke4fs /sbin/mkfs.ext4*
32964672 -rwxr-xr-x 3 root root 211620 Jul 14  2009 /sbin/mke4fs
32964672 -rwxr-xr-x 3 root root 211620 Jul 14  2009 /sbin/mkfs.ext4
32964672 -rwxr-xr-x 3 root root 211620 Jul 14  2009 /sbin/mkfs.ext4dev
# ls -Z /sbin/mke4fs /sbin/mkfs.ext4*
-rwxr-xr-x  root root system_u:object_r:fsadm_exec_t   /sbin/mke4fs
-rwxr-xr-x  root root system_u:object_r:fsadm_exec_t   /sbin/mkfs.ext4
-rwxr-xr-x  root root system_u:object_r:fsadm_exec_t   /sbin/mkfs.ext4dev
# restorecon -Rv /sbin/
restorecon reset /sbin/mke4fs context system_u:object_r:fsadm_exec_t:s0->system_u:object_r:sbin_t:s0
restorecon reset /sbin/mkfs.ext4 context system_u:object_r:sbin_t:s0->system_u:object_r:fsadm_exec_t:s0

When restorecon meets /sbin/mke4fs, it changes the context to sbin_t. When restorecon meets /sbin/mkfs.ext4, it changes the context back to fsadm_exec_t.

Comment 10 Daniel Walsh 2010-01-27 14:25:34 UTC
Looks like we need

/sbin/mke4fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)

Comment 11 Miroslav Grepl 2010-01-27 14:33:06 UTC
Yes, I need to add this label.

Comment 12 Miroslav Grepl 2010-01-28 16:12:03 UTC
Fixed in selinux-policy-2.4.6-271.el5

Comment 16 errata-xmlrpc 2010-03-30 07:50:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
