With selinux-policy-targeted-2.4.6-255.el5 and e4fsprogs-1.41.5-3.el5 a '/sbin/setfiles' generates:
    setfiles: matchpathcon_filespec_add: conflicting specifications for /sbin/e4fsck and /sbin/fsck.ext4dev, using system_u:object_r:fsadm_exec_t:s0.
...inferring from bug 442899 comment 4, this was picked up from e2fsprogs without getting bug 286211.
Does this only show up for e4fsprogs? I'd expect e2fsprogs to behave exactly the same way:
    # ls -li /sbin/e?fsck /sbin/fsck.ext* | sort -n
    14403933 -rwxr-xr-x 3 root root 1129200 Sep 30 2008 /sbin/e2fsck
    14403933 -rwxr-xr-x 3 root root 1129200 Sep 30 2008 /sbin/fsck.ext2
    14403933 -rwxr-xr-x 3 root root 1129200 Sep 30 2008 /sbin/fsck.ext3
    14404149 -rwxr-xr-x 3 root root 317960 Sep 12 2008 /sbin/e4fsck
    14404149 -rwxr-xr-x 3 root root 317960 Sep 12 2008 /sbin/fsck.ext4
    14404149 -rwxr-xr-x 3 root root 317960 Sep 12 2008 /sbin/fsck.ext4dev
It sounds like we probably just need to teach the policy about the hardlinks in this package. dwalsh...?
-Eric
Add a -Z
    # ls -liZ /sbin/e?fsck /sbin/fsck.ext* | sort -n
re comment 1 -- guessing the contents of bug 286211 call it out (I don't have access to it), but /sbin/e2fsck is called out in file_contexts (as should e4fsck, presumably):
    /sbin/e2fsck -- system_u:object_r:fsadm_exec_t:s0
...presumably to address the conflict between:
    /sbin/.* system_u:object_r:sbin_t:s0
...and the hard links referenced as:
    /sbin/fsck.* -- system_u:object_r:fsadm_exec_t:s0
Miroslav, you need to add
    /sbin/e4fsck -- gen_context(system_u:object_r:fsadm_exec_t,s0)
to fstools.fc
Thanks Daniel. -Eric
Fixed in selinux-policy-2.4.6-264.el5
The same conflict on other files:
    # rpm -q selinux-policy
    selinux-policy-2.4.6-270.el5.noarch
    # ls -li /sbin/mke4fs /sbin/mkfs.ext4*
    32964672 -rwxr-xr-x 3 root root 211620 Jul 14 2009 /sbin/mke4fs
    32964672 -rwxr-xr-x 3 root root 211620 Jul 14 2009 /sbin/mkfs.ext4
    32964672 -rwxr-xr-x 3 root root 211620 Jul 14 2009 /sbin/mkfs.ext4dev
    # ls -Z /sbin/mke4fs /sbin/mkfs.ext4*
    -rwxr-xr-x root root system_u:object_r:fsadm_exec_t /sbin/mke4fs
    -rwxr-xr-x root root system_u:object_r:fsadm_exec_t /sbin/mkfs.ext4
    -rwxr-xr-x root root system_u:object_r:fsadm_exec_t /sbin/mkfs.ext4dev
    # restorecon -Rv /sbin/
    restorecon reset /sbin/mke4fs context system_u:object_r:fsadm_exec_t:s0->system_u:object_r:sbin_t:s0
    restorecon reset /sbin/mkfs.ext4 context system_u:object_r:sbin_t:s0->system_u:object_r:fsadm_exec_t:s0
When restorecon meets /sbin/mke4fs, it changes the context to sbin_t. When restorecon meets /sbin/mkfs.ext4, it changes the context back to fsadm_exec_t.
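The hardlink conflict reported in this thread can be reproduced offline. The following is an added example, not part of the original bug report or of the selinux-policy sources: it uses a simplified model of file_contexts lookup (each regex anchored at both ends, last matching entry wins, file-type qualifier ignored because every sample path is a regular file). SPECS holds the three entries quoted in the thread, FILES the inode/path pairs from the `ls -li` output above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three file_contexts entries quoted in the thread, generic to specific.
SPECS = [
    ("/sbin/.*",     "system_u:object_r:sbin_t:s0"),
    ("/sbin/fsck.*", "system_u:object_r:fsadm_exec_t:s0"),
    ("/sbin/e2fsck", "system_u:object_r:fsadm_exec_t:s0"),
]

# (inode, path) pairs copied from the ls -li output in the thread.
FILES = [
    (14403933, "/sbin/e2fsck"),
    (14403933, "/sbin/fsck.ext2"),
    (14403933, "/sbin/fsck.ext3"),
    (14404149, "/sbin/e4fsck"),
    (14404149, "/sbin/fsck.ext4"),
    (14404149, "/sbin/fsck.ext4dev"),
]

def expected_context(path, specs):
    """Context the policy assigns to path (simplified: last full match wins)."""
    context = None
    for regex, ctx in specs:
        if re.fullmatch(regex, path):
            context = ctx
    return context

def hardlink_conflicts(files, specs):
    """Return {inode: {path: context}} for inodes whose names disagree."""
    by_inode = defaultdict(dict)
    for inode, path in files:
        by_inode[inode][path] = expected_context(path, specs)
    # One inode carries one label, so differing per-path results make
    # restorecon/setfiles flip the label depending on traversal order.
    return {inode: labels for inode, labels in by_inode.items()
            if len(set(labels.values())) > 1}

if __name__ == "__main__":
    for inode, labels in hardlink_conflicts(FILES, SPECS).items():
        print(f"inode {inode}: conflicting specifications")
        for path, ctx in sorted(labels.items()):
            print(f"  {path} -> {ctx}")
    # Adding the explicit entry proposed in the thread removes the conflict.
    fixed = SPECS + [("/sbin/e4fsck", "system_u:object_r:fsadm_exec_t:s0")]
    print("conflicts after fix:", hardlink_conflicts(FILES, fixed))
```

On a live system the per-path lookup would come from `matchpathcon` rather than this model.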
Looks like we need /sbin/mke4fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
Yes, I need to add this label.
Fixed in selinux-policy-2.4.6-271.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2010-0182.html