Bug 532565 - matchpathcon_filespec_add: conflicting specifications for /sbin/e4fsck and /sbin/fsck.ext4dev
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
5.4
All Linux
low Severity low
Assigned To: Miroslav Grepl
BaseOS QE Security Team
Reported: 2009-11-02 14:54 EST by Kevin Graham
Modified: 2012-10-15 10:30 EDT
Fixed In Version: selinux-policy-2.4.6-271.el5
Doc Type: Bug Fix
Last Closed: 2010-03-30 03:50:37 EDT
Description Kevin Graham 2009-11-02 14:54:14 EST
With selinux-policy-targeted-2.4.6-255.el5 and e4fsprogs-1.41.5-3.el5 a '/sbin/setfiles' generates:

setfiles: matchpathcon_filespec_add:  conflicting specifications for /sbin/e4fsck and /sbin/fsck.ext4dev, using system_u:object_r:fsadm_exec_t:s0.

...inferring from bug 442899 comment 4, this was picked up from e2fsprogs without getting bug 286211.
Comment 1 Eric Sandeen 2009-11-02 15:31:55 EST
Does this only show up for e4fsprogs?  I'd expect e2fsprogs to behave exactly the same way:

# ls -li /sbin/e?fsck /sbin/fsck.ext* | sort -n
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30  2008 /sbin/e2fsck
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30  2008 /sbin/fsck.ext2
14403933 -rwxr-xr-x 3 root root 1129200 Sep 30  2008 /sbin/fsck.ext3
14404149 -rwxr-xr-x 3 root root  317960 Sep 12  2008 /sbin/e4fsck
14404149 -rwxr-xr-x 3 root root  317960 Sep 12  2008 /sbin/fsck.ext4
14404149 -rwxr-xr-x 3 root root  317960 Sep 12  2008 /sbin/fsck.ext4dev

It sounds like we probably just need to teach the policy about the hardlinks in this package.

dwalsh...?

-Eric
Comment 2 Daniel Walsh 2009-11-02 15:44:35 EST
Add a -Z 

# ls -liZ /sbin/e?fsck /sbin/fsck.ext* | sort -n
Comment 3 Kevin Graham 2009-11-02 15:50:56 EST
re comment 1 -- guessing the contents of bug 286211 call it out (I don't have access to it), but /sbin/e2fsck is called out in file_contexts (as should e4fsck, presumably):

   /sbin/e2fsck    --      system_u:object_r:fsadm_exec_t:s0

...presumably to address the conflict between:

   /sbin/.*        system_u:object_r:sbin_t:s0

...and the hard links referenced as:

   /sbin/fsck.*    --      system_u:object_r:fsadm_exec_t:s0
Comment 4 Daniel Walsh 2009-11-02 15:59:00 EST
Miroslav you need to add 

/sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)

to fstools.fc
Comment 5 Eric Sandeen 2009-11-02 16:00:45 EST
Thanks Daniel.

-Eric
Comment 7 Miroslav Grepl 2009-11-06 09:33:22 EST
Fixed in selinux-policy-2.4.6-264.el5
Comment 9 Milos Malik 2010-01-26 03:44:52 EST
The same conflict on other files:

# rpm -q selinux-policy
selinux-policy-2.4.6-270.el5.noarch
# ls -li /sbin/mke4fs /sbin/mkfs.ext4*
32964672 -rwxr-xr-x 3 root root 211620 Jul 14  2009 /sbin/mke4fs
32964672 -rwxr-xr-x 3 root root 211620 Jul 14  2009 /sbin/mkfs.ext4
32964672 -rwxr-xr-x 3 root root 211620 Jul 14  2009 /sbin/mkfs.ext4dev
# ls -Z /sbin/mke4fs /sbin/mkfs.ext4*
-rwxr-xr-x  root root system_u:object_r:fsadm_exec_t   /sbin/mke4fs
-rwxr-xr-x  root root system_u:object_r:fsadm_exec_t   /sbin/mkfs.ext4
-rwxr-xr-x  root root system_u:object_r:fsadm_exec_t   /sbin/mkfs.ext4dev
# restorecon -Rv /sbin/
restorecon reset /sbin/mke4fs context system_u:object_r:fsadm_exec_t:s0->system_u:object_r:sbin_t:s0
restorecon reset /sbin/mkfs.ext4 context system_u:object_r:sbin_t:s0->system_u:object_r:fsadm_exec_t:s0

When restorecon meets /sbin/mke4fs, it changes the context to sbin_t. When restorecon meets /sbin/mkfs.ext4, it changes the context back to fsadm_exec_t.
Comment 10 Daniel Walsh 2010-01-27 09:25:34 EST
Looks like we need

/sbin/mke4fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
Comment 11 Miroslav Grepl 2010-01-27 09:33:06 EST
Yes, I need to add this label.
Comment 12 Miroslav Grepl 2010-01-28 11:12:03 EST
Fixed in selinux-policy-2.4.6-271.el5
Comment 16 errata-xmlrpc 2010-03-30 03:50:37 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
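
Added example, not part of the bug thread or of selinux-policy: a small Python model of why hard links that share one inode receive conflicting labels from the file_contexts entries quoted in Comment 3, and why the entry requested in Comment 4 removes the conflict. The precedence rule used here (an exact path beats a regex, then the longest literal prefix wins) is a simplifying assumption, not libselinux's implementation; the names BEFORE, AFTER, LINKS, lookup and conflicts are hypothetical.

```python
import re
from collections import defaultdict

SBIN_T = "system_u:object_r:sbin_t:s0"
FSADM = "system_u:object_r:fsadm_exec_t:s0"

# file_contexts entries quoted in Comment 3 (file-type column omitted:
# every path below is a regular file).
BEFORE = [("/sbin/.*", SBIN_T), ("/sbin/fsck.*", FSADM), ("/sbin/e2fsck", FSADM)]
# Same list plus the entry Comment 4 asks to add to fstools.fc.
AFTER = BEFORE + [("/sbin/e4fsck", FSADM)]

# (inode, path) pairs constructed from the ls -li output in Comment 1.
LINKS = [
    (14403933, "/sbin/e2fsck"),
    (14403933, "/sbin/fsck.ext2"),
    (14403933, "/sbin/fsck.ext3"),
    (14404149, "/sbin/e4fsck"),
    (14404149, "/sbin/fsck.ext4"),
    (14404149, "/sbin/fsck.ext4dev"),
]

REGEX_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def specificity(pattern):
    """Assumed ranking: exact paths beat regexes, then longer literal prefix."""
    m = REGEX_META.search(pattern)
    return (m is None, len(pattern) if m is None else m.start())


def lookup(specs, path):
    """Return the context of the most specific entry matching path, or None."""
    # file_contexts patterns are anchored at both ends, hence fullmatch.
    hits = [(specificity(p), ctx) for p, ctx in specs if re.fullmatch(p, path)]
    return max(hits)[1] if hits else None


def conflicts(specs, links):
    """Map inode -> {path: context} for inodes whose hard links disagree."""
    by_inode = defaultdict(dict)
    for inode, path in links:
        by_inode[inode][path] = lookup(specs, path)
    return {inode: labels for inode, labels in by_inode.items()
            if len(set(labels.values())) > 1}


if __name__ == "__main__":
    for name, specs in (("before", BEFORE), ("after", AFTER)):
        print(name, conflicts(specs, LINKS) or "no conflicts")
```
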
