Bug 699449 - mislabelled files after boot
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Blocks: RHEL62CCC 846801 846802
Reported: 2011-04-25 13:30 EDT by Linda Knippers
Modified: 2012-08-08 14:29 EDT
Fixed In Version: selinux-policy-3.7.19-90.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 08:28:01 EDT
Description Linda Knippers 2011-04-25 13:30:20 EDT
Description of problem:
I'm running RHEL6.1 snap 3 with the MLS policy in the evaluated
configuration.  After I boot the system and log onto the serial
console and run 'restorecon -r -v /', I always get these label changes:

restorecon reset /dev/hpilo context system_u:object_r:device_t:s15:c0.c1023->system_u:object_r:device_t:s0
restorecon reset /dev/ttyS1 context root:object_r:user_tty_device_t:s0->system_u:object_r:tty_device_t:s0
restorecon reset /var/cache/libvirt/qemu context system_u:object_r:virt_cache_t:s0->system_u:object_r:virt_cache_t:s0-s15:c0.c1023

If I log off and log back in on the console as a regular user, 
restorecon shows this:

restorecon reset /dev/ttyS1 context staff_u:object_r:user_tty_device_t:s0->system_u:object_r:tty_device_t:s0

Logged off and back in as root:

restorecon reset /dev/ttyS1 context root:object_r:user_tty_device_t:s0->system_u:object_r:tty_device_t:s0

I don't know what the right labels should be but the files seem to be
created in a way that is inconsistent with the policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch
selinux-policy-mls-3.7.19-82.el6.noarch
selinux-policy-targeted-3.7.19-82.el6.noarch


How reproducible:

Very.  The hpilo and qemu contexts get changed on every boot.
The /dev/ttyS1 (my console) gets changed after every login.

Steps to Reproduce:
1. boot the system
2. run 'restorecon -r -v /'

Actual results:
The label changes listed above

Expected results:
No label changes

Additional info:
Comment 2 Daniel Walsh 2011-04-25 15:24:30 EDT
TTYs are labeled differently depending on the user that is logged in.  A tty that is not being used by a user would be labeled as tty_device_t, while a tty assigned to a logged-in user would be user_tty_device_t, so these labels are correct.

/dev/hpilo being mislabeled is a bug in policy, this directory must be being created by cups?  and I guess it has to be SystemHigh?


What does this show?

ls -lZd /var/cache/libvirt


We probably want the context to be.


/var/cache/libvirt	-d	gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
/var/cache/libvirt/.*		<<None>>
Comment 3 Daniel Walsh 2011-04-25 15:27:18 EDT
Also might need 

/dev/hpilo		-d	gen_context(system_u:object_r:device_t,mls_systemhigh)
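
A way to triage the `restorecon -v` output from the description along the lines of comment 2, as an added example that is not part of the original thread: it splits each old and new context into user, role, type and MLS range, then separates the login-time tty relabel from entries where only the range differs. The function names and verdict strings are hypothetical, and treating `user_tty_device_t` to `tty_device_t` as the only expected pair is an assumption of the example.

```python
import re

# Format of one `restorecon -v` line as shown in the report.
LINE_RE = re.compile(r"^restorecon reset (\S+) context (\S+)->(\S+)$")
FIELDS = ("user", "role", "type", "range")

# Assumption for this example: the only login-managed type pair is the one
# named in comment 2 (a tty in use vs. an idle tty).
LOGIN_TTY_TYPES = {("user_tty_device_t", "tty_device_t")}


def split_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not an MLS context: {ctx!r}")
    return dict(zip(FIELDS, parts))


def triage(line):
    """Return (path, changed_fields, verdict) for one restorecon line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    path, old, new = m.group(1), split_context(m.group(2)), split_context(m.group(3))
    changed = [f for f in FIELDS if old[f] != new[f]]
    if (old["type"], new["type"]) in LOGIN_TTY_TYPES:
        verdict = "expected: tty relabelled at login"
    elif changed == ["range"]:
        verdict = "mls-range mismatch: compare file_contexts with runtime label"
    else:
        verdict = "review"
    return path, changed, verdict


def triage_all(text):
    return [r for r in map(triage, text.splitlines()) if r is not None]


# Lines copied from the report's description.
SAMPLE = """\
restorecon reset /dev/hpilo context system_u:object_r:device_t:s15:c0.c1023->system_u:object_r:device_t:s0
restorecon reset /dev/ttyS1 context root:object_r:user_tty_device_t:s0->system_u:object_r:tty_device_t:s0
restorecon reset /var/cache/libvirt/qemu context system_u:object_r:virt_cache_t:s0->system_u:object_r:virt_cache_t:s0-s15:c0.c1023
"""

if __name__ == "__main__":
    for path, changed, verdict in triage_all(SAMPLE):
        print(f"{path}: {','.join(changed)} -> {verdict}")
```
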
Comment 4 Linda Knippers 2011-04-25 15:40:29 EDT
(In reply to comment #2)
> TTYs are labeled differently depending on the user that is logged in.  A tty
> that is not being used by a user would be labeled as tty_device_t, while a tty
> assigned to a logged in user would be user_tty_device_t, so these labels are
> correct.

Ok, cool.

> /dev/hpilo being mislabeled is a bug in policy, this directory must be being
> created by cups?  and I guess it has to be SystemHigh?

/dev/hpilo is for communicating to the hp management processor (iLO).
I'm not sure what level it should be.


> What does this show?
> 
> ls -lZd /var/cache/libvirt

# ls -lZd /var/cache/libvirt
drwx------. root root system_u:object_r:virt_cache_t:SystemLow-SystemHigh /var/cache/libvirt

 
> We probably want the context to be.
> 
> 
> /var/cache/libvirt -d
> gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
> /var/cache/libvirt/.*  <<None>>
Comment 8 Miroslav Grepl 2011-04-27 03:07:36 EDT
Fixed in selinux-policy-3.7.19-90.el6
Comment 11 errata-xmlrpc 2011-05-19 08:28:01 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html
