Bug 699449 - mislabelled files after boot
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Blocks: RHEL62CCC 846801 846802
Reported: 2011-04-25 17:30 UTC by Linda Knippers
Modified: 2012-08-08 18:29 UTC (History)
Last Closed: 2011-05-19 12:28:01 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0526 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-05-19 09:37:41 UTC

Description Linda Knippers 2011-04-25 17:30:20 UTC
Description of problem:
I'm running RHEL6.1 snap 3 with the MLS policy in the evaluated
configuration.  After I boot the system and log onto the serial
console and run 'restorecon -r -v /', I always get these label changes:

restorecon reset /dev/hpilo context system_u:object_r:device_t:s15:c0.c1023->system_u:object_r:device_t:s0
restorecon reset /dev/ttyS1 context root:object_r:user_tty_device_t:s0->system_u:object_r:tty_device_t:s0
restorecon reset /var/cache/libvirt/qemu context system_u:object_r:virt_cache_t:s0->system_u:object_r:virt_cache_t:s0-s15:c0.c1023

If I log off and log back in on the console as a regular user, 
restorecon shows this:

restorecon reset /dev/ttyS1 context staff_u:object_r:user_tty_device_t:s0->system_u:object_r:tty_device_t:s0

Logged off and back in as root:

restorecon reset /dev/ttyS1 context root:object_r:user_tty_device_t:s0->system_u:object_r:tty_device_t:s0

I don't know what the right labels should be but the files seem to be
created in a way that is inconsistent with the policy.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-82.el6.noarch
selinux-policy-mls-3.7.19-82.el6.noarch
selinux-policy-targeted-3.7.19-82.el6.noarch


How reproducible:

Very.  The hpilo and qemu contexts get changed on every boot.
The /dev/ttyS1 (my console) gets changed after every login.

Steps to Reproduce:
1. boot the system
2. run 'restorecon -r -v /'

Actual results:
The label changes listed above

Expected results:
No label changes

Additional info:

Comment 2 Daniel Walsh 2011-04-25 19:24:30 UTC
TTYs are labeled differently depending on the user that is logged in.  A tty that is not being used by a user would be labeled as tty_device_t, while a tty assigned to a logged-in user would be user_tty_device_t, so these labels are correct.

/dev/hpilo being mislabeled is a bug in policy, this directory must be being created by cups?  and I guess it has to be SystemHigh?


What does this show?

ls -lZd /var/cache/libvirt


We probably want the context to be.


/var/cache/libvirt	-d	gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
/var/cache/libvirt/.*		<<None>>

Comment 3 Daniel Walsh 2011-04-25 19:27:18 UTC
Also might need 

/dev/hpilo		-d	gen_context(system_u:object_r:device_t,mls_systemhigh)

Comment 4 Linda Knippers 2011-04-25 19:40:29 UTC
(In reply to comment #2)
> TTYs are labeled differently depending on the user that is logged in.  A tty
> that is not being used by a user would be labeled as tty_device_t, while a tty
> assigned to a logged-in user would be user_tty_device_t, so these labels are
> correct.

Ok, cool.

> /dev/hpilo being mislabeled is a bug in policy, this directory must be being
> created by cups?  and I guess it has to be SystemHigh?

/dev/hpilo is for communicating to the hp management processor (iLO).
I'm not sure what level it should be.


> What does this show?
> 
> ls -lZd /var/cache/libvirt

# ls -lZd /var/cache/libvirt
drwx------. root root system_u:object_r:virt_cache_t:SystemLow-SystemHigh /var/cache/libvirt

 
> We probably want the context to be.
> 
> 
> /var/cache/libvirt -d gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
> /var/cache/libvirt/.*  <<None>>

Comment 8 Miroslav Grepl 2011-04-27 07:07:36 UTC
Fixed in selinux-policy-3.7.19-90.el6

Comment 11 errata-xmlrpc 2011-05-19 12:28:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html

