Bug 737844 - config_homt_t on /run/user/*/dconf should apparently be user_tmp_t
Summary: config_homt_t on /run/user/*/dconf should apparently be user_tmp_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: checkpolicy
Version: 16
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-13 08:53 UTC by Mads Kiilerich
Modified: 2011-09-23 04:01 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.10.0-32.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-23 04:01:21 UTC


Attachments (Terms of Use)

Description Mads Kiilerich 2011-09-13 08:53:20 UTC
I see

# restorecon -vrn /run
restorecon reset /run/user/mk/dconf context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0
restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:config_home_t:s0->system_u:object_r:user_tmp_t:s0

I would expect these files on tmpfs to be created correctly from the beginning. I don't know if it could be enforced in the policy or if dconf should do something in a different way.

selinux-policy-3.10.0-25.fc16.noarch
libselinux-2.1.5-4.fc16.x86_64
dconf-0.9.0-1.fc16.x86_64
dracut-013-8.fc16.noarch
systemd-35-1.fc16.x86_64
kernel-3.1.0-0.rc6.git0.0.fc16.x86_64

Comment 1 Mads Kiilerich 2011-09-13 08:53:58 UTC
This happens after 
Bug 737837 - systemd-tmpfiles: Failed to set security context ... for /var: Permission denied
and could thus be related.

Comment 2 Miroslav Grepl 2011-09-13 14:15:21 UTC
I am building  a new f16 policy which should have a fix.

Comment 3 Daniel Walsh 2011-09-13 15:05:31 UTC
selinux-policy-3.10.0-28.fc16  should have fix for systemd-tmpfiles problems.

Comment 4 Mads Kiilerich 2011-09-13 21:27:27 UTC
Heh, it seems like you got two conflicting fixes - now we have the opposite prooblem.

After an enforcing reboot:

# restorecon -vrn /run
restorecon reset /run/user/mk/dconf context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/gdm/dconf context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/gdm/dconf/user context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.10.0-28.fc16.noarch

Comment 5 Miroslav Grepl 2011-09-14 05:21:51 UTC
ok, how about dmesg issues?

Comment 6 Miroslav Grepl 2011-09-14 05:22:31 UTC
You will need to update on selinux-policy-3.10.0-29.fc16

Comment 7 Mads Kiilerich 2011-09-17 12:25:59 UTC
With

selinux-policy-targeted-3.10.0-29.1.fc16.noarch
libselinux-2.1.5-5.fc16.x86_64
systemd-35-1.fc16.x86_64
kernel-3.1.0-0.rc6.git0.0.fc16.x86_64

and after a relabeling boot and login as mk I get:

# restorecon -rvn /run
restorecon reset /run/user/mk/dconf context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/gdm/dconf context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/gdm/dconf/user context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0

- and I also don't see any indication of any fix in the changelog

Comment 8 Miroslav Grepl 2011-09-20 12:08:14 UTC
Ok, the problem is file name transition does not work correctly.

Comment 9 Fedora Update System 2011-09-20 15:35:12 UTC
checkpolicy-2.1.3-1.1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/checkpolicy-2.1.3-1.1.fc16

Comment 10 Fedora Update System 2011-09-20 19:05:00 UTC
Package checkpolicy-2.1.3-1.1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing checkpolicy-2.1.3-1.1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/checkpolicy-2.1.3-1.1.fc16
then log in and leave karma (feedback).

Comment 11 Mads Kiilerich 2011-09-20 20:33:27 UTC
I installed
selinux-policy-targeted-3.10.0-31.fc16.noarch
checkpolicy-2.1.3-1.1.fc16.x86_64
and rebooted-relabeled, but still:

# restorecon -rvn /run
restorecon reset /run/user/mk/dconf context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/mk/dconf/user context unconfined_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/gdm/dconf context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0
restorecon reset /run/user/gdm/dconf/user context system_u:object_r:user_tmp_t:s0->system_u:object_r:config_home_t:s0

(/home/mk is an nfs mount and I have use_nfs_home_dirs on - I doubt that could make any difference, but just in case...)

Comment 12 Daniel Walsh 2011-09-20 20:45:01 UTC
I have not investigated these, but they should not cause problems.  I am more concerned about livecd or full installed logins blowing up.

Comment 13 Mads Kiilerich 2011-09-21 14:53:28 UTC
Seems to be solved by selinux-policy-targeted-3.10.0-32.fc16.noarch too.

Comment 14 Fedora Update System 2011-09-21 22:13:56 UTC
Package selinux-policy-3.10.0-32.fc16, checkpolicy-2.1.3-1.2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-32.fc16 checkpolicy-2.1.3-1.2.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-32.fc16,checkpolicy-2.1.3-1.2.fc16
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2011-09-23 04:01:01 UTC
selinux-policy-3.10.0-32.fc16, checkpolicy-2.1.3-1.2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.