Description of problem:
Someone renamed the matahari-net init script to matahari-network, but did not tell the SELinux guys about it, which means that the matahari-network init script is now labelled initrc_exec_t instead of matahari_initrc_exec_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-115.el6.noarch
selinux-policy-minimum-3.7.19-115.el6.noarch
selinux-policy-doc-3.7.19-115.el6.noarch
selinux-policy-targeted-3.7.19-115.el6.noarch
selinux-policy-mls-3.7.19-115.el6.noarch
matahari-lib-0.4.4-2.el6.x86_64
matahari-network-0.4.4-2.el6.x86_64
matahari-debuginfo-0.4.4-2.el6.x86_64
matahari-broker-0.4.4-2.el6.x86_64
matahari-sysconfig-0.4.4-2.el6.x86_64
matahari-agent-lib-0.4.4-2.el6.x86_64
matahari-host-0.4.4-2.el6.x86_64
matahari-0.4.4-2.el6.x86_64
matahari-consoles-0.4.4-2.el6.x86_64
matahari-service-0.4.4-2.el6.x86_64

Steps to Reproduce:
# matchpathcon /etc/rc.d/init.d/matahari-net
/etc/rc.d/init.d/matahari-net	system_u:object_r:matahari_initrc_exec_t:s0
# matchpathcon /etc/rc.d/init.d/matahari-network
/etc/rc.d/init.d/matahari-network	system_u:object_r:initrc_exec_t:s0
#

Actual results:
# matchpathcon /etc/rc.d/init.d/matahari-*
/etc/rc.d/init.d/matahari-broker	system_u:object_r:initrc_exec_t:s0
/etc/rc.d/init.d/matahari-host	system_u:object_r:matahari_initrc_exec_t:s0
/etc/rc.d/init.d/matahari-network	system_u:object_r:initrc_exec_t:s0
/etc/rc.d/init.d/matahari-service	system_u:object_r:matahari_initrc_exec_t:s0
/etc/rc.d/init.d/matahari-sysconfig	system_u:object_r:initrc_exec_t:s0
/etc/rc.d/init.d/matahari-sysconfig-console	system_u:object_r:initrc_exec_t:s0

Expected results:
* all matahari init scripts are labelled matahari_initrc_exec_t

Unfortunately, the following binaries were also renamed, which means they are all labelled bin_t now.

# matchpathcon /usr/sbin/matahari-*
/usr/sbin/matahari-brokerd	system_u:object_r:bin_t:s0
/usr/sbin/matahari-dbus-hostd	system_u:object_r:bin_t:s0
/usr/sbin/matahari-dbus-networkd	system_u:object_r:bin_t:s0
/usr/sbin/matahari-dbus-serviced	system_u:object_r:bin_t:s0
/usr/sbin/matahari-qmf-hostd	system_u:object_r:bin_t:s0
/usr/sbin/matahari-qmf-networkd	system_u:object_r:bin_t:s0
/usr/sbin/matahari-qmf-service-cli	system_u:object_r:bin_t:s0
/usr/sbin/matahari-qmf-serviced	system_u:object_r:bin_t:s0
/usr/sbin/matahari-qmf-sysconfig-consoled	system_u:object_r:bin_t:s0
/usr/sbin/matahari-qmf-sysconfigd	system_u:object_r:bin_t:s0
#

Milos, how were these binaries named?

Old names
=======
/usr/sbin/matahari-hostd
/usr/sbin/matahari-netd
/usr/sbin/matahari-serviced

New names
=======
-rwxr-xr-x. 1 root root 13268 Sep 9 09:51 /usr/sbin/matahari-dbus-hostd
-rwxr-xr-x. 1 root root 10296 Sep 9 09:51 /usr/sbin/matahari-dbus-networkd
-rwxr-xr-x. 1 root root 16056 Sep 9 09:51 /usr/sbin/matahari-dbus-serviced
-rwxr-xr-x. 1 root root 52708 Sep 9 09:51 /usr/sbin/matahari-qmf-hostd
-rwxr-xr-x. 1 root root 29692 Sep 9 09:51 /usr/sbin/matahari-qmf-networkd
-rwxr-xr-x. 1 root root 73128 Sep 9 09:51 /usr/sbin/matahari-qmf-serviced

But their count doubled.

OK, we really need to fix it in this case.
I just checked in a fix for F16.
Fixed in selinux-policy-3.7.19-116.el6

Fixed in selinux-policy-3.7.19-118.el6.noarch

matchpathcon /usr/sbin/matahari-*net*
/usr/sbin/matahari-netd	system_u:object_r:matahari_netd_exec_t:s0

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html
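
The check carried out by hand in this report can be scripted: the following is an added example, not part of the original bug report or of selinux-policy, that reads matchpathcon output and lists the paths whose expected label is only a generic type. The function names are hypothetical, the list of generic types is an assumption taken from the two types named in this report, and the sample input is copied from the matchpathcon output above.

```shell
#!/bin/sh
# Added example: flag paths whose expected SELinux label is only a generic
# type, which is what happens when a file is renamed and the policy's
# file-context entries still match the old name.
# Input: matchpathcon output, "<path><whitespace><user:role:type:level>".

# Assumption: the generic types of interest are the two seen in this report.
GENERIC_TYPES="initrc_exec_t bin_t"

# find_generic_labels: read matchpathcon output on stdin and print
# "<path> <type>" for every entry whose type is listed in GENERIC_TYPES.
find_generic_labels() {
    while read -r path context; do
        # Skip blank or malformed lines.
        [ -n "$path" ] && [ -n "$context" ] || continue
        # The type is the third colon-separated field of the context.
        type=$(printf '%s\n' "$context" | cut -d: -f3)
        for generic in $GENERIC_TYPES; do
            if [ "$type" = "$generic" ]; then
                printf '%s %s\n' "$path" "$type"
            fi
        done
    done
}

# sample_output: lines copied from the matchpathcon output in this report
# (all six init scripts, plus two of the renamed binaries).
sample_output() {
    cat <<'EOF'
/etc/rc.d/init.d/matahari-broker system_u:object_r:initrc_exec_t:s0
/etc/rc.d/init.d/matahari-host system_u:object_r:matahari_initrc_exec_t:s0
/etc/rc.d/init.d/matahari-network system_u:object_r:initrc_exec_t:s0
/etc/rc.d/init.d/matahari-service system_u:object_r:matahari_initrc_exec_t:s0
/etc/rc.d/init.d/matahari-sysconfig system_u:object_r:initrc_exec_t:s0
/etc/rc.d/init.d/matahari-sysconfig-console system_u:object_r:initrc_exec_t:s0
/usr/sbin/matahari-brokerd system_u:object_r:bin_t:s0
/usr/sbin/matahari-qmf-hostd system_u:object_r:bin_t:s0
EOF
}

# On a live system, feed real output instead of the sample:
#   matchpathcon /etc/rc.d/init.d/matahari-* /usr/sbin/matahari-* | find_generic_labels
sample_output | find_generic_labels
```

Run after a package update, an empty result means every listed path matches a domain-specific file-context entry.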