Bug 746003 - reservesys does not preserve selinux context of /etc/motd
Summary: reservesys does not preserve selinux context of /etc/motd
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: tests
Version: 0.6
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: 0.15.4
Assignee: Dan Callaghan
QA Contact:
URL:
Whiteboard: SELinux
Depends On:
Blocks: 545868
TreeView+ depends on / blocked
 
Reported: 2011-10-13 15:36 UTC by Jan Hutař
Modified: 2018-02-06 00:41 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-17 22:38:57 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Hutař 2011-10-13 15:36:02 UTC 
Description of problem:
When I reserve RHEL5 system and then tries to fix SELinux contexts across /etc, I see two issues with motd caused by Beaker.


Version-Release number of selected component (if applicable):
beah-0.6.34-2.el5


How reproducible:
1 of 1


Steps to Reproduce:
1. Reserve RHEL5-Server-U7 system
2. # restorecon -vRn /etc | grep motd


Actual results:
There should be no output.


Expected results:
restorecon reset /etc/motd context root:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0
restorecon reset /etc/motd.orig context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
Comment 1 Nick Coghlan 2012-10-17 04:39:25 UTC 
Bulk reassignment of issues as Bill has moved to another team.
Comment 2 Dan Callaghan 2012-10-29 05:46:41 UTC 
Both the /distribution/reservesys and /distribution/install tasks fiddle with /etc/motd and don't preserve SELinux context.
Comment 4 Dan Callaghan 2014-01-21 06:57:04 UTC 
On Gerrit: http://gerrit.beaker-project.org/2716
Comment 5 Nick Coghlan 2014-01-21 08:33:29 UTC 
Dan,

We have an SELinux glitch in Beaker that has been there for a while, which is that /etc/motd doesn't have the right context on (at least) RHEL5U7.

The original /etc/motd in Beaker provisioned systems is created by a line like this:

    FILE=/etc/motd
    echo "** ** ** **" > $FILE

After that, we just append the rest of the message to it. The system reservation task then moves that original file aside, and creates a new one, again with a shell pipe.

These are the two files that Jan indicates have an incorrect SELinux context in the report above.

Do shell pipes in older versions of RHEL set the SELinux context correctly? If not, that would explain the incorrect contexts for these files.

If that is the case, would doing "touch $FILE" before appending to it via a pipe solve the problem? Or will we need to do an explicit restorecon to ensure we get a correct context all the way back to the dim dark early days of RHEL's SELinux support when it wasn't integrate directly into any of the core utilities?
Comment 6 Daniel Walsh 2014-01-21 16:51:03 UTC 
The SELinux context is based on the label of the object that created it and the containing directory.

In this case the init script is running as initrc_t and the directory (/etc) is labeled etc_t.

We have a rule in policy that says if a process running as initrc_t creates a file in a directory labeled etc_t, it will create it as etc_runtime_t.

sesearch -T -s initrc_t -t etc_t -c file | grep runtime
   type_transition initrc_t etc_t : file etc_runtime_t; 

The script that you have creating the file should just run restorecon and then you will not have the problem.

FILE=/etc/motd
echo "** ** ** **" > $FILE
restorecon $FILE
Comment 7 Nick Coghlan 2014-01-22 00:37:15 UTC 
Thanks Dan, we can do that.
Comment 10 Dan Callaghan 2014-02-17 22:38:57 UTC 
distribution-reservesys-3.4-3 has been released.
Note You need to log in before you can comment on or make changes to this bug.