Description of problem: When I reserve RHEL5 system and then tries to fix SELinux contexts across /etc, I see two issues with motd caused by Beaker. Version-Release number of selected component (if applicable): beah-0.6.34-2.el5 How reproducible: 1 of 1 Steps to Reproduce: 1. Reserve RHEL5-Server-U7 system 2. # restorecon -vRn /etc | grep motd Actual results: There should be no output. Expected results: restorecon reset /etc/motd context root:object_r:etc_t:s0->system_u:object_r:etc_runtime_t:s0 restorecon reset /etc/motd.orig context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
Bulk reassignment of issues as Bill has moved to another team.
Both the /distribution/reservesys and /distribution/install tasks fiddle with /etc/motd and don't preserve SELinux context.
On Gerrit: http://gerrit.beaker-project.org/2716
Dan, We have an SELinux glitch in Beaker that has been there for a while, which is that /etc/motd doesn't have the right context on (at least) RHEL5U7. The original /etc/motd in Beaker provisioned systems is created by a line like this: FILE=/etc/motd echo "** ** ** **" > $FILE After that, we just append the rest of the message to it. The system reservation task then moves that original file aside, and creates a new one, again with a shell pipe. These are the two files that Jan indicates have an incorrect SELinux context in the report above. Do shell pipes in older versions of RHEL set the SELinux context correctly? If not, that would explain the incorrect contexts for these files. If that is the case, would doing "touch $FILE" before appending to it via a pipe solve the problem? Or will we need to do an explicit restorecon to ensure we get a correct context all the way back to the dim dark early days of RHEL's SELinux support when it wasn't integrate directly into any of the core utilities?
The SELinux context is based on the label of the object that created it and the containing directory. In this case the init script is running as initrc_t and the directory (/etc) is labeled etc_t. We have a rule in policy that says if a process running as initrc_t creates a file in a directory labeled etc_t, it will create it as etc_runtime_t. sesearch -T -s initrc_t -t etc_t -c file | grep runtime type_transition initrc_t etc_t : file etc_runtime_t; The script that you have creating the file should just run restorecon and then you will not have the problem. FILE=/etc/motd echo "** ** ** **" > $FILE restorecon $FILE
Thanks Dan, we can do that.
distribution-reservesys-3.4-3 has been released.