RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 747345 - semanage is changing permissions of /etc/selinux files
Summary: semanage is changing permissions of /etc/selinux files
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: libsemanage
Version: 6.2
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: Miroslav Vadkerti
URL:
Whiteboard:
Depends On:
Blocks: RHEL62CCC 750914 846801 846802
TreeView+ depends on / blocked
 
Reported: 2011-10-19 14:51 UTC by Miroslav Vadkerti
Modified: 2016-09-06 12:26 UTC (History)
10 users (show)

Fixed In Version: libsemanage-2.0.43-4.1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-12-06 19:04:13 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Save, clear, and restore umask around file creation by libsemanage. (945 bytes, patch)
2011-10-19 16:57 UTC, Stephen Smalley 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1770 0 normal SHIPPED_LIVE libsemanage bug fix update 2011-12-06 01:01:33 UTC

Description Miroslav Vadkerti 2011-10-19 14:51:56 UTC 
Description of problem:
During development of CC tests we found an issue with semanage. It is changing permissions of /etc/selinux files according to the set umask. This has large side effects, e.g. with umask 027 it makes restorecon unusable for ordinary users. This bug was found on an MLS machine applies generally.

Reproducer:
# umask
0027
# ll /etc/selinux/mls/contexts/files/file_contexts
-rw-r--r--. 1 root root 224235 Oct 19 09:29 /etc/selinux/mls/contexts/files/file_contexts
# mkdir /d
# semanage fcontext -a -t home_root_t /d
# ll /etc/selinux/mls/contexts/files/file_contexts
-rw-r-----. 1 root root 224235 Oct 19 09:38 /etc/selinux/mls/contexts/files/file_contexts

Version-Release number of selected component (if applicable):
policycoreutils-python-2.0.83-19.16.el6

How reproducible:
100%

Steps to Reproduce:
see description
  
Actual results:
semanage changes file permissions

Expected results:
semanage doesn't change file permissions

Additional info:
I can reproduce this also in policycoreutils-python from RHEL6.0:
policycoreutils-python-2.0.83-19.1.el6.x86_64
Comment 1 Daniel Walsh 2011-10-19 15:08:53 UTC 
I am not sure if this is a bug or not.  Users generally should not be running restorecon. Currently we do not have hard coded permissions for these files.
Comment 2 Miroslav Vadkerti 2011-10-19 15:19:48 UTC 
This is an issue with semanage changing permissions on several files in /etc/selinux according to umask. Is this on purpose?

For example if user wants to use ssh-copy-id he ends up with permission denied because it runs restorecon:
# grep -n restorecon $(which ssh-copy-id)
41:{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon .ssh .ssh/authorized_keys" || exit 1
Comment 3 Miroslav Grepl 2011-10-19 15:35:02 UTC 
I would say, if an admin sets umask, then probably is expected the restorecon won't work for users.
Comment 4 Miroslav Vadkerti 2011-10-19 15:48:58 UTC 
If this won't be fixed in semanage, we will need to fix openssh.
Comment 5 Stephen Smalley 2011-10-19 16:22:12 UTC 
Maybe libsemanage should save and restore umask() when creating files?  It already allows file mode to be specified via semanage.conf, but doesn't save/restore umask and thus is subject to caller's umask.
Comment 6 Stephen Smalley 2011-10-19 16:40:41 UTC 
I'd say this is similar to the situation when someone runs adduser and /etc/passwd gets re-created; the permissions of /etc/passwd aren't subject to the caller's umask, right?  So libsemanage ought to save and clear the umask before creating files and restore it afterward.  Simple patch to semanage_copy_file().
Comment 7 Eduard Benes 2011-10-19 16:43:04 UTC 
(In reply to comment #5)
> Maybe libsemanage should save and restore umask() when creating files?  It
> already allows file mode to be specified via semanage.conf, but doesn't
> save/restore umask and thus is subject to caller's umask.

I agree, you are reading my thoughts. I think that unless there is another way how to preserve the correct contexts for ssh-copy-id this is the most appropriate solution.
Comment 8 Stephen Smalley 2011-10-19 16:57:26 UTC 
Created attachment 529059 [details]
Save, clear, and restore umask around file creation by libsemanage.
Comment 9 Tomas Mraz 2011-10-19 18:20:13 UTC 
Or it should copy the permissions from the original file with chmod() call.
Comment 14 Daniel Walsh 2011-10-20 19:34:15 UTC 
Patch applied in libsemanage-2.0.45-1.1.el6
Comment 19 errata-xmlrpc 2011-12-06 19:04:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1770.html
Note You need to log in before you can comment on or make changes to this bug.