Bug 753907 - 'local' file contexts seemingly no longer override defaults
Summary: 'local' file contexts seemingly no longer override defaults
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 19
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Reopened
Depends On:
Blocks:
 
Reported: 2011-11-14 20:26 UTC by Ben Webb
Modified: 2013-08-28 17:17 UTC (History)
Clone Of:
Last Closed: 2013-08-28 17:17:19 UTC



Description Ben Webb 2011-11-14 20:26:05 UTC
Description of problem:
Some files on our systems need to have custom contexts in order to work correctly. In the past (Fedora 15 and earlier) we have successfully used 'semanage fcontext' to do this and override the defaults. However, in Fedora 16 this no longer works - seemingly because the regex in /etc/selinux/targeted/contexts/files/file_contexts matches and is applied in preference to that in file_contexts.local. Specifically, this affects us with custom Nagios plugins (see steps below).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-55.fc16.noarch

How reproducible:
Always.

Steps to Reproduce:
1. yum install nagios-plugins
2. cd /usr/lib64/nagios/plugins; touch myplugin; ls -lZ
   Note that myplugin is labeled bin_t, the default label for Nagios plugins. But "myplugin" is a custom Nagios plugin which needs more access; we need to mark it as an unconfined plugin, so...

3. semanage fcontext -a -t nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/myplugin
4. restorecon -v *

Actual results:
restorecon does not apply the unconfined type to the Nagios plugin; it stays as bin_t. Even if we use chcon to set the type, running restorecon will just revert it back to bin_t.

Expected results:
myplugin becomes labeled as nagios_unconfined_plugin_exec_t. (This is what happened in Fedora 15 and earlier.)

Additional info:
semanage still seems to work in some instances. For example, we have a MATLAB installation which lives in /usr/lib/matlab-7.13.0.564/. This contains a bunch of DSOs in /usr/lib/matlab-7.13.0.564/bin/glnxa64/, which are (by default) labeled as bin_t. However, some of them contain text relocations, so we mark them accordingly, i.e.

semanage fcontext -a -t textrel_shlib_t /usr/lib/matlab-7.13.0.564/bin/glnxa64/libtbb.so.2

In this case, restorecon *does* set the file context correctly. It's not clear to me why one case works and the other does not, but this might help you to pin down the problem.

Comment 1 Daniel Walsh 2011-11-14 21:32:57 UTC
Try

# semanage fcontext -a -t nagios_unconfined_plugin_exec_t /usr/lib/nagios/plugins/myplugin


The problem is label substitution.

We substitute /usr/lib for /usr/lib64 in restorecon.

Comment 2 Ben Webb 2011-11-14 21:52:31 UTC
(In reply to comment #1)
> We substitute /usr/lib for /usr/lib64 in restorecon.

That's it, thanks! Works fine on our systems with that substitution. I did read the restorecon man page before reporting the bug, but saw no mention of this there - might be useful to mention this label substitution there (and/or have "semanage fcontext" warn or do the reverse substitution if the user tries to add a /usr/lib64/ file context).

Comment 3 Daniel Walsh 2011-11-16 20:44:59 UTC
I added a fix for this in 

policycoreutils-2.1.4-10.fc16

 semanage fcontext -a -t etc_t /usr/lib64/dan
/usr/sbin/semanage: File spec /usr/lib64/dan conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/dan' instead
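The path substitution comment 1 describes and the conflict check comment 3 shows, modelled in Python as an added example (this is not the policycoreutils/semanage source). The rule set is constructed: Fedora's '/usr/lib64 /usr/lib' rule plus the '-e /mnt /fs' rule from comment 7, so the same check also covers the source of a new equivalence rule, as comment 7 asks for.

```python
"""Model of why a file spec under an equivalence-rule source never matches:
restorecon rewrites the path before consulting file_contexts, so the spec
must be added under the rewritten path (constructed example, not semanage)."""
from typing import Optional

# Constructed rules, stored as 'source target' like the semanage output:
# any path under the key is looked up as if it were under the value.
EQUIV_RULES = {
    "/usr/lib64": "/usr/lib",
    "/fs": "/mnt",
}

def matching_rule(path: str, rules: dict) -> Optional[str]:
    """Longest rule source covering PATH at a path-component boundary
    (libselinux applies substitutions per component, so /usr/lib64x is untouched)."""
    best = None
    for src in rules:
        if path == src or path.startswith(src.rstrip("/") + "/"):
            if best is None or len(src) > len(best):
                best = src
    return best

def substitute(path: str, rules: dict) -> str:
    """Rewrite PATH the way restorecon does before matching file_contexts."""
    src = matching_rule(path, rules)
    return path if src is None else rules[src] + path[len(src):]

def check_file_spec(spec: str, rules: dict) -> Optional[str]:
    """Return the semanage-style error for SPEC if a rule would shadow it, else None."""
    src = matching_rule(spec, rules)
    if src is None:
        return None
    return ("File spec %s conflicts with equivalency rule '%s %s'; "
            "Try adding '%s' instead" % (spec, src, rules[src], substitute(spec, rules)))

def add_equiv_rule(src: str, dst: str, rules: dict) -> None:
    """Model 'semanage fcontext -a -e DST SRC': reject SRC when an existing
    rule already rewrites it (the missing check from comment 7), else store it."""
    err = check_file_spec(src, rules)
    if err is not None:
        raise ValueError(err)
    rules[src] = dst

if __name__ == "__main__":
    # The reporter's case: the lib64 spec is shadowed, the lib spec is not.
    print(check_file_spec("/usr/lib64/nagios/plugins/myplugin", EQUIV_RULES))
    print(check_file_spec(substitute("/usr/lib64/nagios/plugins/myplugin", EQUIV_RULES), EQUIV_RULES))
```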

Comment 4 Fedora Update System 2011-11-17 20:22:57 UTC
policycoreutils-2.1.4-10.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/policycoreutils-2.1.4-10.fc16

Comment 5 Fedora Update System 2011-11-19 05:57:06 UTC
Package policycoreutils-2.1.4-10.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.4-10.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16077/policycoreutils-2.1.4-10.fc16
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-11-21 22:53:32 UTC
policycoreutils-2.1.4-10.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Edgar Hoch 2011-11-29 20:50:30 UTC
Could you add the fix also for fcontext equivalence rules, please?

Test case:

# semanage fcontext -a -e /mnt /fs
# semanage fcontext -a -t var_lib_t /fs/database
/usr/sbin/semanage: File spec /fs/database conflicts with equivalency rule '/fs /mnt'; Try adding '/mnt/database' instead
# semanage fcontext -a -e /var/lib/mysql /fs/database/mysql
#

In the last command I think we should also get a conflict error message like in the command before.

Otherwise the behavior of the SELinux implementation should be fixed.
In the example above files in /fs/database/mysql are still labeled mnt_t instead of mysqld_db_t.

SELinux Local fcontext Equivalence 

/fs = /mnt
/fs/database/mysql = /var/lib/mysql

Comment 8 Fedora End Of Life 2013-01-16 22:39:46 UTC
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 9 Fedora End Of Life 2013-04-03 19:19:59 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could also affect pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 10 Daniel Walsh 2013-08-28 17:17:19 UTC
This seems to be fixed in the current release.

# semanage fcontext -a -e /mnt /fs
# semanage fcontext -a -e /var/lib/mysql /fs/database/mysql
ValueError: File spec /fs/database/mysql conflicts with equivalency rule '/fs /mnt'; Try adding '/mnt/database/mysql' instead

