Description of problem:
Some files on our systems need to have custom contexts in order to work correctly. In the past (Fedora 15 and earlier) we have successfully used 'semanage fcontext' to do this and override the defaults. However, in Fedora 16 this no longer works - seemingly because the regex in /etc/selinux/targeted/contexts/files/file_contexts matches and is applied in preference to that in file_contexts.local. Specifically, this affects us with custom Nagios plugins (see steps below).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-55.fc16.noarch

How reproducible:
Always.

Steps to Reproduce:
1. yum install nagios-plugins
2. cd /usr/lib64/nagios/plugins; touch myplugin; ls -lZ
   Note that myplugin is labeled bin_t, the default label for Nagios plugins. But "myplugin" is a custom Nagios plugin which needs more access; we need to mark it as an unconfined plugin, so...
3. semanage fcontext -a -t nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/myplugin
4. restorecon -v *

Actual results:
restorecon does not apply the unconfined type to the Nagios plugin; it stays as bin_t. Even if we use chcon to set the type, running restorecon will just revert it back to bin_t.

Expected results:
myplugin becomes labeled as nagios_unconfined_plugin_exec_t. (This is what happened in Fedora 15 and earlier.)

Additional info:
semanage still seems to work in some instances. For example, we have a MATLAB installation which lives in /usr/lib/matlab-7.13.0.564/. This contains a bunch of DSOs in /usr/lib/matlab-7.13.0.564/bin/glnxa64/, which are (by default) labeled as bin_t. However, some of them contain text relocations, so we mark them accordingly, i.e.

semanage fcontext -a -t textrel_shlib_t /usr/lib/matlab-7.13.0.564/bin/glnxa64/libtbb.so.2

In this case, restorecon *does* set the file context correctly. It's not clear to me why one case works and the other does not, but this might help you to pin down the problem.
Try

# semanage fcontext -a -t nagios_unconfined_plugin_exec_t /usr/lib/nagios/plugins/myplugin

The problem is label substitution. We substitute /usr/lib for /usr/lib64 in restorecon.
(In reply to comment #1)
> We substitute /usr/lib for /usr/lib64 in restorecon.

That's it, thanks! Works fine on our systems with that substitution. I did read the restorecon man page before reporting the bug, but saw no mention of this there - might be useful to mention this label substitution there (and/or have "semanage fcontext" warn or do the reverse substitution if the user tries to add a /usr/lib64/ file context).
I added a fix for this in policycoreutils-2.1.4-10.fc16

semanage fcontext -a -t etc_t /usr/lib64/dan
/usr/sbin/semanage: File spec /usr/lib64/dan conflicts with equivalency rule '/usr/lib64 /usr/lib'; Try adding '/usr/lib/dan' instead
policycoreutils-2.1.4-10.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/policycoreutils-2.1.4-10.fc16
Package policycoreutils-2.1.4-10.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.4-10.fc16'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16077/policycoreutils-2.1.4-10.fc16
then log in and leave karma (feedback).
policycoreutils-2.1.4-10.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Could you add the fix also for fcontext equivalence rules, please?

Test case:
# semanage fcontext -a -e /mnt /fs
# semanage fcontext -a -t var_lib_t /fs/database
/usr/sbin/semanage: File spec /fs/database conflicts with equivalency rule '/fs /mnt'; Try adding '/mnt/database' instead
# semanage fcontext -a -e /var/lib/mysql /fs/database/mysql
#

In the last command I think we should also get a conflict error message like in the command before. Otherwise the behavior of the SELinux implementation should be fixed. In the example above files in /fs/database/mysql are still labeled mnt_t instead of mysqld_db_t.

SELinux Local fcontext Equivalence
/fs = /mnt
/fs/database/mysql = /var/lib/mysql
This message is a reminder that Fedora 16 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '16'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 16's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 16 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
This seems to be fixed in the current release.

# semanage fcontext -a -e /mnt /fs
# semanage fcontext -a -e /var/lib/mysql /fs/database/mysql
ValueError: File spec /fs/database/mysql conflicts with equivalency rule '/fs /mnt'; Try adding '/mnt/database/mysql' instead
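Added example, not code from policycoreutils, libselinux or this bug's reporter: a small Python model of the two mechanisms the thread turns on. First, path equivalence (the file_contexts.subs_dist rules such as '/usr/lib64 /usr/lib'), which restorecon applies to the path before it consults file_contexts, so a spec written under the alias never matches (comments 1 and 2). Second, the check that comments 4 and 11 show semanage making against a new spec, reproduced with the same message text. The rule list, the file_contexts subset, the paths and the function names (substitute, check_spec, conflict, label_for) are constructed for illustration; the '/fs /mnt' rule follows comment 8's test case. Matching is simplified to "last matching spec wins, local entries appended after the distribution ones", which is enough to show why the /usr/lib64 spec from the description lost to bin_t, why the MATLAB spec under /usr/lib worked, and why files under /fs/database/mysql stayed mnt_t in comment 8.

```python
import re

# Constructed equivalence rules in file_contexts.subs_dist form:
# (<alias>, <canonical>) means a path under <alias> is rewritten to
# <canonical> before any file_contexts lookup.  "/fs" follows comment 8.
EQUIVALENCES = [
    ("/usr/lib64", "/usr/lib"),
    ("/fs", "/mnt"),
]

# Constructed stand-ins for file_contexts entries: (regex, type).  The real
# file carries full contexts and is far larger; only the type matters here.
FILE_CONTEXTS = [
    (r"/usr/lib(/.*)?", "lib_t"),
    (r"/usr/lib/nagios/plugins(/.*)?", "bin_t"),
    (r"/mnt(/.*)?", "mnt_t"),
    (r"/var/lib/mysql(/.*)?", "mysqld_db_t"),
]


def substitute(path, rules=EQUIVALENCES):
    """Rewrite path through the first matching equivalence rule, the way
    restorecon does before looking the path up.  Only whole components
    match: /usr/lib64abc is not under /usr/lib64."""
    for alias, canonical in rules:
        if path == alias or path.startswith(alias + "/"):
            return canonical + path[len(alias):]
    return path


def check_spec(spec, rules=EQUIVALENCES):
    """The check added in policycoreutils-2.1.4-10 (comment 4) and later
    applied to equivalence targets too (comment 11): refuse a spec that
    lives under an alias, because restorecon rewrites the path to the
    canonical form first and the spec would never be consulted."""
    for alias, canonical in rules:
        if spec == alias or spec.startswith(alias + "/"):
            fixed = canonical + spec[len(alias):]
            raise ValueError(
                "File spec %s conflicts with equivalency rule '%s %s'; "
                "Try adding '%s' instead" % (spec, alias, canonical, fixed))
    return spec


def conflict(spec, rules=EQUIVALENCES):
    """Return the message semanage would print for spec, or None if fine."""
    try:
        check_spec(spec, rules)
    except ValueError as exc:
        return str(exc)
    return None


def label_for(path, local=(), rules=EQUIVALENCES, contexts=FILE_CONTEXTS):
    """Type restorecon would set on path: substitute, then take the last
    matching spec.  file_contexts.local entries (semanage stores the spec
    verbatim, as a regex) are appended after the distribution entries, so a
    local override wins whenever it actually matches the rewritten path."""
    key = substitute(path, rules)
    result = None
    for regex, setype in list(contexts) + list(local):
        if re.fullmatch(regex, key):
            result = setype
    return result


if __name__ == "__main__":
    plugin = "/usr/lib64/nagios/plugins/myplugin"
    # Comment 1: the local spec is written under the alias and never matches.
    bad = [("/usr/lib64/nagios/plugins/myplugin", "nagios_unconfined_plugin_exec_t")]
    print(plugin, "->", label_for(plugin, bad))
    # Comment 2: the same spec under the canonical /usr/lib works.
    good = [("/usr/lib/nagios/plugins/myplugin", "nagios_unconfined_plugin_exec_t")]
    print(plugin, "->", label_for(plugin, good))
    # Comment 8: everything under /fs is rewritten to /mnt, so the nested
    # /var/lib/mysql equivalence can never take effect.
    print("/fs/database/mysql/ibdata1 ->", label_for("/fs/database/mysql/ibdata1"))
    # Comments 4 and 11: what semanage now reports.
    for spec in ("/usr/lib64/dan", "/fs/database/mysql"):
        print(conflict(spec))
```

Running it stand-alone prints the bin_t result for the /usr/lib64 spec, the nagios_unconfined_plugin_exec_t result for the /usr/lib spec, mnt_t for the nested /fs path, and the two conflict messages. On a real system the authoritative rule list is /etc/selinux/targeted/contexts/files/file_contexts.subs_dist (plus file_contexts.subs), and `matchpathcon` or `restorecon -nv` shows what will actually be applied, so any spec a deployment script adds is worth checking against those rules before relying on the label.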