Maybe restorecon ignores symlinks completely.

# man restorecon | col -b | grep -A 2 NOTE
NOTE
       restorecon does not follow symbolic links.

#

We just fixed this in F17.

This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

---Problem Description---
restorecon ignores symbolic link rules.

---uname output---
Linux horn.stglabs.ibm.com 2.6.32-279.1.1.el6.ppc64 #1 SMP Wed Jun 20 11:42:00 EDT 2012 ppc64 ppc64 ppc64 GNU/Linux

Machine Type = Power 7

---Debugger---
A debugger is not configured

---Steps to Reproduce---
[root@f0523p3 ?]# ls -lZ /etc/localtime
-rw-r--r--. root root system_u:object_r:locale_t:s0    /etc/localtime
[root@f0523p3 ?]# mkdir /opt/etc
[root@f0523p3 ?]# ln -fs /etc/localtime /opt/etc/localtime
[root@f0523p3 ?]# ls -lZ /opt/etc/localtime
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0   /opt/etc/localtime -> /etc/localtime
[root@f0523p3 ?]# semanage fcontext -a -f -l -t locale_t /opt/etc/localtime
[root@f0523p3 ?]# restorecon /opt/etc/localtime
[root@f0523p3 ?]# ls -lZ /opt/etc/localtime
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0   /opt/etc/localtime -> /etc/localtime

Contact Information = gcwilson.com, kjerick.com

rpm -qa | grep -i selinux output: libselinux-2.0.94-5.3.el6.ppc64
libselinux-utils-2.0.94-5.3.el6.ppc64
libselinux-devel-2.0.94-5.3.el6.ppc
libselinux-python-2.0.94-5.3.el6.ppc64
libselinux-2.0.94-5.3.el6.ppc
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
libselinux-devel-2.0.94-5.3.el6.ppc64

Userspace tool common name: restorecon

getsebool output: abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_guest_exec_content --> off
allow_httpd_anon_write --> on
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> on
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> on
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> on
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_nsplugin_transition --> off
allow_user_exec_content --> on
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xguest_exec_content --> off
allow_xserver_execmem --> off
allow_ypbind --> off
allow_zebra_write_config --> on
authlogin_radius --> off
cdrecord_read_content --> off
clamd_use_jit --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
condor_domain_can_network_connect --> off
cron_can_relabel --> off
dhcpc_exec_iptables --> off
domain_kernel_load_modules --> off
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_can_ssh --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
git_cgit_read_gitosis_content --> off
git_session_bind_all_unreserved_ports --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
global_ssp --> off
gpg_agent_env_file --> off
gpg_web_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
icecast_connect_any --> off
init_upstart --> on
irssi_use_full_network --> off
logging_syslogd_can_sendmail --> off
mmap_low_allowed --> off
mozilla_read_content --> off
mysql_connect_any --> off
named_write_master_zones --> off
ncftool_read_user_content --> off
nscd_use_shm --> on
nsplugin_can_network --> on
openvpn_enable_homedirs --> on
piranha_lvs_can_network_connect --> off
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
puppet_manage_all_files --> off
puppetmaster_use_db --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
racoon_read_shadow --> off
rgmanager_can_network_connect --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sanlock_use_samba --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
sepgsql_enable_users_ddl --> on
sepgsql_unconfined_dbadm --> on
sge_domain_can_network_connect --> off
sge_use_nfs --> off
smartmon_3ware --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> on
squid_use_tproxy --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
telepathy_tcp_connect_generic_network_ports --> off
tftp_anon_write --> off
tor_bind_all_unreserved_ports --> off
unconfined_login --> on
unconfined_mmap_zero_ignore --> off
unconfined_mozilla_plugin_transition --> off
use_fusefs_home_dirs --> off
use_lpd_server --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_dri --> on
user_direct_mouse --> off
user_ping --> on
user_rw_noexattrfile --> on
user_setrlimit --> on
user_tcp_server --> off
user_ttyfile_stat --> off
varnishd_connect_any --> off
vbetool_mmap_zero_ignore --> off
virt_use_comm --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_sysfs --> on
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xen_use_nfs --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_object_manager --> off

The userspace tool has the following bit modes: 64-bit

/etc/selinux/config output: # This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Userspace rpm: policycoreutils-2.0.83-19.24.el6.ppc64

Userspace tool obtained from project website:  na

*Additional Instructions for gcwilson.com, kjerick.com:
-Attach ltrace and strace of userspace application.
-Attach contents of /var/log/audit/audit.log

Hi Dan, Is there any way this fix can be put into the service stream?

Changed priority from block to high on our side since there's a workaround.

This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

That too doesn't change the context :-

# restorecon -R -v /test/symlinked
# ls -Z /test/symlinked/file1 
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /test/symlinked/file1

restorecon is doing a realpath on the file, so it is translating the file via realpath.  We are doing this so that a symbolic link attack will not cause the file to get mislabeled.

strace restorecon /test/symlinked/file 2>&1  | grep /test
execve("/sbin/restorecon", ["restorecon", "/test/symlinked/file"], [/* 23 vars */]) = 0
lstat("/test/symlinked/file", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat("/test", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/test/symlinked", {st_mode=S_IFLNK|0777, st_size=14, ...}) = 0
readlink("/test/symlinked", "/test/original", 4095) = 14
lstat("/test", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/test/original", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/test/original/file", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat("/test/original/file", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lgetxattr("/test/original/file", "security.selinux", "staff_u:object_r:default_t:s0", 255) = 30

Just tested this on RHEL6.3 and Fedora 17.

On RHEL6 restorecon doesn't restore the context of the symlink (when symlink is the actual item). On Fedora 17 the context is restored. I belive this is the problem mentioned in #c6.

Dan, could you please confirm that this is what's is going to be fixed? Thank you.

(In reply to comment #17)
> Just tested this on RHEL6.3 and Fedora 17.
> 
> On RHEL6 restorecon doesn't restore the context of the symlink (when symlink
> is the actual item). On Fedora 17 the context is restored. I belive this is
> the problem mentioned in #c6.
> 
> Dan, could you please confirm that this is what's is going to be fixed?
> Thank you.

Karel,
how did you get this working on Fedora17?

It works how Dan wrote in the #comment 17.

Another test

# ls -lZ /usr/lib/satelite 
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:SystemLow /usr/lib/satelite -> /usr/share/man/man8/httpd_selinux.8.gz
# semanage fcontext -a -f -l -t httpd_sys_content_t /usr/lib/satelite
# matchpathcon /usr/lib/satelite
/usr/lib/satelite	system_u:object_r:httpd_sys_content_t:SystemLow
# restorecon -v /usr/lib/satelite
restorecon reset /usr/lib/satelite context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Ok, we discovered bug in the policy. We do not have the following rule on RHEL6

allow setfiles_t file_type : lnk_file { read getattr relabelfrom relabelto } ;

We have just

allow setfiles_t file_type : lnk_file { getattr relabelfrom relabelto } ;

So I am switching this bug to selinux-policy component.

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html