This bug has been copied from bug #846631 and has been proposed to be backported to 5.8 z-stream (EUS).
Created attachment 603256: nsswitch.conf check script
If the package sudo-1.7.2p1-14.el5_8.3 is being uninstalled, the context of /etc/nsswitch.conf is changed from system_u:object_r:etc_t:s0 to root:object_r:etc_t:s0. The next installation keeps root:object_r:etc_t:s0. Why does installation keep the user attribute while uninstall changes it?

Steps to reproduce:
1. remove sudo if present
2. restorecon -F /etc/nsswitch.conf
3. ls -Z /etc/nsswitch.conf
   -rw-r--r--  root root system_u:object_r:etc_t /etc/nsswitch.conf
4. install sudo-1.7.2p1-14.el5_8.3
5. ls -Z /etc/nsswitch.conf
   -rw-r--r--  root root system_u:object_r:etc_t /etc/nsswitch.conf
6. remove sudo
7. ls -Z /etc/nsswitch.conf
   -rw-r--r--  root root root:object_r:etc_t /etc/nsswitch.conf
This is not a bug. The difference is whether or not the file is being created freshly or copied into or mv'd. If a new file is created it will get the SELinux User of the process that created it. If it is written directly to or just mv'd the context will not change. SELinux in RHEL and Fedora does not enforce anything based on the User component so this is not a bug.
OK then, I will write the test so that it checks only the :object_r:etc_t part.
I found out that using a slightly modified method from el5_8.2 would not change even the user attribute in the SELinux context. Just cat into the file instead of mv:

a=`mktemp`
grep -v sudoers /etc/nsswitch.conf > $a
cat $a >/etc/nsswitch.conf
rm -f $a
echo "sudoers: files ldap" >>/etc/nsswitch.conf

This way the file is not recreated but just truncated and the new content is written, so no attributes are changed.
(In reply to comment #10)
> I found out that using a slightly modified method from el5_8.2 would not
> change even the user attribute in the SELinux context. Just cat into the file
> instead of mv:
>
> a=`mktemp`
> grep -v sudoers /etc/nsswitch.conf > $a
> cat $a >/etc/nsswitch.conf
> rm -f $a
> echo "sudoers: files ldap" >>/etc/nsswitch.conf
>
> This way the file is not recreated but just truncated and the new content is
> written, so no attributes are changed.

All of that is not necessary when using "sed -i" to update nsswitch.conf.
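As an added illustration (not the sudo package's scriptlet and not the attached check script), the following shell functions put the two ideas from the comments above into a testable form: the truncate-and-rewrite edit of the sudoers line that keeps the file's inode, and therefore its SELinux context, intact, and a check that looks only at the :object_r:etc_t part of a context string, ignoring the user component that RHEL does not enforce. Function names, the stat -c %C helper and the sample file contents are assumptions made for this example; the demonstration runs on a constructed temporary copy, never on the real /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example; not code from the bug report or the sudo package.

# Replace the "sudoers:" entry of an nsswitch.conf-style file in place.
# The file is emptied and rewritten through its existing inode (">"),
# never replaced by a new file via mv/rename, so its SELinux context
# (including the user component) stays exactly as it was.
update_sudoers_entry() {
    conf=$1      # path to the nsswitch.conf being edited
    entry=$2     # replacement line, e.g. "sudoers: files ldap"
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when nothing is left to print; that is not an error here
    grep -v '^sudoers:' "$conf" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"                 # truncate + write into the existing inode
    rm -f "$tmp"
    printf '%s\n' "$entry" >> "$conf"    # append the new sudoers line
}

# Check only the role and type of a context string (the 4th column of
# "ls -Z"), deliberately ignoring the SELinux user in front of it.
context_is_etc_t() {
    case $1 in
        *:object_r:etc_t*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Read a file's context with GNU stat; meaningful on SELinux hosts only
# (prints "?" elsewhere). Assumed helper, not part of the bug report.
file_context() {
    stat -c '%C' "$1" 2>/dev/null
}

# Demonstration on a constructed temporary copy.
demo() {
    f=$(mktemp) || return 1
    printf 'passwd: files\nsudoers: files\nhosts: files dns\n' > "$f"
    update_sudoers_entry "$f" "sudoers: files ldap"
    echo "--- rewritten file ---"
    cat "$f"
    ctx=$(file_context "$f")
    if context_is_etc_t "$ctx"; then
        echo "context $ctx has object_r:etc_t"
    else
        echo "context '$ctx' is not object_r:etc_t (expected on non-SELinux hosts)"
    fi
    rm -f "$f"
}

demo
```

On an SELinux host, run restorecon -F on a copy of nsswitch.conf, call update_sudoers_entry on it and compare stat -c %C before and after: the user, role and type are unchanged because the inode survives, which is what the check in comment 11 relies on; a method that creates a fresh file and renames it over the original would give the new file the creating process's SELinux user, as comment 4 explains.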
The scripts proposed in bug 846764 solve this and other problems, and are complete with the exception of a test for the availability of restorecon (a condition mentioned in bug 818585). The proposed change in bug 846631 for release as el5_8.3 still makes unnecessary modifications to /etc/nsswitch.conf. Given the amount of damage -- which was in no way limited to Postgres -- done by the last few revisions of this package, is it too much to ask that this be reviewed/QAed by someone with a higher degree of familiarity with the shell?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-1160.html