Bug 914166 - File context from module is not being assigned by restorecon if equivalency used
Summary: File context from module is not being assigned by restorecon if equivalency used
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: beta
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 908726
Reported: 2013-02-22 09:43 UTC by Michal Trunecka
Modified: 2014-09-30 23:34 UTC

Fixed In Version: selinux-policy-3.12.1-126.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 13:22:28 UTC
Target Upstream Version:
Embargoed:



Description Michal Trunecka 2013-02-22 09:43:08 UTC
Description of problem:

The file context defined in the module's .fc file doesn't work. The context is listed by semanage fcontext, but matchpathcon and restorecon don't see it. Example follows:

##########reporoducer.te 
policy_module(reproducer,1.0)

type reproducer_exec_t;

##########reproducer.fc
/usr/local/bin/reproducer_bin    --   system_u:object_r:reproducer_exec_t:s0

########## Build the policy
# make -f /usr/share/selinux/devel/Makefile 
make[1]: Entering directory `/root/test-policy'
Compiling targeted reporoducer module
/usr/bin/checkmodule:  loading policy configuration from tmp/reporoducer.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 17) to tmp/reporoducer.mod
Creating targeted reporoducer.pp policy package
rm tmp/reporoducer.mod tmp/reporoducer.mod.fc
make[1]: Leaving directory `/root/test-policy'

########## Insert module into the policy
# semodule -i reporoducer.pp

########## Then matchpathcon doesn't see the context (and neither does restorecon)
# matchpathcon /usr/local/bin/reproducer_bin
/usr/local/bin/reproducer_bin	system_u:object_r:bin_t:s0

########## But the semanage does
# semanage fcontext -l | grep reproducer
WARNING: Policy would be downgraded from version 29 to 28.
/usr/local/bin/reproducer_bin                      regular file       system_u:object_r:reproducer_exec_t:s0 


The exact same files work fine on RHEL 6.


Version-Release number of selected component (if applicable):
[root@dhcp-25-181 test-policy]# rpm -qa selinux-policy\*
selinux-policy-3.12.1-14.el7.noarch
selinux-policy-devel-3.12.1-14.el7.noarch
selinux-policy-targeted-3.12.1-14.el7.noarch
selinux-policy-doc-3.12.1-14.el7.noarch
[root@dhcp-25-181 test-policy]# rpm -qa policycoreutils\*
policycoreutils-2.1.14-7.el7.x86_64
policycoreutils-python-2.1.14-7.el7.x86_64
policycoreutils-devel-2.1.14-7.el7.x86_64
[root@dhcp-25-181 test-policy]# rpm -qa libselinux\*
libselinux-python-2.1.13-3.el7.x86_64
libselinux-utils-2.1.13-3.el7.x86_64
libselinux-devel-2.1.13-3.el7.x86_64
libselinux-ruby-2.1.13-3.el7.x86_64
libselinux-2.1.13-3.el7.x86_64
[root@dhcp-25-181 test-policy]# rpm -qa libsemanage\*
libsemanage-2.1.10-2.el7.x86_64
libsemanage-devel-2.1.10-2.el7.x86_64
libsemanage-python-2.1.10-2.el7.x86_64


How reproducible:
always

Comment 1 Daniel Walsh 2013-02-22 12:56:03 UTC
That is because you did not define it as a files_type.

files_type(reproducer_exec_t)

restorecon is only allowed to assign files_type types to file systems.

Comment 2 Michal Trunecka 2013-02-22 13:16:39 UTC
And is it a new feature in RHEL? Or is it a bug in RHEL 6?

Well, I'm a bit confused. I modified the module:

# cat reporoducer.te 
policy_module(reproducer,1.0)

type reproducer_exec_t;
files_type(reproducer_exec_t)

And the behaviour is still the same.

And in addition, the same behaviour occurs with the policy generated by "sepolicy generate".

Comment 3 Michal Trunecka 2013-02-22 13:33:18 UTC
# seinfo -treproducer_exec_t -x
   reproducer_exec_t
      file_type
      non_security_file_type
      non_auth_file_type


# semanage fcontext -l | grep reprod
WARNING: Policy would be downgraded from version 29 to 28.
/usr/local/bin/reproducer_bin                      regular file       system_u:object_r:reproducer_exec_t:s0 


# matchpathcon /usr/local/bin/reproducer_bin
/usr/local/bin/reproducer_bin	system_u:object_r:bin_t:s0

Comment 4 Daniel Walsh 2013-02-22 14:58:33 UTC
ls -l /usr/local/bin/reproducer_bin

Comment 5 Michal Trunecka 2013-02-25 07:20:47 UTC
# ls -lZ /usr/local/bin/reproducer_bin
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/local/bin/reproducer_bin


The behaviour is the same when the file doesn't exist.

Comment 12 Ben Yuan 2013-07-02 04:47:35 UTC
I've run into a similar problem here and I believe I know what's causing it.

My copy of file_contexts.subs_dist contains a mapping from /usr/local to /usr. These aliases seem to take effect before the rules in file_contexts are checked, and thus a rule specifically targeting /usr/local/foo will never be honored - any rule for /usr/foo will be applied instead.

The workaround is to change your .fc file so it targets /usr/bin/reproducer_bin instead. This rule will be applied to /usr/local/bin/reproducer_bin just fine.

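The lookup order Comment 12 describes, as an added example that is not part of this bug report and not libselinux's own code: the equivalence (subs) rewrite is applied to the path being looked up before any file_contexts regex is tried, so an .fc entry written against /usr/local/bin/... can never match, while one written against /usr/bin/... matches the rewritten key. The subs_dist contents and the base-policy /usr/bin entry below are constructed sample data; the "later line is tried first" order and "last matching entry wins" rule are simplifications of libselinux's behaviour and are labelled as assumptions in the code.

```python
import re

# Constructed sample of file_contexts.subs_dist (on RHEL 7 the real file lives
# under /etc/selinux/targeted/contexts/files/). The "/usr/local /usr" line is
# the mapping Comment 12 describes; the /run lines are constructed extras used
# only to show how prefix matching and ordering behave.
SUBS_DIST = """\
/run /var/run
/run/lock /var/lock
/usr/local /usr
"""

# Constructed stand-in for the base policy's entry that labels /usr/bin/* as
# bin_t, plus the reporter's original .fc rule and the rewritten one.
BASE_FC = "/usr/bin/.*  system_u:object_r:bin_t:s0"
FC_ORIGINAL = "/usr/local/bin/reproducer_bin    --   system_u:object_r:reproducer_exec_t:s0"
FC_REWRITTEN = "/usr/bin/reproducer_bin    --   system_u:object_r:reproducer_exec_t:s0"

FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?(\S+)$")


def parse_subs(text):
    """Parse 'src dst' lines of a subs file into a list checked in lookup order.

    Assumption (from reading libselinux's selabel_subs_init, not a documented
    guarantee): each line is prepended to the list, so later lines are tried
    first. We reverse to model that.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = line.split()
        entries.append((src.rstrip("/") or "/", dst))
    entries.reverse()
    return entries


def substitute(path, subs):
    """Rewrite path by the first matching prefix (the equivalence step).

    The match must be component-aligned: /usr/local matches /usr/local/bin but
    not /usr/localfoo. Returns the path unchanged when nothing matches.
    """
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            rest = path[len(src):]
            if dst == "/":          # avoid "//" when mapping onto the root
                rest = rest.lstrip("/")
            return dst + rest
    return path


def parse_fc(text):
    """Parse file_contexts lines: regex, optional file-type flag, context."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError("bad file_contexts line: " + line)
        regex, ftype, ctx = m.groups()
        specs.append((re.compile(regex), ftype, ctx))
    return specs


def lookup(path, specs, subs):
    """Label lookup in libselinux's order: equivalence rewrite first, then the
    rewritten key is matched against file_contexts. Last matching entry wins
    (a simplification of the real stem-sorted search). Returns (key, context);
    context is None when nothing matches.
    """
    key = substitute(path, subs)
    context = None
    for regex, _ftype, ctx in specs:
        if regex.fullmatch(key):
            context = ctx
    return key, context


def demonstrate(path="/usr/local/bin/reproducer_bin"):
    """Reproduce the bug and the workaround for one path."""
    subs = parse_subs(SUBS_DIST)
    _, broken = lookup(path, parse_fc(BASE_FC + "\n" + FC_ORIGINAL), subs)
    key, fixed = lookup(path, parse_fc(BASE_FC + "\n" + FC_REWRITTEN), subs)
    return {"key": key, "original_fc": broken, "rewritten_fc": fixed}


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

This also explains the confusing symptom in the report: semanage fcontext -l prints the module's entry verbatim without applying the equivalence, so the rule looks present, while matchpathcon and restorecon only ever see the rewritten key /usr/bin/reproducer_bin. On a real RHEL 7 system, compare the constructed SUBS_DIST above with the actual contents of /etc/selinux/targeted/contexts/files/file_contexts.subs_dist before writing .fc entries for any path under a mapped prefix.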
Comment 13 Daniel Walsh 2013-10-03 14:26:56 UTC

*** This bug has been marked as a duplicate of bug 971425 ***

Comment 30 Ludek Smid 2014-06-13 13:22:28 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

