Description: Michal Trunecka, 2013-02-22 09:43:08 UTC
Description of problem:
A file context which is defined in the module .fc file doesn't work. The context is listed by semanage fcontext, but matchpathcon and restorecon don't see it. Example follows:
##########reporoducer.te
policy_module(reproducer,1.0)
type reproducer_exec_t;
##########reproducer.fc
/usr/local/bin/reproducer_bin -- system_u:object_r:reproducer_exec_t:s0
########## Build the policy
# make -f /usr/share/selinux/devel/Makefile
make[1]: Entering directory `/root/test-policy'
Compiling targeted reporoducer module
/usr/bin/checkmodule: loading policy configuration from tmp/reporoducer.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 17) to tmp/reporoducer.mod
Creating targeted reporoducer.pp policy package
rm tmp/reporoducer.mod tmp/reporoducer.mod.fc
make[1]: Leaving directory `/root/test-policy'
########## Insert module into the policy
# semodule -i reporoducer.pp
########## Then matchpathcon doesn't see the context (so doesn't restorecon)
# matchpathcon /usr/local/bin/reproducer_bin
/usr/local/bin/reproducer_bin system_u:object_r:bin_t:s0
########## But the semanage does
# semanage fcontext -l | grep reproducer
WARNING: Policy would be downgraded from version 29 to 28.
/usr/local/bin/reproducer_bin regular file system_u:object_r:reproducer_exec_t:s0
Exactly the same files work fine on RHEL6.
Version-Release number of selected component (if applicable):
[root@dhcp-25-181 test-policy]# rpm -qa selinux-policy\*
selinux-policy-3.12.1-14.el7.noarch
selinux-policy-devel-3.12.1-14.el7.noarch
selinux-policy-targeted-3.12.1-14.el7.noarch
selinux-policy-doc-3.12.1-14.el7.noarch
[root@dhcp-25-181 test-policy]# rpm -qa policycoreutils\*
policycoreutils-2.1.14-7.el7.x86_64
policycoreutils-python-2.1.14-7.el7.x86_64
policycoreutils-devel-2.1.14-7.el7.x86_64
rpm -qa libselinux\*
libselinux-python-2.1.13-3.el7.x86_64
libselinux-utils-2.1.13-3.el7.x86_64
libselinux-devel-2.1.13-3.el7.x86_64
libselinux-ruby-2.1.13-3.el7.x86_64
libselinux-2.1.13-3.el7.x86_64
rpm -qa libsemanage\*
libsemanage-2.1.10-2.el7.x86_64
libsemanage-devel-2.1.10-2.el7.x86_64
libsemanage-python-2.1.10-2.el7.x86_64
How reproducible:
always
That is because you did not define it as a files_type
files_type(reproducer_exec_t)
restorecon is only allowed to assign files_type types to file systems.
And is it a new feature in RHEL? Or is it a bug in RHEL6?
Well, I'm a bit confused. I modified the module:
# cat reporoducer.te
policy_module(reproducer,1.0)
type reproducer_exec_t;
files_type(reproducer_exec_t)
And the behaviour is still the same.
In addition, the behaviour is the same with the policy generated by "sepolicy generate".
# ls -lZ /usr/local/bin/reproducer_bin
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/local/bin/reproducer_bin
The behaviour is the same when the file doesn't exist.
I've run into a similar problem here and I believe I know what's causing it.
My copy of file_contexts.subs_dist contains a mapping from /usr/local to /usr. These aliases seem to take effect before the rules in file_contexts are checked, and thus a rule specifically targeting /usr/local/foo will never be honored - any rule for /usr/foo will be applied instead.
The workaround is to change your .fc file so it targets /usr/bin/reproducer_bin instead. This rule will be applied to /usr/local/bin/reproducer_bin just fine.
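The following is an added example, not code from the bug report or from libselinux, that models the path-substitution step described in the comment above: file_contexts.subs_dist aliases are applied to the queried path first, and only the rewritten path is matched against file_contexts. The subs entries, the base file_contexts excerpt and the "last matching rule wins" ordering are assumptions chosen to reproduce the thread's observation; consult /etc/selinux/targeted/contexts/files/file_contexts.subs_dist and matchpathcon on a real system rather than this model.

```python
import re

# Constructed excerpt of a file_contexts.subs_dist (assumption: the real file
# on a RHEL 7 host has more entries). Each line aliases a path prefix to another.
SUBS_DIST = [
    ("/usr/local/lib64", "/usr/lib"),
    ("/usr/local/lib", "/usr/lib"),
    ("/usr/local", "/usr"),
]

# Constructed excerpt of the base policy's file_contexts:
# (regex, file-type code or None for any type, context). Assumption: the real
# file is much larger; these three entries suffice to show the effect.
BASE_FILE_CONTEXTS = [
    (r"/.*", None, "system_u:object_r:default_t:s0"),
    (r"/usr/(.*/)?bin(/.*)?", None, "system_u:object_r:bin_t:s0"),
    (r"/usr/lib(/.*)?", None, "system_u:object_r:lib_t:s0"),
]

REPRODUCER_CTX = "system_u:object_r:reproducer_exec_t:s0"
# The .fc rule exactly as the reporter wrote it, and the workaround rule.
MODULE_RULE_AS_WRITTEN = (r"/usr/local/bin/reproducer_bin", "--", REPRODUCER_CTX)
MODULE_RULE_WORKAROUND = (r"/usr/bin/reproducer_bin", "--", REPRODUCER_CTX)


def apply_subs(path, subs):
    """Rewrite PATH using the first alias whose prefix matches at a path-
    component boundary (so /usr/localstuff is not rewritten by /usr/local).
    Assumption: a simplified model of the libselinux subs handling."""
    for src, dst in subs:
        if path == src:
            return dst
        if path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, file_type, subs, specs):
    """Return the context that would be assigned to PATH of type FILE_TYPE
    ('--' regular file, '-d' directory, ...). The alias step runs first; the
    last rule that fully matches the rewritten path wins (assumption: a
    simplification of the real spec ordering)."""
    real_path = apply_subs(path, subs)
    matched = None
    for regex, ftype, ctx in specs:
        if ftype is not None and ftype != file_type:
            continue
        if re.fullmatch(regex, real_path):
            matched = ctx
    return matched


def demo(path="/usr/local/bin/reproducer_bin"):
    """Compare the three situations discussed in the thread for one path."""
    return {
        # what the regex matcher actually sees once the alias is applied
        "aliased_path": apply_subs(path, SUBS_DIST),
        # .fc rule written for /usr/local/bin: never consulted with the alias
        "module_rule_as_written": lookup(
            path, "--", SUBS_DIST, BASE_FILE_CONTEXTS + [MODULE_RULE_AS_WRITTEN]),
        # same rule with no /usr/local alias configured: it is honoured
        "module_rule_no_alias": lookup(
            path, "--", [], BASE_FILE_CONTEXTS + [MODULE_RULE_AS_WRITTEN]),
        # workaround rule targeting the aliased path: it is honoured
        "workaround_rule": lookup(
            path, "--", SUBS_DIST, BASE_FILE_CONTEXTS + [MODULE_RULE_WORKAROUND]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that semanage fcontext -l reads the .fc entries straight from the policy store without applying the alias step, which is why the thread saw the rule listed there while matchpathcon and restorecon ignored it. On a real host the equivalent checks are `cat /etc/selinux/targeted/contexts/files/file_contexts.subs_dist` to see which prefixes are aliased and `matchpathcon /usr/local/bin/reproducer_bin` before and after inserting the module.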
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.