Bug 970286 - Please label /usr/lib64/cracklib_dict.pwd.gz as crack_db_t
Please label /usr/lib64/cracklib_dict.pwd.gz as crack_db_t
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-03 17:32 EDT by Nalin Dahyabhai
Modified: 2013-06-15 08:01 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-15 08:01:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nalin Dahyabhai 2013-06-03 17:32:28 EDT
Description of problem:
We already label the old location of the default cracklib dictionary (/usr/lib(64)?/cracklib_dict.pwd) as crack_db_t.  If we want to take advantage of cracklib's ability to read compressed dictionaries, we need to ensure that the compressed version of the dictionary (/usr/lib(64)?/cracklib_dict.pwd.gz) has the same label.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-47.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
matchpathcon /usr/share/cracklib/pw_dict.pwd.gz /usr/share/cracklib/pw_dict.pwd /usr/lib64/cracklib_dict.pwd.gz /usr/lib64/cracklib_dict.pwd /usr/lib/cracklib_dict.pwd.gz /usr/lib/cracklib_dict.pwd

Actual results:
/usr/share/cracklib/pw_dict.pwd.gz	system_u:object_r:crack_db_t:s0
/usr/share/cracklib/pw_dict.pwd	system_u:object_r:crack_db_t:s0
/usr/lib64/cracklib_dict.pwd.gz	system_u:object_r:crack_db_t:s0
/usr/lib64/cracklib_dict.pwd	system_u:object_r:lib_t:s0
/usr/lib/cracklib_dict.pwd.gz	system_u:object_r:crack_db_t:s0
/usr/lib/cracklib_dict.pwd	system_u:object_r:crack_db_t:s0

Expected results:
They should all have the same label, I think.
Comment 1 Nalin Dahyabhai 2013-06-03 18:01:14 EDT
Wow, I even got myself confused there.  It's /usr/lib(64)?/cracklib_dict.pwd, which is often a symlink to /usr/share/cracklib/pw_dict.pwd now.
Comment 2 Miroslav Grepl 2013-06-04 11:06:42 EDT
So it should be ok.

# matchpathcon /usr/share/cracklib/pw_dict.pwd
/usr/share/cracklib/pw_dict.pwd	system_u:object_r:crack_db_t:s0
Comment 3 Nalin Dahyabhai 2013-06-04 11:22:51 EDT
That one's fine.  It's /usr/lib64/cracklib_dict.pwd which is labeled lib_t on my system, I'm guessing because the context configuration doesn't match if it's a symlink.
Comment 4 Daniel Walsh 2013-06-15 08:01:32 EDT
Yes we are only labeling files if they match, and everything is allowed to read lib_t symlinks (almost) so this should not be a bug.

 ls -lZ /usr/share/cracklib/pw_dict.pwd.gz 
-rw-r--r--. root root system_u:object_r:crack_db_t:s0  /usr/share/cracklib/pw_dict.pwd.gz

Note You need to log in before you can comment on or make changes to this bug.