Description of problem:
By default, following simulated SCL man page directory has man_t type:

# matchpathcon /opt/rh/collection-xyz/root/usr/local/share/man/man9
/opt/rh/collection-xyz/root/usr/local/share/man/man9 system_u:object_r:man_t:s0

With the file context equivalency, it has usr_t despite the fact that dir in original path has mnt_t

# semanage fcontext -l | grep "/opt/rh/collection-xyz/root = /"'
# matchpathcon /usr/local/share/man/man9
/usr/local/share/man/man9x system_u:object_r:man_t:s0
# matchpathcon /opt/rh/collection-xyz/root/usr/local/share/man/man9x
/opt/rh/collection-xyz/root/usr/local/share/man/man9x system_u:object_r:usr_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-48.el7.noarch

Additional information:
Here is the list of files with inconsistent contexts after installation "filesystem" and "setup" rpms into simulated SCL directory in /opt:

:: [ FAIL ] :: /usr/local/share/man and /opt/rh/collection-xyz/root/usr/local/share/man are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man9 and /opt/rh/collection-xyz/root/usr/local/share/man/man9 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man1 and /opt/rh/collection-xyz/root/usr/local/share/man/man1 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man1x and /opt/rh/collection-xyz/root/usr/local/share/man/man1x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man2 and /opt/rh/collection-xyz/root/usr/local/share/man/man2 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man2x and /opt/rh/collection-xyz/root/usr/local/share/man/man2x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man3 and /opt/rh/collection-xyz/root/usr/local/share/man/man3 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man3x and /opt/rh/collection-xyz/root/usr/local/share/man/man3x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man4 and /opt/rh/collection-xyz/root/usr/local/share/man/man4 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man4x and /opt/rh/collection-xyz/root/usr/local/share/man/man4x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man5 and /opt/rh/collection-xyz/root/usr/local/share/man/man5 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man5x and /opt/rh/collection-xyz/root/usr/local/share/man/man5x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man6 and /opt/rh/collection-xyz/root/usr/local/share/man/man6 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man6x and /opt/rh/collection-xyz/root/usr/local/share/man/man6x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man7 and /opt/rh/collection-xyz/root/usr/local/share/man/man7 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man7x and /opt/rh/collection-xyz/root/usr/local/share/man/man7x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man8 and /opt/rh/collection-xyz/root/usr/local/share/man/man8 are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man8x and /opt/rh/collection-xyz/root/usr/local/share/man/man8x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/man9x and /opt/rh/collection-xyz/root/usr/local/share/man/man9x are labelled differently
:: [ FAIL ] :: /usr/local/share/man/mann and /opt/rh/collection-xyz/root/usr/local/share/man/mann are labelled differently
:: [ FAIL ] :: /usr/local/etc and /opt/rh/collection-xyz/root/usr/local/etc are labelled differently
:: [ FAIL ] :: /usr/local/lib64 and /opt/rh/collection-xyz/root/usr/local/lib64 are labelled differently
:: [ FAIL ] :: /usr/local/libexec and /opt/rh/collection-xyz/root/usr/local/libexec are labelled differently
:: [ FAIL ] :: /usr/lib64 and /opt/rh/collection-xyz/root/usr/lib64 are labelled differently
:: [ FAIL ] :: /usr/lib64/X11 and /opt/rh/collection-xyz/root/usr/lib64/X11 are labelled differently
:: [ FAIL ] :: /usr/lib64/games and /opt/rh/collection-xyz/root/usr/lib64/games are labelled differently
:: [ FAIL ] :: /usr/lib64/pm-utils and /opt/rh/collection-xyz/root/usr/lib64/pm-utils are labelled differently
:: [ FAIL ] :: /usr/lib64/pm-utils/module.d and /opt/rh/collection-xyz/root/usr/lib64/pm-utils/module.d are labelled differently
:: [ FAIL ] :: /usr/lib64/pm-utils/power.d and /opt/rh/collection-xyz/root/usr/lib64/pm-utils/power.d are labelled differently
:: [ FAIL ] :: /usr/lib64/pm-utils/sleep.d and /opt/rh/collection-xyz/root/usr/lib64/pm-utils/sleep.d are labelled differently
:: [ FAIL ] :: /usr/lib64/sse2 and /opt/rh/collection-xyz/root/usr/lib64/sse2 are labelled differently
:: [ FAIL ] :: /usr/lib64/tls and /opt/rh/collection-xyz/root/usr/lib64/tls are labelled differently
We have to make the libselinux matching functions recursive. At least apply the local ones first, then apply the distro ones second.
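A simplified model of the ordering discussed in the comment above, added here as an illustration; it is not libselinux code and not part of the original report. It assumes the lookup applies only one substitution per path (distro table first, local table only if nothing matched); the distro rules and the `/usr/bin` control path are constructed samples, and all function names are hypothetical.

```python
# Simplified model of file-context path substitution (not libselinux code).
SCL_ROOT = "/opt/rh/collection-xyz/root"

# Local equivalency taken from the report: SCL root is an alias of "/".
LOCAL_SUBS = [(SCL_ROOT, "/")]
# Constructed distro-level rules, assumed for illustration only.
DIST_SUBS = [("/usr/lib64", "/usr/lib"), ("/usr/local", "/usr")]


def substitute(path, subs):
    """Rewrite path with the first alias that matches a whole leading prefix."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            rest = path[len(src):]
            return (dst.rstrip("/") + rest) or "/", True
    return path, False


def single_pass(path):
    """Assumed old behaviour: one substitution only, distro table tried first."""
    new_path, hit = substitute(path, DIST_SUBS)
    if hit:
        return new_path
    return substitute(path, LOCAL_SUBS)[0]


def local_then_dist(path):
    """Order proposed in the comment: local aliases first, distro rules second."""
    path, _ = substitute(path, LOCAL_SUBS)
    return substitute(path, DIST_SUBS)[0]


def mismatches(resolve, system_paths):
    """System paths whose SCL copy resolves to a different lookup key."""
    return [p for p in system_paths if resolve(p) != resolve(SCL_ROOT + p)]


# Three paths from the FAIL list plus one constructed control path.
SAMPLE_PATHS = [
    "/usr/lib64/tls",
    "/usr/local/share/man/man9",
    "/usr/local/etc",
    "/usr/bin",
]

if __name__ == "__main__":
    print("single pass:    ", mismatches(single_pass, SAMPLE_PATHS))
    print("local then dist:", mismatches(local_then_dist, SAMPLE_PATHS))
```

In this model the SCL copy loses the distro rewrite under the single-pass order, so its lookup key differs from the system path's; chaining local then distro substitutions makes both resolve to the same key.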
*** Bug 914166 has been marked as a duplicate of this bug. ***
Fixed in libselinux-2.1.13-21.el7
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.