Type: Bug
Resolution: Unresolved
Affects Version: rhel-10.1
Severity: Moderate
Component: rhel-security-selinux
Architecture: x86_64
What were you trying to do that didn't work?
Running fixfiles on files under /usr/sbin doesn't work.

What is the impact of this issue to you?
fixfiles is not working as expected; a manual restorecon -Rv on /usr/sbin/ does relabel the binaries with the correct label.

Please provide the package NVR for which the bug is seen:
policycoreutils-3.9-1.el10.x86_64 and the equivalent SELinux packages

How reproducible is this bug?:
100%
Steps to reproduce
1) Enable EPEL
2) Remove if installed: dnf -y remove nsd selinux-policy-extra && semodule -B
3) dnf -y install nsd (from EPEL); at this point the system is unaware of the nsd SELinux policy.
   As expected, the files get generic SELinux labels:
~~~
# ls -ltrZ /usr/sbin/nsd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1751544 Dec 9 01:00 /usr/sbin/nsd
# ls -ltrZ /etc/nsd/nsd.conf
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 15720 Dec 9 01:00 /etc/nsd/nsd.conf
~~~
4) cp -vf /etc/selinux/targeted/contexts/files/file_contexts /tmp/file_contexts.pre
5) dnf -y install selinux-policy-extra && semodule -B (enables the nsd SELinux policy)
6) bash -x fixfiles -v -C /tmp/file_contexts.pre restore
7) OK:
~~~
# ls -ltrZ /etc/nsd/nsd.conf
-rw-r--r--. 1 root root system_u:object_r:nsd_conf_t:s0 15720 Dec 9 01:00 /etc/nsd/nsd.conf
~~~
8) NOT OK:
~~~
# ls -ltrZ /usr/sbin/nsd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 1751544 Dec 9 01:00 /usr/sbin/nsd
~~~
9) Manual fix:
~~~
# restorecon -Rv /usr/sbin/nsd
Relabeled /usr/sbin/nsd from system_u:object_r:bin_t:s0 to system_u:object_r:nsd_exec_t:s0
~~~
Expected results
fixfiles should relabel the files under /usr/sbin.

Actual results
fixfiles doesn't relabel the files under /usr/sbin; it relabels files under /usr/bin instead.

Additional information:
Fedora implemented the /usr/sbin and /usr/bin unification, and selinux-policy followed with a patch that simply replaces every /usr/sbin path with the /usr/bin path:
https://github.com/fedora-selinux/selinux-policy/commit/1be14f9b5a99a4eec7f9aba7fbb83bf8dde817f4
~~~
commit 1be14f9b5a99a4eec7f9aba7fbb83bf8dde817f4
Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Date: Thu Apr 11 18:15:46 2024 +0200
Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
This is for https://fedoraproject.org/wiki/Changes/Unify_bin_and_sbin.
We want to match /usr/bin/foo and /usr/sbin/foo. Instead of duplicating
all the paths, introduce the alias and use the new path everywhere.
Duplicate paths are removed.
(cat */.fc | sed -r 's/\s+/ /g' | sort | grep -v '^#' | uniq -c | grep -v ' 1 ')
~~~
There should be a check for symlinks using readlink -f, and that path should be used instead. I could raise an upstream PR for this, but I don't see why Fedora maintainers would care about a bug that doesn't bother them.
Alternatively, RHEL 10 would need to unify /usr/bin and /usr/sbin any time soon for this bug to resolve on its own.
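Added illustration (not code from policycoreutils, selinux-policy or the reporter) of the mechanism behind the report: fixfiles -C derives the paths it hands to restorecon from the literal prefix of each changed file_contexts spec, so a spec now written as /usr/bin/nsd never sends restorecon to /usr/sbin/nsd on a system where /usr/sbin is a real directory, while expanding the /usr/sbin alias in reverse would. The file_contexts excerpts, the subs_dist line and the simplified regex stripping are constructed assumptions, not the real files or the real sed pipeline.

```python
import re

# Constructed excerpts (not the real files) of the file_contexts before
# (/tmp/file_contexts.pre) and after the nsd policy module was enabled.
OLD_FC = """\
/etc(/.*)?          system_u:object_r:etc_t:s0
/usr/bin(/.*)?      system_u:object_r:bin_t:s0
"""
NEW_FC = """\
/etc(/.*)?          system_u:object_r:etc_t:s0
/usr/bin(/.*)?      system_u:object_r:bin_t:s0
/etc/nsd(/.*)?      system_u:object_r:nsd_conf_t:s0
/usr/bin/nsd    --  system_u:object_r:nsd_exec_t:s0
"""
# Constructed stand-in for file_contexts.subs_dist: "<alias> <target>".
SUBS_DIST = "/usr/sbin /usr/bin\n"

def changed_specs(old_fc, new_fc):
    """Specs present in only one of the two files, as `diff` would report."""
    old = set(old_fc.splitlines())
    new = set(new_fc.splitlines())
    return sorted(old ^ new)

def regex_prefix(spec):
    """Literal path prefix of the spec's regex column (assumption: fixfiles
    does this with a longer sed pipeline; the idea is the same)."""
    pattern = spec.split()[0]
    literal = re.split(r"[()\[\].*?^$\\+|]", pattern)[0]
    return literal.rstrip("/") or "/"

def search_paths(old_fc, new_fc):
    """Paths fixfiles -C would hand to find/restorecon: /usr/sbin never appears."""
    return sorted({regex_prefix(s) for s in changed_specs(old_fc, new_fc)})

def expand_aliases(paths, subs_dist):
    """Proposed fix: also visit every aliased spelling of each path, so
    /usr/bin/nsd gains /usr/sbin/nsd when /usr/sbin is aliased to /usr/bin."""
    out = set(paths)
    for line in subs_dist.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alias, target = line.split()
        for p in paths:
            if p == target or p.startswith(target + "/"):
                out.add(alias + p[len(target):])
    return sorted(out)
```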