- Bug
- Resolution: Unresolved
- Major
- rhel-8.8.0
- libsemanage-2.9-10.el8_10
- Moderate
- ZStream
- rhel-sst-security-selinux
- ssg_security
- QE ack
- Red Hat Enterprise Linux
- Approved Blocker
- Pass
- Automated
- Unspecified

What were you trying to do that didn't work?
Installing any SELinux module with the semodule command changes SELinux labels in /etc/selinux/targeted/contexts/files.
Please provide the package NVR for which bug is seen:
policycoreutils-2.9-20
How reproducible:
Steps to reproduce
- Create dummy SELinux module (dummy.te):
    module dummy 1.0;

    require {
        type unconfined_t;
        class file { getattr read write };
    }

    allow unconfined_t self:file { getattr read write };
- Compile the module:
    # checkmodule -M -m -o dummy.mod dummy.te
- Create package:
    # semodule_package -o dummy.pp -m dummy.mod
- Check SELinux labels:
    $ ls -laZ /etc/selinux/targeted/contexts/files
    total 1004
    drwxr-xr-x. 2 root root system_u:object_r:file_context_t:s0 4096 Nov 7 10:48 .
    drwxr-xr-x. 4 root root system_u:object_r:default_context_t:s0 4096 Sep 21 10:27 ..
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 402605 Nov 7 10:48 file_contexts
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 567302 Nov 7 10:48 file_contexts.bin
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 13835 Nov 7 10:48 file_contexts.homedirs
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 19028 Nov 7 10:48 file_contexts.homedirs.bin
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 0 Sep 21 10:27 file_contexts.local
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 0 Sep 21 10:27 file_contexts.subs
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 597 Sep 21 10:27 file_contexts.subs_dist
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 139 Sep 21 10:27 media
- Install SELinux module:
    # semodule -i dummy.pp
- Check SELinux labels again:
    $ ls -laZ /etc/selinux/targeted/contexts/files
    total 1004
    drwxr-xr-x. 2 root root system_u:object_r:file_context_t:s0 4096 Nov 7 10:48 .
    drwxr-xr-x. 4 root root system_u:object_r:default_context_t:s0 4096 Sep 21 10:27 ..
    -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 402605 Nov 7 10:48 file_contexts
    -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 567302 Nov 7 10:48 file_contexts.bin
    -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 13835 Nov 7 10:48 file_contexts.homedirs
    -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 19028 Nov 7 10:48 file_contexts.homedirs.bin
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 0 Sep 21 10:27 file_contexts.local
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 0 Sep 21 10:27 file_contexts.subs
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 597 Sep 21 10:27 file_contexts.subs_dist
    -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 139 Sep 21 10:27 media
Expected results
Labels are unchanged.
Actual results
SELinux labels (user part) for files in /etc/selinux/targeted/contexts/files are changed from system_u to unconfined_u.
- is cloned by: RHEL-31216 Semodule changes SELinux labels in /etc/selinux/targeted/contexts/files
- Planning
- links to: RHBA-2024:142895 selinux-policy bug fix update
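
A check for the label drift described in this report, written as an added example (not part of the original report or of any Red Hat tooling): it reads `ls -laZ` output and lists entries whose SELinux user differs from the expected one. The function names are hypothetical, and the embedded sample is a subset of the report's second listing.

```shell
#!/bin/bash
# Added example: detect SELinux user drift in `ls -laZ` output.
# Assumes the RHEL 8 layout shown in the report: the security context is
# the 5th whitespace-separated field, and file names contain no spaces.

# Reads `ls -laZ` lines on stdin; prints "<name> <selinux_user>" for each
# entry whose user part is not $1 (default: system_u). Exits 1 on drift.
selinux_user_drift() {
    awk -v want="${1:-system_u}" '
        # Entry lines have 10 fields and a user:role:type:level context.
        NF >= 10 && $5 ~ /^[^:]+:[^:]+:[^:]+:/ {
            name = $NF
            if (name == "." || name == "..") next
            split($5, ctx, ":")
            if (ctx[1] != want) { print name, ctx[1]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Sample input: lines taken from the listing after `semodule -i dummy.pp`.
sample_after_install() {
    cat <<'EOF'
total 1004
drwxr-xr-x. 2 root root system_u:object_r:file_context_t:s0 4096 Nov 7 10:48 .
drwxr-xr-x. 4 root root system_u:object_r:default_context_t:s0 4096 Sep 21 10:27 ..
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 402605 Nov 7 10:48 file_contexts
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 567302 Nov 7 10:48 file_contexts.bin
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 13835 Nov 7 10:48 file_contexts.homedirs
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 19028 Nov 7 10:48 file_contexts.homedirs.bin
-rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 0 Sep 21 10:27 file_contexts.local
-rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 139 Sep 21 10:27 media
EOF
}

# Run against the embedded sample; on a live system, pipe in
# `ls -laZ /etc/selinux/targeted/contexts/files` instead.
sample_after_install | selinux_user_drift system_u || echo "SELinux user drift detected"
```
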