RHEL-31216

Semodule changes SELinux labels in /etc/selinux/targeted/contexts/files

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Normal
    • rhel-9.6
    • rhel-9.3.0
    • libsemanage
    • ZStream
    • rhel-sst-security-selinux
    • ssg_security
    • Red Hat Enterprise Linux
    • Approved Blocker
    • The automated test passes.
    • Automated
    • Unspecified Release Note Type - Unknown
    • Unspecified

      What were you trying to do that didn't work?

      Installing any SELinux module with semodule command changes SELinux labels in /etc/selinux/targeted/contexts/files.

      Please provide the package NVR for which the bug is seen:

      policycoreutils-2.9-20

      How reproducible:

      Steps to reproduce

      1. Create a dummy SELinux module (dummy.te):
        module dummy 1.0;
        
        require {
            type unconfined_t;
            class file { getattr read write };
        }
        
        allow unconfined_t self:file { getattr read write };
        
      2. Compile the module:
        # checkmodule -M -m -o dummy.mod dummy.te
        
      3. Create the package:
        # semodule_package -o dummy.pp -m dummy.mod
        
      4. Check the SELinux labels:
        $ ls -laZ /etc/selinux/targeted/contexts/files
        total 1004
        drwxr-xr-x. 2 root root system_u:object_r:file_context_t:s0      4096 Nov  7 10:48 .
        drwxr-xr-x. 4 root root system_u:object_r:default_context_t:s0   4096 Sep 21 10:27 ..
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0    402605 Nov  7 10:48 file_contexts
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0    567302 Nov  7 10:48 file_contexts.bin
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0     13835 Nov  7 10:48 file_contexts.homedirs
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0     19028 Nov  7 10:48 file_contexts.homedirs.bin
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0         0 Sep 21 10:27 file_contexts.local
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0         0 Sep 21 10:27 file_contexts.subs
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0       597 Sep 21 10:27 file_contexts.subs_dist
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0       139 Sep 21 10:27 media
        
      5. Install the SELinux module:
        # semodule -i dummy.pp
        
      6. Check the SELinux labels again:
        $ ls -laZ /etc/selinux/targeted/contexts/files
        total 1004
        drwxr-xr-x. 2 root root system_u:object_r:file_context_t:s0       4096 Nov  7 10:48 .
        drwxr-xr-x. 4 root root system_u:object_r:default_context_t:s0    4096 Sep 21 10:27 ..
        -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 402605 Nov  7 10:48 file_contexts
        -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 567302 Nov  7 10:48 file_contexts.bin
        -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0  13835 Nov  7 10:48 file_contexts.homedirs
        -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0  19028 Nov  7 10:48 file_contexts.homedirs.bin
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0          0 Sep 21 10:27 file_contexts.local
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0          0 Sep 21 10:27 file_contexts.subs
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0        597 Sep 21 10:27 file_contexts.subs_dist
        -rw-r--r--. 1 root root system_u:object_r:file_context_t:s0        139 Sep 21 10:27 media

      Expected results

      Labels are unchanged.

      Actual results

      The SELinux user field of the labels on the files that semodule regenerates in /etc/selinux/targeted/contexts/files (file_contexts, file_contexts.bin, file_contexts.homedirs and file_contexts.homedirs.bin) changes from system_u to unconfined_u; the role, type and level are unchanged, and files semodule does not rewrite keep system_u.
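      An added check, not part of this bug report or of libsemanage, that detects the symptom above: it reads "ls -laZ" output, splits the context of every regular file into user:role:type:level and reports each file whose SELinux user is not the expected system_u. The function names, the sample listing (a trimmed, constructed copy of the post-semodule output shown in step 6) and the assumption that file names contain no spaces are all the example's own.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit the SELinux user field of
# the file-context files under /etc/selinux/<store>/contexts/files.
# The policy ships these files labelled system_u; a listing that shows another
# user (unconfined_u in this report) is the symptom described above.

# check_selinux_user EXPECTED_USER
#   Reads "ls -laZ" output on stdin and prints "<name> <user>" for every
#   regular file whose SELinux user is not EXPECTED_USER (default: system_u).
#   The "total N" line and directories are skipped. Assumes file names
#   without spaces, which holds for this directory.
check_selinux_user() {
    want="${1:-system_u}"
    awk -v want="$want" '
        /^-/ {
            # field 5 is the context, e.g. unconfined_u:object_r:file_context_t:s0
            split($5, ctx, ":")
            if (ctx[1] != want) print $NF, ctx[1]
        }'
}

# count_mislabelled EXPECTED_USER
#   Number of offending files; convenient for a compliance check or alert.
count_mislabelled() {
    check_selinux_user "$1" | wc -l | tr -d ' '
}

# Constructed sample: a trimmed copy of the listing taken after "semodule -i".
SAMPLE_LS_OUTPUT='total 1004
drwxr-xr-x. 2 root root system_u:object_r:file_context_t:s0 4096 Nov  7 10:48 .
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 402605 Nov  7 10:48 file_contexts
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 567302 Nov  7 10:48 file_contexts.bin
-rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 0 Sep 21 10:27 file_contexts.local
-rw-r--r--. 1 root root system_u:object_r:file_context_t:s0 139 Sep 21 10:27 media'

# Off-line run on the constructed sample. On a real host replace the printf
# with:  ls -laZ /etc/selinux/targeted/contexts/files
printf '%s\n' "$SAMPLE_LS_OUTPUT" | check_selinux_user system_u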

      People: Vit Mojzis (vmojzis@redhat.com), Dynatrace (agentplatform, inactive), Milos Malik
      Votes: 0
      Watchers: 8