- Bug
- Resolution: Done-Errata
- Blocker
- rhel-8.10.z
- None
- libsemanage-2.9-11.el8_10
- No
- Important
- 2
- rhel-security-selinux
- ssg_security
- 24
- 5
- QE ack
- False
- False
- None
- SELINUX 250129: 1, SELINUX 250219: 2
- Pass
- Automated
- None
What were you trying to do that didn't work?
y
What is the impact of this issue to you?
Dogtag PKI cannot be installed with custom names.
Please provide the package NVR for which the bug is seen:
```
[root@pki1 pki]# rpm -qa | grep selinux
libselinux-utils-2.9-9.el8_10.x86_64
selinux-policy-3.14.3-139.el8_10.1.noarch
libselinux-2.9-9.el8_10.x86_64
python3-libselinux-2.9-9.el8_10.x86_64
rpm-plugin-selinux-4.14.3-32.el8_10.x86_64
selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
```
How reproducible is this bug?:
Steps to reproduce
- Create a folder in /etc/pki called test and a file inside.
- Copy the following script to the VM (this performs an action similar to the one done inside the Dogtag PKI code):

```python
#!/usr/bin/python3
import sys
import selinux
import seobject


def update_context(file_dir, new_context):
    # Cover the directory itself and everything below it.
    suffix = '(/.*)?'
    # Add the file-context rule inside a semanage transaction.
    trans = seobject.semanageRecords('targeted')
    trans.start()
    fcon = seobject.fcontextRecords(trans)
    fcon.add(file_dir + suffix, new_context, '', 's0', '')
    trans.finish()
    # Relabel from the same process: recursive, verbose, force.
    selinux.restorecon(file_dir, True, True, True)


if __name__ == "__main__":
    update_context(sys.argv[1], sys.argv[2])
```
- Run the script with:

```
[root@pki1 pki]# python3 update_context.py $PWD/test pki_tomcat_etc_rw_t
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Updated digest for: /etc/pki/test
```
The context is replaced with the same old value.
Expected results
Running the same steps in Fedora 41, the final step is:

```
[root@vm-10-0-185-55 pki]# python update_context.py $PWD/test pki_tomcat_etc_rw_t
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
```
The context is properly configured.
Actual results
The context is not updated properly.
Additionally, if the restorecon CLI is executed after the script, the context is properly updated:

```
[root@pki1 pki]# ls -lZr test
total 0
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0 0 Jan 9 05:31 alias
[root@pki1 pki]# restorecon -Rv test
Relabeled /etc/pki/test from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Relabeled /etc/pki/test/alias from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
```
- is cloned by
  - RHEL-76472 python function "restorecon" not working when executed from python script
  - Closed
- links to
  - RHBA-2025:145374 libselinux bug fix update
  - RHBA-2025:145392 libsemanage update