RHEL-73348

python function "restorecon" not working when executed from python script


    • Bug
    • Resolution: Done-Errata
    • Blocker
    • rhel-8.10.z
    • rhel-8.10.z
    • libsemanage
    • None
    • libsemanage-2.9-11.el8_10
    • No
    • Important
    • 2
    • rhel-security-selinux
    • ssg_security
    • 24
    • 5
    • QE ack
    • False
    • False
    • None
    • SELINUX 250129: 1, SELINUX 250219: 2
    • None

      What were you trying to do that didn't work?

      y

      What is the impact of this issue to you?

      Dogtag PKI cannot be installed with custom names.

      Please provide the package NVR for which the bug is seen:

      [root@pki1 pki]# rpm -qa | grep selinux

      libselinux-utils-2.9-9.el8_10.x86_64
      selinux-policy-3.14.3-139.el8_10.1.noarch
      libselinux-2.9-9.el8_10.x86_64
      python3-libselinux-2.9-9.el8_10.x86_64
      rpm-plugin-selinux-4.14.3-32.el8_10.x86_64
      selinux-policy-targeted-3.14.3-139.el8_10.1.noarch

      How reproducible is this bug?:

      Steps to reproduce

      1. Create a folder in /etc/pki called test and a file inside.
      2. Copy the following script to the VM (it performs an action similar to the one done inside the Dogtag PKI code):
      #!/usr/bin/python3
      import sys
      import selinux
      import seobject
      
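      def update_context(file_dir, new_context):
          # Match the directory itself and everything below it.
          suffix = '(/.*)?'
          # Open a semanage transaction on the 'targeted' policy store.
          trans = seobject.semanageRecords('targeted')
          trans.start()
      
          # Add the file-context rule: target, type, ftype, serange, seuser.
          fcon = seobject.fcontextRecords(trans)
          fcon.add(
              file_dir + suffix,
              new_context, '', 's0', '')
          trans.finish()
          # Relabel in the same process: recursive, verbose, force.
          selinux.restorecon(file_dir, True, True, True)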
      
      
      if __name__ == "__main__":
          update_context(sys.argv[1], sys.argv[2])
      
      3. Run the script with:
      [root@pki1 pki]# python3 update_context.py $PWD/test pki_tomcat_etc_rw_t
      
      Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
      Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
      Updated digest for: /etc/pki/test
      

      The context is replaced with the same old value.

      Expected results

      Running the same steps in Fedora 41, the final step is:

      [root@vm-10-0-185-55 pki]# python update_context.py $PWD/test pki_tomcat_etc_rw_t
      Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
      Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
      

      The context is properly configured.

      Actual results

      The context is not updated properly.

      Additionally, if the restorecon CLI is executed after the script, the context is properly updated:

      [root@pki1 pki]# ls -lZr test
      total 0
      -rw-r--r--. 1 root root system_u:object_r:cert_t:s0 0 Jan  9 05:31 alias
      [root@pki1 pki]# restorecon -Rv test
      Relabeled /etc/pki/test from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
      Relabeled /etc/pki/test/alias from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
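
A regression check for the symptom reported above, as an added example that is not part of the original report or of the Dogtag PKI code: it parses verbose restorecon output and lists every path whose new label does not carry the requested type. The function names are hypothetical; the sample lines are the ones quoted in the report.

```python
import re

# Verbose restorecon line: "Relabeled <path> from <old context> to <new context>"
RELABEL_RE = re.compile(r"^Relabeled (?P<path>.+) from (?P<old>\S+) to (?P<new>\S+)$")


def setype(context):
    """Return the type field of a user:role:type:range context."""
    fields = context.split(":")
    if len(fields) < 4:
        raise ValueError(f"not a full SELinux context: {context!r}")
    return fields[2]


def check_relabel(output, expected_type):
    """Return (path, old_type, new_type) for each relabel that missed expected_type."""
    misses = []
    for line in output.splitlines():
        m = RELABEL_RE.match(line.strip())
        if not m:
            continue  # skips lines such as "Updated digest for: ..."
        new_type = setype(m["new"])
        if new_type != expected_type:
            misses.append((m["path"], setype(m["old"]), new_type))
    return misses


# Output of the reproducer script, copied from the report (RHEL 8.10 and Fedora 41).
RHEL8_SCRIPT = """\
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Updated digest for: /etc/pki/test
"""
FEDORA41_SCRIPT = """\
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
"""

if __name__ == "__main__":
    for name, out in (("RHEL 8.10", RHEL8_SCRIPT), ("Fedora 41", FEDORA41_SCRIPT)):
        misses = check_relabel(out, "pki_tomcat_etc_rw_t")
        print(name, "OK" if not misses else f"wrong type on {misses}")
```

An empty result only means that no relabel line carried a wrong type; paths that restorecon did not touch produce no line and are not covered by this check.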
      

              rhn-engineering-plautrba Petr Lautrbach
              rh-ee-mfargett Marco Fargetta
              Vit Mojzis
              Milos Malik