- Bug
- Resolution: Done-Errata
- Blocker
- rhel-9.6
- None
- libselinux-3.6-3.el9
- No
- Important
- 2
- rhel-security-selinux
- ssg_security
- 24
- 2
- QE ack
- False
- False
- No
- SELINUX 250129: 1, SELINUX 250219: 2
- Pass
- Automated
- Release Note Not Required
- None
What were you trying to do that didn't work?
Dogtag PKI installation, when using a custom folder name, will update the file context during the installation in order to allow the execution, but the "restorecon" method does not work.
What is the impact of this issue to you?
Dogtag PKI cannot be installed with custom names.
Please provide the package NVR for which the bug is seen:
[root@pki1 pki]# rpm -qa | grep selinux
libselinux-utils-2.9-9.el8_10.x86_64
selinux-policy-3.14.3-139.el8_10.1.noarch
libselinux-2.9-9.el8_10.x86_64
python3-libselinux-2.9-9.el8_10.x86_64
rpm-plugin-selinux-4.14.3-32.el8_10.x86_64
selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
How reproducible is this bug?:
Steps to reproduce
- Create a folder in /etc/pki called test and a file inside.
- Copy the following script to the VM (it performs an action similar to the one done inside the DogtagPKI code):

```python
#!/usr/bin/python3
import sys

import selinux
import seobject


def update_context(file_dir, new_context):
    # Match the directory itself and everything beneath it.
    suffix = '(/.*)?'
    # Add the file-context rule in one semanage transaction.
    trans = seobject.semanageRecords('targeted')
    trans.start()
    fcon = seobject.fcontextRecords(trans)
    fcon.add(file_dir + suffix, new_context, '', 's0', '')
    trans.finish()
    # Arguments: path, recursive, verbose, force.
    selinux.restorecon(file_dir, True, True, True)


if __name__ == "__main__":
    update_context(sys.argv[1], sys.argv[2])
```
- Run the script with:

```
[root@pki1 pki]# python3 update_context.py $PWD/test pki_tomcat_etc_rw_t
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Updated digest for: /etc/pki/test
```
The context is replaced with the same old value.
Expected results
Running the same steps on Fedora 41, the final step is:

```
[root@vm-10-0-185-55 pki]# python update_context.py $PWD/test pki_tomcat_etc_rw_t
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
```
The context is properly configured.
Actual results
The context is not updated properly.
Additionally, if the restorecon CLI is executed after the script, the context is properly updated:

```
[root@pki1 pki]# ls -lZr test
total 0
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0 0 Jan 9 05:31 alias
[root@pki1 pki]# restorecon -Rv test
Relabeled /etc/pki/test from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Relabeled /etc/pki/test/alias from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
```
- clones
  - RHEL-73348 python function "restorecon" not working when executed from python script
  - Closed
- links to
  - RHBA-2025:145394 libselinux update
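An added example, not part of the original report or of the Dogtag PKI code: a post-relabel check an installer could run after calling `selinux.restorecon`, falling back to the `restorecon` CLI in a separate process, which the report shows applying the new rule. The function names are hypothetical, and the check assumes every path under the directory should carry the newly added type (no more specific file-context rule applies).

```python
import os
import subprocess


def context_type(raw):
    """Extract the type field from a raw security.selinux xattr value."""
    # Layout is user:role:type:range; the range may itself contain ':'.
    return raw.rstrip(b"\0").decode().split(":")[2]


def selinux_type(path):
    """Read the SELinux type of path directly from its xattr (Linux only)."""
    raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    return context_type(raw)


def mislabeled(root, expected_type, read_type=selinux_type):
    """Return paths under root (root included) whose type is not expected_type."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, name) for name in dirnames + filenames]
    return [p for p in paths if read_type(p) != expected_type]


def ensure_relabeled(root, expected_type, read_type=selinux_type,
                     run=subprocess.run):
    """Verify the relabel took effect; if not, retry with the restorecon CLI.

    Returns the paths that are still mislabeled (empty list on success).
    read_type and run are injectable so the logic can be tested off-host.
    """
    if not mislabeled(root, expected_type, read_type):
        return []
    # Assumption: restorecon is on PATH and the caller may relabel root.
    run(["restorecon", "-R", root], check=True)
    return mislabeled(root, expected_type, read_type)
```

A non-empty return value means the labels are still wrong after the CLI fallback and the installation should stop rather than continue with files the confined service cannot access.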