fixfiles/autorelabel sets wrong label
Environment
- RHEL 7
- policycoreutils-2.5-17.1.el7.x86_64
Issue
When an autorelabel is scheduled for the next system boot and /etc/selinux/fixfiles_exclude_dirs is not empty, fixfiles sets an incorrect label.
Steps to Reproduce:
1. Create a dummy file and a customized context:
# touch /usr/local/bin/dummy
# semanage fcontext -a -t shell_exec_t /usr/local/bin/dummy
# restorecon -F /usr/local/bin/dummy
# ls -Z /usr/local/bin/dummy
-rw-r--r--. root root system_u:object_r:shell_exec_t:s0 /usr/local/bin/dummy
2. Add an existing directory to /etc/selinux/fixfiles_exclude_dirs:
# mkdir /mydir
# echo "/mydir" > /etc/selinux/fixfiles_exclude_dirs
3. Run "fixfiles -F restore" (this is what is done when touching /.autorelabel and rebooting):
# fixfiles -F restore
4. Verify the context:
# ls -Z /usr/local/bin/dummy
Actual results: (bin_t)
-rw-r--r--. root root system_u:object_r:bin_t:s0 /usr/local/bin/dummy
Expected results: (shell_exec_t)
-rw-r--r--. root root system_u:object_r:shell_exec_t:s0 /usr/local/bin/dummy
Resolution
Update to policycoreutils-2.5-29.el7 shipped with Advisory RHBA-2018:3098 or newer.
Root Cause
The file file_contexts.local was not included in the list of spec_files passed to the setfiles command by fixfiles restore, so the local customizations were ignored during the relabel. This bug is now fixed.
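The reproduction steps above check a single path by hand. The following script is an added example (it is not part of this solution, of fixfiles, or of policycoreutils) that generalizes the check: after a relabel it walks every literal path in file_contexts.local and reports any whose on-disk type no longer matches the customization, which is exactly what this bug silently broke. It assumes the spec-file layout written by "semanage fcontext -a" ("<path> [-type] <user>:<role>:<type>:<level>"), skips regex entries rather than matching them, and the function names, the constructed sample lines and the "stat -c %C" default are the example's own choices.

```shell
#!/bin/sh
# Added example, not Red Hat's or policycoreutils' code.
# Verify that every literal (non-regex) path listed in a file_contexts.local
# spec file carries the type that file requests. Assumed line layout (as
# written by "semanage fcontext -a"): <path> [-type] <user>:<role>:<type>:<level>

# expected_type SPEC PATH: print the type field of the last entry in SPEC whose
# path equals PATH literally, or nothing if there is no such entry.
expected_type() {
    spec="$1"; path="$2"
    awk -v p="$path" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        $1 == p { split($NF, c, ":"); t = c[3] }  # context is the last field; type is part 3
        END { print t }' "$spec"
}

# check_local_contexts SPEC GETCTX: GETCTX is a command that prints the current
# context of a path (e.g. "stat -c %C"). Prints one MISMATCH line per literal
# entry whose on-disk type differs from SPEC; returns 1 if any mismatch, else 0.
check_local_contexts() {
    spec="$1"; getctx="$2"; rc=0
    while read -r path rest; do
        case "$path" in ''|'#'*) continue ;; esac
        # Entries with regex metacharacters need a real matcher; skip them here.
        case "$path" in *'['*|*'('*|*'*'*|*'?'*|*'\'*) continue ;; esac
        want=$(expected_type "$spec" "$path")
        have=$($getctx "$path" 2>/dev/null | cut -d: -f3)
        if [ "$want" != "$have" ]; then
            echo "MISMATCH $path expected=$want actual=${have:-unknown}"
            rc=1
        fi
    done < "$spec"
    return $rc
}

# Usage on a real system, as root, after the relabel (paths are assumptions):
#   sh check_local_contexts.sh /etc/selinux/targeted/contexts/files/file_contexts.local
if [ $# -ge 1 ]; then
    check_local_contexts "$1" "${2:-stat -c %C}"
fi
```

On the reproducer above, a run against the affected policycoreutils would print "MISMATCH /usr/local/bin/dummy expected=shell_exec_t actual=bin_t" and exit non-zero; after the update it prints nothing and exits 0. Because restorecon itself reads file_contexts.local, "restorecon -nv /usr/local/bin/dummy" is an equivalent one-path spot check: it reports the relabel it would perform without changing anything.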
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.