Bug 392941 - [TRACKER] SELinux file contexts are being changed during regular system operations
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Keywords: Tracker
Reported: 2011-12-02 20:17 UTC by Sven Vermeulen (RETIRED)
Modified: 2017-01-19 18:46 UTC

Attachments
Updated list (392941-LIST, 7.57 KB, text/plain)
2011-12-10 12:38 UTC, Sven Vermeulen (RETIRED)
Updated list (392941-LIST, 7.37 KB, text/plain)
2011-12-10 12:46 UTC, Sven Vermeulen (RETIRED)
Updated list (392941-LIST, 6.47 KB, text/plain)
2011-12-10 12:52 UTC, Sven Vermeulen (RETIRED)
Updated list (392941-LIST, 1.69 KB, text/plain)
2011-12-10 13:05 UTC, Sven Vermeulen (RETIRED)

Description Sven Vermeulen (RETIRED) gentoo-dev 2011-12-02 20:17:48 UTC
In the below excerpt, we find that file contexts were altered during the operation of a system and then reconverted. Either the update is wrong (which might be solved with policy updates) or the target context is wrong (which needs to be solved with file context changes).

Since this is about many packages simultaneously, created a TRACKER bug for this (and perhaps others later as well).

Reproducible: Always




restorecon reset /sys/fs/cgroup context system_u:object_r:sysfs_t->system_u:object_r:cgroup_t
restorecon reset /dev/.udev/rules.d/10-root-link.rules context system_u:object_r:device_t->system_u:object_r:udev_tbl_t
restorecon reset /dev/mapper/control context system_u:object_r:device_t->system_u:object_r:lvm_control_t
restorecon reset /var/run/.nscd_socket context system_u:object_r:var_run_t->system_u:object_r:nscd_var_run_t
restorecon reset /var/run/authdaemon.pid.lock context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /var/run/lcr/lcr.lock context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /var/run/pppd2.tdb context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /var/log/wtmp-20111201.gz context system_u:object_r:var_log_t->system_u:object_r:wtmp_t
restorecon reset /var/log/btmp-20111201.gz context system_u:object_r:var_log_t->system_u:object_r:faillog_t
restorecon reset /var/lib/texmf/web2c/metafont/mf.base context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/metafont/mf.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/tex/tex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/tex/tex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/latex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdfxmltex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/mptopdf.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/etex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/mptopdf.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdfetex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/xmltex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdftex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/latex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdfxmltex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/xmltex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdflatex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdfetex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdflatex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/pdftex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/pdftex/etex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/luatex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/dviluatex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/dviluatex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/lualatex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/dvilualatex.fmt context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/lualatex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/dvilualatex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/luatex/luatex.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/metapost/mpost.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/metapost/mfplain.mem context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/metapost/mfplain.log context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/texmf/web2c/metapost/mpost.mem context root:object_r:portage_tmp_t->system_u:object_r:tetex_data_t
restorecon reset /var/lib/mlocate/mlocate.db context system_u:object_r:cron_var_lib_t->system_u:object_r:var_lib_t
restorecon reset /var/lib/nxserver/home/.ssh context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /var/lib/nxserver/home/.ssh/server.id_dsa.pub.key context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /var/lib/nxserver/home/.ssh/client.id_dsa.key context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /var/lib/nxserver/home/.ssh/known_hosts context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /var/lib/nxserver/home/.ssh/authorized_keys2 context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /var/lib/rkhunter/db/rkhunter_prop_list.dat context system_u:object_r:cron_var_lib_t->system_u:object_r:var_lib_t
restorecon reset /var/virusmails/1322615320.M591968P28525V0000000000000903I00066A23_2.firewall,S=4467:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/virusmails/1322615328.M601156P28525V0000000000000903I00066A24_3.firewall,S=3661:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/virusmails/1322615294.M818132P28525V0000000000000903I0006697B_0.firewall,S=3493:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/virusmails/1322615301.M994215P28525V0000000000000903I000669C3_1.firewall,S=3394:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/virusmails/1322615345.M376831P28525V0000000000000903I00066A25_4.firewall,S=2791:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/cache/eix.previous context root:object_r:user_tmp_t->system_u:object_r:var_t
restorecon reset /etc/profile.env context root:object_r:etc_t->system_u:object_r:etc_runtime_t
restorecon reset /etc/init.d/dibbler-client context root:object_r:etc_t->system_u:object_r:initrc_exec_t
restorecon reset /etc/init.d/diaspora context root:object_r:etc_t->system_u:object_r:initrc_exec_t
restorecon reset /etc/amavisd.conf context root:object_r:etc_t->system_u:object_r:amavis_etc_t
restorecon reset /etc/make.conf context root:object_r:etc_t->system_u:object_r:portage_conf_t
restorecon reset /etc/env.d/binutils/config-i686-pc-linux-gnu context root:object_r:etc_t->system_u:object_r:etc_runtime_t
restorecon reset /etc/env.d/05binutils context root:object_r:etc_t->system_u:object_r:etc_runtime_t
restorecon reset /etc/resolv.conf context system_u:object_r:etc_runtime_t->system_u:object_r:net_conf_t
restorecon reset /etc/ipsec.conf context root:object_r:etc_t->system_u:object_r:ipsec_conf_file_t
restorecon reset /etc/dhcp/dhcpd.conf context root:object_r:etc_t->system_u:object_r:dhcp_etc_t
restorecon reset /etc/csh.env context root:object_r:etc_t->system_u:object_r:etc_runtime_t
restorecon reset /etc/dibbler/radvd.conf context system_u:object_r:etc_runtime_t->system_u:object_r:etc_t
restorecon reset /etc/dibbler/radvd.conf.old context system_u:object_r:etc_runtime_t->system_u:object_r:etc_t
restorecon reset /etc/hosts context root:object_r:etc_t->system_u:object_r:net_conf_t
restorecon reset /etc/bind/named.conf context root:object_r:named_zone_t->system_u:object_r:named_conf_t
restorecon reset /sbin/nca context system_u:object_r:ssh_exec_t->system_u:object_r:bin_t
restorecon reset /sbin/ncad context system_u:object_r:sshd_exec_t->system_u:object_r:bin_t
restorecon reset /usr/NX/bin/nxserver context system_u:object_r:shell_exec_t->system_u:object_r:nx_server_exec_t
restorecon reset /usr/NX/home/nx/.ssh context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /usr/NX/home/nx/.ssh/default.id_dsa.pub context system_u:object_r:user_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /usr/NX/home/nx/.ssh/known_hosts context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /usr/NX/home/nx/.ssh/authorized_keys2 context system_u:object_r:user_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /usr/NX/home/nx/.ssh/default.id_dsa.pub.backup context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /usr/NX/home/nx/.ssh/restore.id_dsa.pub context system_u:object_r:nx_server_ssh_home_t->system_u:object_r:nx_server_home_ssh_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/newrelic_rpm-3.3.0/bin context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/newrelic_rpm-3.3.0/bin/newrelic context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/newrelic_rpm-3.3.0/bin/newrelic_cmd context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/newrelic_rpm-3.3.0/bin/mongrel_rpm context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/term-ansicolor-1.0.7/bin context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/term-ansicolor-1.0.7/bin/decolor context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/term-ansicolor-1.0.7/bin/cdiff context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/rdoc-3.10/bin context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/rdoc-3.10/bin/rdoc context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ruby/gems/1.8/gems/rdoc-3.10/bin/ri context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin/c++ context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin/g++ context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin/i686-pc-linux-gnu-gcc context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin/i686-pc-linux-gnu-g++ context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin/i686-pc-linux-gnu-c++ context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin/gcc context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /usr/lib/ccache/bin/cc context root:object_r:lib_t->system_u:object_r:bin_t
restorecon reset /nomirror/major-slow.log context system_u:object_r:mysqld_db_t->system_u:object_r:default_t
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-10 12:38:28 UTC
Created attachment 295355
Updated list

The /var/lib/texmf stuff is placed by texlive-latex and texlive-basic. However, after re-emerging, the contexts are still as they should be, so can't really reproduce.

Can you try rebuilding those packages and confirm that this problem is still (or isn't anymore) present?

Attached updated list, /var/lib/texmf stripped.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-10 12:46:18 UTC
Created attachment 295359
Updated list

The /etc/init.d updates are imo because of installing the package without FEATURES="selinux". Any file placed by Portage in /etc/init.d gets the initrc_exec_t type:

/etc/init\.d/.*    regular file     system_u:object_r:initrc_exec_t

Attachment is list where init.d is removed.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-10 12:52:22 UTC
Created attachment 295361
Updated list

The virusmail stuff:

restorecon reset /var/virusmails/1322615320.M591968P28525V0000000000000903I00066A23_2.firewall,S=4467:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t 
restorecon reset /var/virusmails/1322615328.M601156P28525V0000000000000903I00066A24_3.firewall,S=3661:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/virusmails/1322615294.M818132P28525V0000000000000903I0006697B_0.firewall,S=3493:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/virusmails/1322615301.M994215P28525V0000000000000903I000669C3_1.firewall,S=3394:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
restorecon reset /var/virusmails/1322615345.M376831P28525V0000000000000903I00066A25_4.firewall,S=2791:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t

Can you confirm that /var/virusmails is already labeled as amavis_quarantine_t? It should be. Perhaps the /var/virusmails directory is not created by the package (which package is this btw?).
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-10 13:05:29 UTC
Created attachment 295363
Updated list

Stripped:
- Files whose context is correctly set by Portage after installation (i.e. cannot confirm problem)
- Files whose context is correctly set by (selinux-aware) udev and confirmed
- Files whose context change is due to a policy update (i.e. normal that this occurs now)
- Files that are part of a specific system setting (/nomirror/major-slow.log)
- Files that are generated by logrotate (yes, this makes the files var_log_t for wtmp/btmp, but that isn't an issue afaik)
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-26 16:34:31 UTC
Dropping others as well, changes are not reproducible (cannot find cause in sources)
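
Added example (not part of the original bug report or of any Gentoo tooling): a small parser for the "restorecon reset" lines quoted in the description. It groups them by old type -> new type and lists the paths whose SELinux user field changed as well, which makes a long relabel log easier to split by cause, as the comments above do by hand. The function names and the embedded sample (lines copied from the description, plus one non-matching line) are choices made for this example.

```python
import re
from collections import Counter

# restorecon reset <path> context <old context>-><new context>
LINE_RE = re.compile(
    r"^restorecon reset (?P<path>.+) context (?P<old>\S+?)->(?P<new>\S+)$"
)

def parse_line(line):
    """Return (path, old, new), contexts as (user, role, type); None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # maxsplit=3 keeps an optional MLS range (a 4th field) out of the type.
    old = tuple(m["old"].split(":", 3)[:3])
    new = tuple(m["new"].split(":", 3)[:3])
    if len(old) != 3 or len(new) != 3:
        return None
    return m["path"], old, new

def summarize(lines):
    """Count old_type -> new_type pairs; list paths whose SELinux user changed."""
    transitions, user_changed = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a restorecon line
        path, old, new = rec
        transitions[(old[2], new[2])] += 1
        if old[0] != new[0]:
            user_changed.append(path)
    return transitions, user_changed

# Sample input: five lines copied from the description, plus one non-matching line.
SAMPLE = """\
restorecon reset /etc/init.d/dibbler-client context root:object_r:etc_t->system_u:object_r:initrc_exec_t
restorecon reset /etc/init.d/diaspora context root:object_r:etc_t->system_u:object_r:initrc_exec_t
restorecon reset /etc/hosts context root:object_r:etc_t->system_u:object_r:net_conf_t
restorecon reset /var/run/pppd2.tdb context system_u:object_r:initrc_var_run_t->system_u:object_r:var_run_t
restorecon reset /var/virusmails/1322615320.M591968P28525V0000000000000903I00066A23_2.firewall,S=4467:2,S context system_u:object_r:user_home_t->system_u:object_r:amavis_quarantine_t
Reproducible: Always
""".splitlines()

if __name__ == "__main__":
    transitions, user_changed = summarize(SAMPLE)
    for (old_t, new_t), n in transitions.most_common():
        print(f"{n:3d}  {old_t} -> {new_t}")
    print("SELinux user changed:", *user_changed, sep="\n  ")
```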