Bug 499636 - SELinux: x11-libs/gdk-pixbuf installs mislabeled file
Summary: SELinux: x11-libs/gdk-pixbuf installs mislabeled file
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Linux Gnome Desktop Team
Keywords: Inclusion, PATCH
Duplicates: 489568
Reported: 2014-01-28 22:19 UTC by Mira Ressel
Modified: 2014-02-22 08:05 UTC (History)
Attachments
Patch for gnome2-utils.eclass fixing SELinux labeling problem (patch,526 bytes, patch)
2014-01-28 22:20 UTC, Mira Ressel
Description Mira Ressel 2014-01-28 22:19:28 UTC
x11-libs/gdk-pixbuf installs the file /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache, however this file is mislabeled on SELinux systems. This happens because the relevant code (gnome2_gdk_pixbuf_update() inside gnome2-utils.eclass) creates the file in /tmp and then moves it to the correct location.

A neat solution would be to move the file with "mv -Z", which would work both on SELinux and non-SELinux machines, however, this feature is only available with >=sys-apps/coreutils-8.22. Another solution would be to call "restorecon" on the final location of the file, however this would require some conditional logic in the eclass which only did this for SELinux systems.

Therefore, I chose a third solution, which consists of the attached two-line patch.
Comment 1 Mira Ressel 2014-01-28 22:20:24 UTC
Created attachment 369012
Patch for gnome2-utils.eclass fixing SELinux labeling problem
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-02-01 14:43:42 UTC
GNOME folks, the analysis done by Luis is correct. Moving the file keeps the context (which is for a temporary file at that point) whereas copying creates a new context (based on the directory on which the file is copied).

Would it be possible to implement this logic in the eclass?
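
The difference described in this comment (a moved file keeps the label it received in the temporary directory, a copy is labeled from its destination), as an added example that is not the attached patch or the eclass's own code: `install_by_copy` installs a generated file by copying, and `find_tmp_labeled` flags files outside /tmp that still carry a temporary-file type. The function names and the sample type names (`lib_t`, `portage_tmp_t`, `tmp_t`) are assumptions, and the listing is constructed.

```bash
#!/bin/bash
# Added example; not the attached patch. Sample listing below is constructed.

# Print the type field of an SELinux context (user:role:type[:level]).
selinux_type() {
    case "$1" in
        *:*:*) local rest="${1#*:}"; rest="${rest#*:}"; printf '%s\n' "${rest%%:*}" ;;
        *) return 1 ;;   # e.g. "?" from stat on an unlabeled filesystem
    esac
}

# Read "context path" lines (format of: stat -c '%C %n' FILE...) and print
# paths outside /tmp and /var/tmp whose type is tmp_t or ends in _tmp_t.
find_tmp_labeled() {
    local ctx path t
    while read -r ctx path; do
        t=$(selinux_type "$ctx") || continue
        case "$path" in /tmp/*|/var/tmp/*) continue ;; esac
        case "$t" in tmp_t|*_tmp_t) printf '%s\n' "$path" ;; esac
    done
}

# Install a file generated in a temp dir by creating a new file at the
# destination (cp) instead of renaming it (mv), then remove the temp copy.
install_by_copy() {
    local src="$1" dest="$2"
    cp -- "$src" "$dest" || return 1
    rm -f -- "$src"
    # cp over an existing file keeps that file's label, so on SELinux hosts
    # also reset the destination to the policy default.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon "$dest"
    fi
}

# Constructed sample; the type names are assumptions for illustration.
SAMPLE_LISTING='system_u:object_r:lib_t:s0 /usr/lib/libfoo.so
system_u:object_r:portage_tmp_t:s0 /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
system_u:object_r:tmp_t:s0 /tmp/scratch
? /mnt/unlabeled'

printf '%s\n' "$SAMPLE_LISTING" | find_tmp_labeled
```

On a real SELinux host, feed `find_tmp_labeled` the output of `stat -c '%C %n'` over the installed files instead of the sample listing.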
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2014-02-06 21:47:03 UTC
Sure, could you send this to gentoo-dev mailing list for the usual eclass review process ?
Comment 4 Mira Ressel 2014-02-06 22:08:56 UTC
(In reply to Gilles Dartiguelongue from comment #3)
> Sure, could you send this to gentoo-dev mailing list for the usual eclass
> review process ?

Okay, will do that tomorrow. But is it really necessary? I'm not too familiar with the usual workflows here yet, but according to the devmanual, minor updates to eclasses other than the omnipresent ones like eutils can and should be done at the maintainer's discretion. (Not that I'd care about the additional step, I just don't want to bother anyone...)
Comment 5 Gilles Dartiguelongue (RETIRED) gentoo-dev 2014-02-06 22:44:50 UTC
it's just that I'm not familiar with selinux stuff and would like more eyes to see it :)
Comment 6 Mira Ressel 2014-02-13 21:22:09 UTC
There haven't been any comments on my mail to gentoo-dev. It's really a trivial change and besides, it's already been acknowledged by both involved herds. Could you please apply the patch?
Comment 7 Pacho Ramos gentoo-dev 2014-02-15 15:08:51 UTC
*** Bug 489568 has been marked as a duplicate of this bug. ***
Comment 8 Pacho Ramos gentoo-dev 2014-02-22 08:05:49 UTC
+  22 Feb 2014; Pacho Ramos <pacho@gentoo.org> gnome2-utils.eclass:
+  Be more friendly with SELinux (#499636 by Luis Ressel)
+
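Review bot: The ChangeLog line "Be more friendly with SELinux" does not say which function changed or what symptom it addresses. Naming gnome2_gdk_pixbuf_update() and the mislabeled loaders.cache from #499636 in the entry would let someone reading the eclass history find this fix without opening the bug.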