Bug 558686 - sys-libs/libsemanage - file_contexts.homedirs file becomes empty and all HOME_DIR contexts are missing
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Jason Zaman
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-08-25 10:40 UTC by Alexander Miroshnichenko
Modified: 2015-11-22 10:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description Alexander Miroshnichenko 2015-08-25 10:40:14 UTC
alexmir-laptop ~ # restorecon -nv /home/minder/Downloads      
restorecon reset /home/minder/Downloads context staff_u:object_r:user_home_t->staff_u:object_r:default_t
alexmir-laptop ~ # restorecon -nv /home/minder/Dropbox/Public 
restorecon reset /home/minder/Dropbox/Public context staff_u:object_r:dropbox_content_t->staff_u:object_r:default_t

alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/minder/Dropbox/Public 
/.*             system_u:object_r:default_t


alexmir-laptop ~ # grep -i home /etc/selinux/strict/contexts/files/file_contexts
/var/run/user/[^/]*/libguestfs(/.*)?    system_u:object_r:virt_home_t
/root/\.k5login --      system_u:object_r:krb5_home_t



Reproducible: Always

Steps to Reproduce:
1. Configure SElinux
2. Change any boolean. For example, dropbox_bind_port -> on, dropbox_read_generic_user_content -> off
3. The restorecon command shows the context being reset to the default_t domain for any file in the HOME dir.


Expected Results:  
1. Configure SElinux
2. Change any boolean. For example, dropbox_bind_port -> on, dropbox_read_generic_user_content -> off
3. The restorecon command shows the context being reset to the RIGHT domain for any file in any dir.

alexmir-laptop ~ # sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      29


Portage 2.2.20.1 (python 2.7.9-final-0, hardened/linux/amd64/selinux, gcc-4.8.4, glibc-2.20-r2, 4.0.8-hardened x86_64)
=================================================================
System uname: Linux-4.0.8-hardened-x86_64-Intel-R-_Core-TM-_i7-4500U_CPU_@_1.80GHz-with-gentoo-2.2
KiB Mem:     7813052 total,   1803936 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Mon, 24 Aug 2015 00:45:01 +0000
sh bash 4.3_p39
ld GNU ld (Gentoo 2.24 p1.4) 2.24
app-shells/bash:          4.3_p39::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.20.2::gentoo
dev-lang/python:          2.7.9-r1::gentoo, 3.4.1::gentoo
dev-util/cmake:           3.2.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.17::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.12.6::gentoo, 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.24-r3::gentoo
sys-devel/gcc:            4.8.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 3.18::gentoo (virtual/os-headers)
sys-libs/glibc:           2.20-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/genkernel/arch/x86_64/modules_load /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=8 --load-average=7.0 --binpkg-respect-use=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles getbinpkg merge-sync metadata-transfer news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="C"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
Comment 1 Jason Zaman gentoo-dev 2015-08-25 11:25:13 UTC
That is really weird. What versions of the policies do you have installed?
Can you try re-loading all the policies:

cd /usr/share/selinux/strict/
semodule -i $(ls *.pp | grep -v unconfined)

Is there any error message?
What about if you re-install all the policy packages?

emerge -av1 $(qlist -IC sec-policy/)
Comment 2 Alexander Miroshnichenko 2015-08-25 12:37:25 UTC
(In reply to Jason Zaman from comment #1)
> That is really weird. What versions of the policies do you have installed?
alexmir-laptop ~ # qlist -ICv selinux
sec-policy/selinux-abrt-2.20141203-r7
sec-policy/selinux-accountsd-2.20141203-r7
sec-policy/selinux-alsa-2.20141203-r7
sec-policy/selinux-apm-2.20141203-r7
sec-policy/selinux-at-2.20141203-r7
sec-policy/selinux-base-2.20141203-r7
sec-policy/selinux-base-policy-2.20141203-r7
sec-policy/selinux-bluetooth-2.20141203-r7
sec-policy/selinux-brctl-2.20141203-r7
sec-policy/selinux-cgroup-2.20141203-r7
sec-policy/selinux-chromium-2.20141203-r7
sec-policy/selinux-consolekit-2.20141203-r7
sec-policy/selinux-cpucontrol-2.20141203-r7
sec-policy/selinux-cups-2.20141203-r7
sec-policy/selinux-dbus-2.20141203-r7
sec-policy/selinux-devicekit-2.20141203-r7
sec-policy/selinux-dhcp-2.20141203-r7
sec-policy/selinux-dmidecode-2.20141203-r7
sec-policy/selinux-dropbox-2.20141203-r7
sec-policy/selinux-flash-2.20141203-r7
sec-policy/selinux-ftp-2.20141203-r7
sec-policy/selinux-games-2.20141203-r7
sec-policy/selinux-gpg-2.20141203-r7
sec-policy/selinux-gpm-2.20141203-r7
sec-policy/selinux-inetd-2.20141203-r7
sec-policy/selinux-ipsec-2.20141203-r7
sec-policy/selinux-java-2.20141203-r7
sec-policy/selinux-kerberos-2.20141203-r7
sec-policy/selinux-ldap-2.20141203-r7
sec-policy/selinux-links-2.20141203-r7
sec-policy/selinux-logrotate-2.20141203-r7
sec-policy/selinux-lpd-2.20141203-r7
sec-policy/selinux-makewhatis-2.20141203-r7
sec-policy/selinux-mandb-2.20141203-r7
sec-policy/selinux-mcelog-2.20141203-r7
sec-policy/selinux-mozilla-2.20141203-r7
sec-policy/selinux-mysql-2.20141203-r7
sec-policy/selinux-networkmanager-2.20141203-r7
sec-policy/selinux-ntp-2.20141203-r7
sec-policy/selinux-openrc-2.20141203-r7
sec-policy/selinux-policykit-2.20141203-r7
sec-policy/selinux-pulseaudio-2.20141203-r7
sec-policy/selinux-qemu-2.20141203-r7
sec-policy/selinux-remotelogin-2.20141203-r7
sec-policy/selinux-rpm-2.20141203-r7
sec-policy/selinux-sasl-2.20141203-r7
sec-policy/selinux-shutdown-2.20141203-r7
sec-policy/selinux-skype-2.20141203-r7
sec-policy/selinux-smartmon-2.20141203-r7
sec-policy/selinux-sudo-2.20141203-r7
sec-policy/selinux-sysstat-2.20141203-r7
sec-policy/selinux-telnet-2.20141203-r7
sec-policy/selinux-tor-2.20141203-r7
sec-policy/selinux-uptime-2.20141203-r7
sec-policy/selinux-uucp-2.20141203-r7
sec-policy/selinux-virt-2.20141203-r7
sec-policy/selinux-vpn-2.20141203-r7
sec-policy/selinux-wireshark-2.20141203-r7
sec-policy/selinux-xscreensaver-2.20141203-r7
sec-policy/selinux-xserver-2.20141203-r7
sys-libs/libselinux-2.4


> Can you try re-loading all the policies:
> 
> cd /usr/share/selinux/strict/
> semodule -i $(ls *.pp | grep -v unconfined)

That did not help.

alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/minder/Dropbox/Public
/.*             system_u:object_r:default_t

alexmir-laptop ~ # restorecon -nv /home/minder/Downloads
restorecon reset /home/minder/Downloads context staff_u:object_r:user_home_t->staff_u:object_r:default_t

 
> Is there any error message?
I don't see any error messages in dmesg or message.log.

> What about if you re-install all the policy packages?
> 
> emerge -av1 $(qlist -IC sec-policy/)
I will try later


This is not the first time I have seen this issue. The previous time, I updated the system and the SELinux policy to new versions and the issue went away. But now it has appeared again, and I don't know what causes it. Right now I don't have any updates for the SELinux policies.
Comment 3 Alexander Miroshnichenko 2015-08-25 13:11:43 UTC
I ran "semodule -B"
After that, restorecon resets to the right domain, but findcon shows the wrong output:
alexmir-laptop ~ # restorecon -nv /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # restorecon -nv /home/minder/Dropbox/TESTFILE
restorecon reset /home/minder/Dropbox/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:dropbox_content_t

alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/minder/TESTFILE
/.*             system_u:object_r:default_t
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/minder/Dropbox/TESTFILE
/.*             system_u:object_r:default_t
alexmir-laptop ~ #
Comment 4 Alexander Miroshnichenko 2015-08-25 13:58:31 UTC
I changed some booleans, and after that restorecon reset to the wrong context again:
alexmir-laptop ~ # setsebool -P abrt_anon_write on
alexmir-laptop ~ # setsebool -P abrt_handle_event on
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:user_home_t->staff_u:object_r:default_t
alexmir-laptop ~ # ls -ltrhZ /home/minder/TESTFILE
-rw-r--r--. 1 minder minder staff_u:object_r:default_t 0 Aug 25 16:54 /home/minder/TESTFILE
alexmir-laptop ~ # semodule -B
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # ls -ltrhZ /home/minder/TESTFILE
-rw-r--r--. 1 minder minder staff_u:object_r:user_home_t 0 Aug 25 16:54 /home/minder/TESTFILE
Comment 5 Jason Zaman gentoo-dev 2015-08-25 14:28:46 UTC
For findcon you have to pass it the homedirs file. It does not automatically figure it out:

# findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/jason/Dropbox/Public
/.*	  	system_u:object_r:default_t

# findcon /etc/selinux/strict/contexts/files/file_contexts.homedirs -p /home/jason/Dropbox/Public
/home/[^/]*/.+	  	user_u:object_r:user_home_t
/home/[^/]*/Dropbox(/.*)?	  	user_u:object_r:dropbox_content_t
/home/jason/.+	  	staff_u:object_r:user_home_t
/home/jason/Dropbox(/.*)?	  	staff_u:object_r:dropbox_content_t
Comment 6 Alexander Miroshnichenko 2015-08-30 12:43:40 UTC
> What about if you re-install all the policy packages?
> 
> emerge -av1 $(qlist -IC sec-policy/)

alexmir-laptop ~ # chcon -t default_t /home/minder/TESTFILE
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE 
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # setsebool -P rsync_client off
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE 
restorecon reset /home/minder/TESTFILE context staff_u:object_r:user_home_t->staff_u:object_r:default_t
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts.homedirs -p /home/minder/TESTFILE
alexmir-laptop ~ # 
alexmir-laptop ~ # emerge -Kav1 $(qlist -IC sec-policy/)
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE 
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts.homedirs -p /home/minder/TESTFILE
/home/[^/]*/.+          user_u:object_r:user_home_t
/home/minder/.+         staff_u:object_r:user_home_t



After I run "setsebool -P", the file /etc/selinux/strict/contexts/files/file_contexts.homedirs is empty.
After I run "semodule -B" or "emerge -av1 $(qlist -IC sec-policy/)", the file /etc/selinux/strict/contexts/files/file_contexts.homedirs contains a context for every SELinux user.

I think this is a bug.
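The two findcon runs in comment 5 and the empty-versus-regenerated file in comment 6 are the same lookup seen from two sides: restorecon consults file_contexts and file_contexts.homedirs together, and once the homedirs file has no specs the only thing left matching anything under /home is the "/.*" catch-all from file_contexts. The following is an added illustration of that lookup and of a health check for the 0-byte file; it is not findcon, libselinux or libsemanage code. The two sample files are constructed to mirror the output shown in comment 5 (hypothetical user "jason"), and the last-match-wins resolution is the usual rule for these files as written by libsemanage.

```python
"""findcon-style lookup over SELinux file_contexts and file_contexts.homedirs.

Added illustration for this bug, not findcon, libselinux or libsemanage code.
The sample files are constructed to mirror comments 5 and 6.
"""
import re
from typing import List, Optional, Tuple

# Constructed: what a healthy file_contexts.homedirs looks like (comment 5).
SAMPLE_HOMEDIRS = (
    "#\n#\n# User-specific file contexts, generated via libsemanage\n#\n"
    "/home/[^/]*/.+\tuser_u:object_r:user_home_t\n"
    "/home/[^/]*/Dropbox(/.*)?\tuser_u:object_r:dropbox_content_t\n"
    "/home/jason/.+\tstaff_u:object_r:user_home_t\n"
    "/home/jason/Dropbox(/.*)?\tstaff_u:object_r:dropbox_content_t\n"
)

# Constructed: the only file_contexts entry that matches anything under /home
# once the homedirs specs are gone (comments 1 and 5).
SAMPLE_FILE_CONTEXTS = "/.*\tsystem_u:object_r:default_t\n"

# Constructed: the 0-byte file_contexts.homedirs that setsebool -P left behind.
EMPTY_HOMEDIRS = ""

Entry = Tuple[str, Optional[str], str]  # (regex, file-type flag or None, context)


def parse_file_contexts(text: str) -> List[Entry]:
    """Parse 'regex [-type] context' lines; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 2:
            regex, ftype, ctx = parts[0], None, parts[1]
        elif len(parts) == 3:
            regex, ftype, ctx = parts[0], parts[1], parts[2]
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        entries.append((regex, ftype, ctx))
    return entries


def find_matches(entries: List[Entry], path: str) -> List[Entry]:
    """Every entry whose regex matches the whole path, in file order.
    This is what 'findcon <file> -p <path>' prints for that one file."""
    return [e for e in entries if re.fullmatch(e[0], path)]


def lookup(file_contexts: str, homedirs: str, path: str) -> str:
    """Resolve the default context: homedirs entries are loaded after
    file_contexts and the last matching entry wins, so a populated homedirs
    file overrides the '/.*' catch-all.  With an empty homedirs file only
    '/.*' is left, which is why restorecon moved everything under /home to
    default_t.  Raises if nothing matches at all."""
    entries = parse_file_contexts(file_contexts) + parse_file_contexts(homedirs)
    matched = find_matches(entries, path)
    if not matched:
        raise LookupError(f"no file_contexts entry matches {path}")
    return matched[-1][2]


def homedirs_has_entries(text: str) -> bool:
    """Health check for the symptom in comments 6 and 7: a homedirs file with
    no specs (0 bytes, or comments only) means every HOME_DIR label is gone
    and the file has to be regenerated (semodule -B on this page)."""
    return len(parse_file_contexts(text)) > 0


if __name__ == "__main__":
    for hd, label in ((SAMPLE_HOMEDIRS, "healthy"), (EMPTY_HOMEDIRS, "empty")):
        print(f"{label} homedirs file, has entries: {homedirs_has_entries(hd)}")
        for p in ("/home/jason/TESTFILE", "/home/jason/Dropbox/Public"):
            print(f"  {p} -> {lookup(SAMPLE_FILE_CONTEXTS, hd, p)}")
```

The lookup returns system_u as the SELinux user, while the restorecon lines on this page print staff_u:object_r:default_t; that is because restorecon keeps the user portion of the existing label unless -F is given, and only the type is what changed.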
Comment 7 Jason Zaman gentoo-dev 2015-08-31 05:11:28 UTC
I ran into this on one of my laptops the other day too. I have no idea what I did to cause it but restorecon made my homedir default_t and the file_contexts.homedirs file was indeed empty. semodule -B also fixed the problem for me. I did not have to rebuild all the packages.

Can you reliably reproduce this? I have no idea how to trigger the problem so I can't find out why. I was rebuilding a few things on my laptop and the selinux libraries / tools were rebuilt but I don't see how that would affect anything. I may have flipped a boolean earlier but don't remember. The actual problem is that the file_contexts.homedirs file is 0 bytes so restorecon has no idea what the labels should be and thus everything is default_t.

I need to be able to reliably reproduce it and any possible denials or dmesg that shows up when it happens.
Comment 8 Alexander Miroshnichenko 2015-08-31 07:40:44 UTC
I have 3 PCs and on any of them I can reproduce this bug by changing any boolean with "/usr/sbin/setsebool -P".

I ran strace and I see:
open("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 6
umask(022)                              = 0
read(5, "", 4192)                       = 0
close(5)                                = 0
close(6)                                = 0
rename("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", "/etc/selinux/strict/contexts/files/file_contexts.homedirs") = 0


open("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 7
umask(022)                              = 0
read(6, "#\n#\n# User-specific file context"..., 4192) = 4192
write(7, "#\n#\n# User-specific file context"..., 4192) = 4192
read(6, "*)?\tstaff_u:object_r:ikec_home_t"..., 4192) = 4192
write(7, "*)?\tstaff_u:object_r:ikec_home_t"..., 4192) = 4192
read(6, ")?\troot:object_r:skype_home_t\n/r"..., 4192) = 2729
write(7, ")?\troot:object_r:skype_home_t\n/r"..., 2729) = 2729
read(6, "", 4192)                       = 0
close(6)                                = 0
close(7)                                = 0
rename("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", "/etc/selinux/strict/contexts/files/file_contexts.homedirs") = 0


setsebool creates file_contexts.homedirs.tmp, writes nothing to it and renames file_contexts.homedirs.tmp to file_contexts.homedirs.
semodule creates file_contexts.homedirs.tmp, writes the context patterns to it and renames file_contexts.homedirs.tmp to file_contexts.homedirs.
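The strace above shows why the loss is silent: the write-to-temp-then-rename sequence is atomic, so the file is never half-written, but nothing in that sequence checks that the source fd ever produced a byte. When read(5, ...) returns 0 on the first call, the rename installs an empty file over a good one. The following is an added replay of that sequence and of the guard a practitioner would put in front of it; it is not libsemanage code, the real fix is in the upstream thread linked from comments 10 and 11, and "source" below stands for whatever setsebool was reading on fd 5 (an assumption about the trace, not a claim about libsemanage internals).

```python
"""Replay of the temp-file-then-rename pattern from the strace in comment 8,
plus the guard missing from it.

Added illustration for this bug, not libsemanage code.  'src' stands for
whatever setsebool read on fd 5 in the trace (assumption).
"""
import os
import tempfile
from typing import Dict

CHUNK = 4192  # read size visible in the strace


def replace_from_source(src: str, dst: str) -> int:
    """The exact sequence in the trace: open dst.tmp O_WRONLY|O_CREAT|O_TRUNC,
    copy src in 4192-byte reads, close both, rename dst.tmp over dst.
    The rename makes the update atomic, but nothing checks that src had any
    content: when the first read returns b'' a good dst is replaced by a
    0-byte file, which is what happened to file_contexts.homedirs."""
    tmp = dst + ".tmp"
    written = 0
    fd_in = os.open(src, os.O_RDONLY)
    fd_out = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        while True:
            chunk = os.read(fd_in, CHUNK)
            if not chunk:
                break
            written += os.write(fd_out, chunk)
    finally:
        os.close(fd_in)
        os.close(fd_out)
    os.rename(tmp, dst)
    return written


def guarded_replace_from_source(src: str, dst: str) -> int:
    """Same pattern with two checks added: refuse to overwrite a non-empty dst
    with an empty src, and fsync the temp file before the rename so a crash
    cannot leave an empty dst behind either."""
    src_size = os.path.getsize(src)
    dst_size = os.path.getsize(dst) if os.path.exists(dst) else 0
    if src_size == 0 and dst_size > 0:
        raise ValueError(f"refusing to replace non-empty {dst} with empty {src}")
    tmp = dst + ".tmp"
    written = 0
    fd_in = os.open(src, os.O_RDONLY)
    fd_out = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        while True:
            chunk = os.read(fd_in, CHUNK)
            if not chunk:
                break
            written += os.write(fd_out, chunk)
        os.fsync(fd_out)
    finally:
        os.close(fd_in)
        os.close(fd_out)
    os.rename(tmp, dst)
    return written


def demo() -> Dict[str, object]:
    """Reproduce the symptom offline with constructed files: a populated
    'file_contexts.homedirs', an empty source (the setsebool -P case in the
    trace) and a populated source (the semodule -B case)."""
    good = b"/home/[^/]*/.+\tuser_u:object_r:user_home_t\n"  # constructed spec
    with tempfile.TemporaryDirectory() as d:
        homedirs = os.path.join(d, "file_contexts.homedirs")
        empty_src = os.path.join(d, "empty_source")
        good_src = os.path.join(d, "good_source")
        with open(homedirs, "wb") as f:
            f.write(good)
        open(empty_src, "wb").close()
        with open(good_src, "wb") as f:
            f.write(good)

        # 1. the setsebool -P path from the trace: the good file becomes 0 bytes
        replace_from_source(empty_src, homedirs)
        after_unguarded = os.path.getsize(homedirs)

        # 2. the semodule -B path: a populated source restores the content
        replace_from_source(good_src, homedirs)
        after_rebuild = os.path.getsize(homedirs)

        # 3. the guarded version refuses the empty source and leaves dst intact
        try:
            guarded_replace_from_source(empty_src, homedirs)
            refused = False
        except ValueError:
            refused = True
        after_guarded = os.path.getsize(homedirs)

        return {
            "original": len(good),
            "after_unguarded": after_unguarded,
            "after_rebuild": after_rebuild,
            "guarded_refused": refused,
            "after_guarded": after_guarded,
        }


if __name__ == "__main__":
    print(demo())
```

The guard is deliberately narrow: an empty source is a legitimate result when no user has a home-directory spec, so the refusal only fires when it would destroy existing content, and the caller still decides whether that is an error or a no-op.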
Comment 9 Jason Zaman gentoo-dev 2015-09-03 10:05:57 UTC
Thanks, now I can reproduce it on all my systems too. I tried the latest git sources too in my test VM. I reported the bug upstream here:
https://marc.info/?l=selinux&m=144127449221129&w=2
Comment 10 Jason Zaman gentoo-dev 2015-09-04 02:58:19 UTC
I added sys-libs/libsemanage-2.4-r2 to the tree to fix this.

The fix was posted here:
https://marc.info/?l=selinux&m=144129974231332&w=2

I also added a couple other patches which added other files to the managed area as well since at first the patch failed to apply and it looked like they might be important too.
Comment 11 Jason Zaman gentoo-dev 2015-09-04 03:00:48 UTC
The link in comment 10 went to one of the replies. This is the correct link.
https://marc.info/?l=selinux&m=144129375427383&w=2
Comment 12 Jason Zaman gentoo-dev 2015-11-22 10:40:46 UTC
sys-libs/libsemanage-2.4-r2 is stable