| Field | Value | Field | Value |
|---|---|---|---|
| Summary | sys-libs/libsemanage - file_contexts.homedirs file becomes empty and all HOME_DIR contexts are missing | | |
| Product | Gentoo Linux | Reporter | Alexander Miroshnichenko <alex> |
| Component | SELinux | Assignee | Jason Zaman <perfinion> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | selinux |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
Description
Alexander Miroshnichenko
2015-08-25 10:40:14 UTC

Jason Zaman (comment #1)

That is really weird. What versions of the policies do you have installed? Can you try re-loading all the policies:

```
cd /usr/share/selinux/strict/
semodule -i $(ls *.pp | grep -v unconfined)
```

Is there any error message? What about if you re-install all the policy packages?

```
emerge -av1 $(qlist -IC sec-policy/)
```

Alexander Miroshnichenko

(In reply to Jason Zaman from comment #1)
> That is really weird. What versions of the policies do you have installed?

```
alexmir-laptop ~ # qlist -ICv selinux
sec-policy/selinux-abrt-2.20141203-r7
sec-policy/selinux-accountsd-2.20141203-r7
sec-policy/selinux-alsa-2.20141203-r7
sec-policy/selinux-apm-2.20141203-r7
sec-policy/selinux-at-2.20141203-r7
sec-policy/selinux-base-2.20141203-r7
sec-policy/selinux-base-policy-2.20141203-r7
sec-policy/selinux-bluetooth-2.20141203-r7
sec-policy/selinux-brctl-2.20141203-r7
sec-policy/selinux-cgroup-2.20141203-r7
sec-policy/selinux-chromium-2.20141203-r7
sec-policy/selinux-consolekit-2.20141203-r7
sec-policy/selinux-cpucontrol-2.20141203-r7
sec-policy/selinux-cups-2.20141203-r7
sec-policy/selinux-dbus-2.20141203-r7
sec-policy/selinux-devicekit-2.20141203-r7
sec-policy/selinux-dhcp-2.20141203-r7
sec-policy/selinux-dmidecode-2.20141203-r7
sec-policy/selinux-dropbox-2.20141203-r7
sec-policy/selinux-flash-2.20141203-r7
sec-policy/selinux-ftp-2.20141203-r7
sec-policy/selinux-games-2.20141203-r7
sec-policy/selinux-gpg-2.20141203-r7
sec-policy/selinux-gpm-2.20141203-r7
sec-policy/selinux-inetd-2.20141203-r7
sec-policy/selinux-ipsec-2.20141203-r7
sec-policy/selinux-java-2.20141203-r7
sec-policy/selinux-kerberos-2.20141203-r7
sec-policy/selinux-ldap-2.20141203-r7
sec-policy/selinux-links-2.20141203-r7
sec-policy/selinux-logrotate-2.20141203-r7
sec-policy/selinux-lpd-2.20141203-r7
sec-policy/selinux-makewhatis-2.20141203-r7
sec-policy/selinux-mandb-2.20141203-r7
sec-policy/selinux-mcelog-2.20141203-r7
sec-policy/selinux-mozilla-2.20141203-r7
sec-policy/selinux-mysql-2.20141203-r7
sec-policy/selinux-networkmanager-2.20141203-r7
sec-policy/selinux-ntp-2.20141203-r7
sec-policy/selinux-openrc-2.20141203-r7
sec-policy/selinux-policykit-2.20141203-r7
sec-policy/selinux-pulseaudio-2.20141203-r7
sec-policy/selinux-qemu-2.20141203-r7
sec-policy/selinux-remotelogin-2.20141203-r7
sec-policy/selinux-rpm-2.20141203-r7
sec-policy/selinux-sasl-2.20141203-r7
sec-policy/selinux-shutdown-2.20141203-r7
sec-policy/selinux-skype-2.20141203-r7
sec-policy/selinux-smartmon-2.20141203-r7
sec-policy/selinux-sudo-2.20141203-r7
sec-policy/selinux-sysstat-2.20141203-r7
sec-policy/selinux-telnet-2.20141203-r7
sec-policy/selinux-tor-2.20141203-r7
sec-policy/selinux-uptime-2.20141203-r7
sec-policy/selinux-uucp-2.20141203-r7
sec-policy/selinux-virt-2.20141203-r7
sec-policy/selinux-vpn-2.20141203-r7
sec-policy/selinux-wireshark-2.20141203-r7
sec-policy/selinux-xscreensaver-2.20141203-r7
sec-policy/selinux-xserver-2.20141203-r7
sys-libs/libselinux-2.4
```

> Can you try re-loading all the policies:
>
> cd /usr/share/selinux/strict/
> semodule -i $(ls *.pp | grep -v unconfined)

Did not help.

```
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/minder/Dropbox/Public
/.*	system_u:object_r:default_t
alexmir-laptop ~ # restorecon -nv /home/minder/Downloads
restorecon reset /home/minder/Downloads context staff_u:object_r:user_home_t->staff_u:object_r:default_t
```

> Is there any error message?

I don't see any error messages in dmesg or message.log.

> What about if you re-install all the policy packages?
>
> emerge -av1 $(qlist -IC sec-policy/)

I will try later.

This is not the first time I have seen this issue. The previous time, I updated the system and the SELinux policy to new versions and the issue went away. But now it appears again, and I don't know what causes it. Right now I don't have any updates for the SELinux policies.

Alexander Miroshnichenko

I ran "semodule -B". After that restorecon resets to the right domain, but findcon shows wrong output:

```
alexmir-laptop ~ # restorecon -nv /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # restorecon -nv /home/minder/Dropbox/TESTFILE
restorecon reset /home/minder/Dropbox/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:dropbox_content_t
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/minder/TESTFILE
/.*	system_u:object_r:default_t
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/minder/Dropbox/TESTFILE
/.*	system_u:object_r:default_t
alexmir-laptop ~ #
```

I changed some booleans and after that restorecon reset to the wrong context again:

```
alexmir-laptop ~ # setsebool -P abrt_anon_write on
alexmir-laptop ~ # setsebool -P abrt_handle_event on
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:user_home_t->staff_u:object_r:default_t
alexmir-laptop ~ # ls -ltrhZ /home/minder/TESTFILE
-rw-r--r--. 1 minder minder staff_u:object_r:default_t 0 авг 25 16:54 /home/minder/TESTFILE
alexmir-laptop ~ # semodule -B
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # ls -ltrhZ /home/minder/TESTFILE
-rw-r--r--. 1 minder minder staff_u:object_r:user_home_t 0 авг 25 16:54 /home/minder/TESTFILE
```

Jason Zaman

For findcon you have to pass it the homedirs file. It does not automatically figure it out:

```
# findcon /etc/selinux/strict/contexts/files/file_contexts -p /home/jason/Dropbox/Public
/.*	system_u:object_r:default_t
# findcon /etc/selinux/strict/contexts/files/file_contexts.homedirs -p /home/jason/Dropbox/Public
/home/[^/]*/.+	user_u:object_r:user_home_t
/home/[^/]*/Dropbox(/.*)?	user_u:object_r:dropbox_content_t
/home/jason/.+	staff_u:object_r:user_home_t
/home/jason/Dropbox(/.*)?	staff_u:object_r:dropbox_content_t
```

Alexander Miroshnichenko

> What about if you re-install all the policy packages?
>
> emerge -av1 $(qlist -IC sec-policy/)

```
alexmir-laptop ~ # chcon -t default_t /home/minder/TESTFILE
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # setsebool -P rsync_client off
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:user_home_t->staff_u:object_r:default_t
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts.homedirs -p /home/minder/TESTFILE
alexmir-laptop ~ #
alexmir-laptop ~ # emerge -Kav1 $(qlist -IC sec-policy/)
alexmir-laptop ~ # restorecon -v /home/minder/TESTFILE
restorecon reset /home/minder/TESTFILE context staff_u:object_r:default_t->staff_u:object_r:user_home_t
alexmir-laptop ~ # findcon /etc/selinux/strict/contexts/files/file_contexts.homedirs -p /home/minder/TESTFILE
/home/[^/]*/.+	user_u:object_r:user_home_t
/home/minder/.+	staff_u:object_r:user_home_t
```

After I run "setsebool -P", the file /etc/selinux/strict/contexts/files/file_contexts.homedirs is empty.

After I run "semodule -B" or "emerge -av1 $(qlist -IC sec-policy/)", the file /etc/selinux/strict/contexts/files/file_contexts.homedirs contains contexts for every SELinux user.

I think this is a bug.

Jason Zaman

I ran into this on one of my laptops the other day too. I have no idea what I did to cause it, but restorecon made my homedir default_t and the file_contexts.homedirs file was indeed empty. semodule -B also fixed the problem for me. I did not have to rebuild all the packages.

Can you reliably reproduce this? I have no idea how to trigger the problem so I can't find out why. I was rebuilding a few things on my laptop and the selinux libraries / tools were rebuilt, but I don't see how that would affect anything. I may have flipped a boolean earlier but don't remember.

The actual problem is that the file_contexts.homedirs file is 0 bytes, so restorecon has no idea what the labels should be and thus everything is default_t. I need to be able to reliably reproduce it and any possible denials or dmesg that shows up when it happens.

Alexander Miroshnichenko

I have 3 PCs and on any of them I can reproduce this bug by changing any boolean with "/usr/sbin/setsebool -P". I ran strace and I see:

```
open("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 6
umask(022) = 0
read(5, "", 4192) = 0
close(5) = 0
close(6) = 0
rename("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", "/etc/selinux/strict/contexts/files/file_contexts.homedirs") = 0
open("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", O_WRONLY|O_CREAT|O_TRUNC, 0644) = 7
umask(022) = 0
read(6, "#\n#\n# User-specific file context"..., 4192) = 4192
write(7, "#\n#\n# User-specific file context"..., 4192) = 4192
read(6, "*)?\tstaff_u:object_r:ikec_home_t"..., 4192) = 4192
write(7, "*)?\tstaff_u:object_r:ikec_home_t"..., 4192) = 4192
read(6, ")?\troot:object_r:skype_home_t\n/r"..., 4192) = 2729
write(7, ")?\troot:object_r:skype_home_t\n/r"..., 2729) = 2729
read(6, "", 4192) = 0
close(6) = 0
close(7) = 0
rename("/etc/selinux/strict/contexts/files/file_contexts.homedirs.tmp", "/etc/selinux/strict/contexts/files/file_contexts.homedirs") = 0
```

setsebool creates file_contexts.homedirs.tmp, writes nothing to it and renames file_contexts.homedirs.tmp to file_contexts.homedirs. semodule creates file_contexts.homedirs.tmp, writes the context patterns to it and renames file_contexts.homedirs.tmp to file_contexts.homedirs.

Jason Zaman

Thanks, now I can reproduce it on all my systems too. I tried the latest git sources too in my test VM. I reported the bug upstream here: https://marc.info/?l=selinux&m=144127449221129&w=2

Jason Zaman

I added sys-libs/libsemanage-2.4-r2 to the tree to fix this. The fix was posted here: https://marc.info/?l=selinux&m=144129974231332&w=2

I also added a couple of other patches which added other files to the managed area as well, since at first the patch failed to apply and it looked like they might be important too.

Jason Zaman

The link in comment 10 went to one of the replies. This is the correct link: https://marc.info/?l=selinux&m=144129375427383&w=2

Jason Zaman

sys-libs/libsemanage-2.4-r2 is stable.
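The thread shows the failure mode clearly: setsebool -P atomically replaces file_contexts.homedirs with a zero-byte file, and the next restorecon then relabels home directories to default_t. The following POSIX shell script is an added example (not from the bug report, the Gentoo ebuild, or libsemanage) of the post-change check an administrator could run after every `setsebool -P` or `semodule` call on an affected version: it flags a missing or empty homedirs file and lists which SELinux users still have home-directory patterns in it. The sample files it checks are constructed in a temporary directory, standing in for the real /etc/selinux/strict/contexts/files/file_contexts.homedirs, so it runs without SELinux present.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libsemanage: a sanity check
# for file_contexts.homedirs after a policy operation. On the affected
# libsemanage the file comes back as zero bytes after setsebool -P, so catching
# that before the next restorecon avoids a home directory full of default_t.

# Returns 0 if the file exists and holds at least one non-comment, non-blank
# context line; 1 otherwise (missing, zero bytes, or comments only).
check_homedirs_contexts() {
    f="$1"
    [ -s "$f" ] || return 1
    # grep -c exits 1 when nothing matches; "|| true" keeps the "0" it printed
    n=$(grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" || true)
    [ "$n" -gt 0 ]
}

# Prints the distinct SELinux users (first field of the context, e.g. staff_u)
# that have home-directory patterns in the file, one per line, sorted.
# The regenerated file is expected to carry contexts for every SELinux user,
# so an expected user missing from this list is a second warning sign.
homedirs_users() {
    awk '!/^[[:space:]]*#/ && NF >= 2 { split($NF, c, ":"); print c[1] }' "$1" | sort -u
}

# Constructed sample files standing in for the real
# /etc/selinux/strict/contexts/files/file_contexts.homedirs.
demo_dir=$(mktemp -d)
GOOD_HOMEDIRS="$demo_dir/file_contexts.homedirs.good"
EMPTY_HOMEDIRS="$demo_dir/file_contexts.homedirs.empty"
printf '#\n# User-specific file contexts (constructed sample)\n#\n' > "$GOOD_HOMEDIRS"
printf '/home/[^/]*/.+\tuser_u:object_r:user_home_t\n' >> "$GOOD_HOMEDIRS"
printf '/home/minder/.+\tstaff_u:object_r:user_home_t\n' >> "$GOOD_HOMEDIRS"
printf '/home/minder/Dropbox(/.*)?\tstaff_u:object_r:dropbox_content_t\n' >> "$GOOD_HOMEDIRS"
: > "$EMPTY_HOMEDIRS"    # the zero-byte file the strace in the thread shows

for f in "$GOOD_HOMEDIRS" "$EMPTY_HOMEDIRS"; do
    if check_homedirs_contexts "$f"; then
        echo "OK   $f: users $(homedirs_users "$f" | tr '\n' ' ')"
    else
        echo "WARN $f: no home-directory contexts; run 'semodule -B' to regenerate" >&2
    fi
done
```

To use it on a real system, point `check_homedirs_contexts` at the policy store's homedirs file right after the boolean change; a failing check means the remedy the thread arrived at, `semodule -B`, is needed before any restorecon touches /home.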