Bug 455080 - sys-process/fcron-3.1.1 - Files were moved without updating default selinux file context policies, please patch.
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r12
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2013-02-02 01:14 UTC by vespian
Modified: 2013-03-29 10:53 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix fcron&fcronsighup default contexts (fcron_context_p1.patch,1.02 KB, text/plain)
2013-02-02 01:14 UTC, vespian
Fix default selinux context for fcrontab's temporary files. (fcron_context_p2.patch,1.08 KB, patch)
2013-02-02 01:15 UTC, vespian
emerge --info (emerge_info,5.12 KB, text/plain)
2013-02-02 01:17 UTC, vespian

Description vespian 2013-02-02 01:14:19 UTC
Created attachment 337640 [details]
Fix fcron&fcronsighup default contexts

With the fcron update from 3.0.6-r1 to 3.1.1, the fcron and fcronsighup binaries were moved to /usr/libexec without updating the SELinux file context policies.

In effect, right after the update we have:
~ # semanage fcontext -l | grep fcronsighup
/usr/sbin/fcronsighup                              regular file       system_u:object_r:crontab_exec_t:s0 
~ # ls -lZ /usr/libexec/fcronsighup 
-rws--x---. 1 root fcron system_u:object_r:bin_t:s0 27032 01-29 03:03 /usr/libexec/fcronsighup

A patch implementing a possible fix is attached as fcron_context_p1.patch.

Additionally, the policy does not reflect the temporary files which fcron creates; the patch is in fcron_context_p2.patch.

There are other changes too, but still working on them.
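
The mismatch shown in the description can be checked mechanically. The following is an added example, not part of the original report or of the attached patches: it parses the two command outputs quoted above and flags a file whose basename still has a file-context rule under a different directory while its on-disk type differs. The function names are hypothetical, and path specs are compared as literal paths (real specs are regular expressions).

```python
import posixpath

# Output quoted in the bug report above (column padding trimmed).
FCONTEXT_L = "/usr/sbin/fcronsighup  regular file  system_u:object_r:crontab_exec_t:s0\n"
LS_LZ = "-rws--x---. 1 root fcron system_u:object_r:bin_t:s0 27032 01-29 03:03 /usr/libexec/fcronsighup\n"

def selinux_type(field):
    """Return the type from a user:role:type:level context, else None."""
    parts = field.split(":")
    return parts[2] if len(parts) >= 4 else None

def parse_fcontext(text):
    """Map path spec -> expected type from `semanage fcontext -l` lines."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].startswith("/"):
            ctype = selinux_type(fields[-1])
            if ctype:
                rules[fields[0]] = ctype
    return rules

def parse_ls_z(text):
    """Map path -> on-disk type from `ls -lZ` lines."""
    files = {}
    for line in text.splitlines():
        fields = line.split()
        types = [t for t in map(selinux_type, fields[:-1]) if t]
        if types and fields[-1].startswith("/"):
            files[fields[-1]] = types[0]
    return files

def find_moved_unlabeled(rules, files):
    """Flag files whose basename has a rule elsewhere (literal specs only, an assumption)."""
    by_name = {}
    for spec, ctype in rules.items():
        by_name.setdefault(posixpath.basename(spec), []).append((spec, ctype))
    findings = []
    for path, actual in files.items():
        if path in rules:
            continue  # a rule already names this exact path
        for spec, expected in by_name.get(posixpath.basename(path), []):
            if expected != actual:
                findings.append((path, actual, spec, expected))
    return findings

if __name__ == "__main__":
    for f in find_moved_unlabeled(parse_fcontext(FCONTEXT_L), parse_ls_z(LS_LZ)):
        print("%s is %s, but stale rule %s expects %s" % f)
```
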
Comment 1 vespian 2013-02-02 01:15:06 UTC
Created attachment 337642 [details, diff]
Fix default selinux context for fcrontab's temporary files.
Comment 2 vespian 2013-02-02 01:17:42 UTC
Created attachment 337644 [details]
emerge --info
Comment 3 vespian 2013-03-03 18:00:15 UTC
I think that I wrongly set the Component field - it should be SELinux. Sorry about that.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2013-03-04 06:37:08 UTC
@selinux please advise on these bugs, or simply fix them if something's there to fix.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-07 19:31:45 UTC
Fixed in repository and can be checked using the live ebuilds. Will be fixed in the r12 policies as well.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-09 12:42:22 UTC
rev 12 in main tree, ~arch'ed