Bug 1686833 - restorecon relabels files /var/cache/yum
Summary: restorecon relabels files /var/cache/yum
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: rc
Target Release: 8.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Depends On: 1682526
Reported: 2019-03-08 12:57 UTC by mkenjale
Modified: 2019-03-29 06:48 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1654190
Last Closed:
Type: Bug
Target Upstream Version:


Description mkenjale 2019-03-08 12:57:54 UTC
This bug was initially created as a clone of Bug #1654190 as this issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen either as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available.

Bug #1654190 was closed and, as recommended, I am opening this request for Red Hat Enterprise Linux 8.

Description of problem:
While running restorecon, my customer notices that all(?) files in /var/cache/yum get relabeled:

[ ... ]
restorecon reset /var/cache/yum context unconfined_u:object_r:rpm_var_lib_t:s0->unconfined_u:object_r:rpm_var_cache_t:s0
restorecon reset /var/cache/yum/x86_64 context unconfined_u:object_r:rpm_var_lib_t:s0->unconfined_u:object_r:rpm_var_cache_t:s0
restorecon reset /var/cache/yum/x86_64/7Server context unconfined_u:object_r:rpm_var_lib_t:s0->unconfined_u:object_r:rpm_var_cache_t:s0
[ ... ]

Version-Release number of selected component (if applicable): RHEL 7.6

How reproducible: Always

Steps to Reproduce:
1. Run yum
2. Run restorecon -Rv /var/cache/yum

Actual results:
Files have the wrong label.

Expected results:
Files have the correct SELinux label.
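The report quotes `restorecon -Rv` output by hand. The following script is an added example (not part of the bug report) that summarizes such output by SELinux type change, so that a dry run (`restorecon -nRv DIR`) over a whole tree shows which old-type to new-type pairs dominate: hundreds of files all moving from one wrong type to one expected type point at a policy or transition problem like the one described here, whereas scattered one-off changes look like ordinary drift. It handles both output forms that appear on this page (the older `restorecon reset PATH context OLD->NEW` and the newer `Relabeled PATH from OLD to NEW`). The sample input is constructed from the lines quoted on the page.

```python
"""Summarize restorecon -v output by SELinux type change (added example)."""
import re
import sys
from collections import Counter

# Older policycoreutils (RHEL 7 style): "restorecon reset PATH context OLD->NEW"
RESET_RE = re.compile(
    r"^restorecon reset (?P<path>.+?) context (?P<old>\S+)->(?P<new>\S+)$")
# Newer policycoreutils (RHEL 8 style): "Relabeled PATH from OLD to NEW"
RELABELED_RE = re.compile(
    r"^Relabeled (?P<path>.+?) from (?P<old>\S+) to (?P<new>\S+)$")


def parse_line(line):
    """Return (path, old_context, new_context) for a relabel line, else None."""
    line = line.rstrip("\n")
    for rx in (RESET_RE, RELABELED_RE):
        m = rx.match(line)
        if m:
            return m.group("path"), m.group("old"), m.group("new")
    return None


def type_of(context):
    """Return the type field of a user:role:type[:level] context string."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def summarize(lines):
    """Count relabels per (old_type, new_type) pair; non-relabel lines are ignored."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # "[ ... ]" elisions, warnings, other noise
        _, old, new = parsed
        counts[(type_of(old), type_of(new))] += 1
    return dict(counts)


def paths_for(lines, old_type, new_type):
    """List the paths that moved from old_type to new_type, for drilling in."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, old, new = parsed
        if type_of(old) == old_type and type_of(new) == new_type:
            hits.append(path)
    return hits


# Constructed sample: the two output forms quoted on this page plus an elision marker.
SAMPLE_OUTPUT = """\
[ ... ]
restorecon reset /var/cache/yum context unconfined_u:object_r:rpm_var_lib_t:s0->unconfined_u:object_r:rpm_var_cache_t:s0
restorecon reset /var/cache/yum/x86_64 context unconfined_u:object_r:rpm_var_lib_t:s0->unconfined_u:object_r:rpm_var_cache_t:s0
restorecon reset /var/cache/yum/x86_64/7Server context unconfined_u:object_r:rpm_var_lib_t:s0->unconfined_u:object_r:rpm_var_cache_t:s0
Relabeled /var/cache/rpm from unconfined_u:object_r:rpm_var_lib_t:s0 to unconfined_u:object_r:var_t:s0
""".splitlines()

if __name__ == "__main__":
    # Usage: restorecon -nRv /var/cache | python3 relabel_summary.py
    # With no piped input the constructed sample above is summarized instead.
    source = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin
    for (old, new), n in sorted(summarize(source).items(), key=lambda kv: -kv[1]):
        print("%6d  %s -> %s" % (n, old, new))
```

On the sample this prints three files moving from rpm_var_lib_t to rpm_var_cache_t and one moving to var_t, which is the pattern the report describes: a consistent wrong type under /var/cache rather than random mislabels.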

Comment 1 Milos Malik 2019-03-08 14:02:31 UTC
# matchpathcon /var/
/var	system_u:object_r:var_t:s0
# matchpathcon /var/cache/
/var/cache	system_u:object_r:var_t:s0
# matchpathcon /var/cache/yum
/var/cache/yum	system_u:object_r:rpm_var_cache_t:s0

Because dnf/yum is usually executed by the root user and runs as unconfined_u:unconfined_r:unconfined_t:s0, the following filename transition rules are the cause of the mislabeled /var/cache/yum:

# sesearch -s unconfined_t -t var_t -c dir -T | grep rpm_var_lib_t
type_transition unconfined_t var_t:dir rpm_var_lib_t dnf;
type_transition unconfined_t var_t:dir rpm_var_lib_t rpm;
type_transition unconfined_t var_t:dir rpm_var_lib_t yum;

I believe that the SELinux policy contains a macro which incorrectly generates the above-mentioned rules.

Comment 2 Milos Malik 2019-03-08 14:17:46 UTC
Easy to reproduce:

# ls -dZ /var/cache
system_u:object_r:var_t:s0 /var/cache
# ls -dZ /var/cache/rpm
ls: cannot access '/var/cache/rpm': No such file or directory
# mkdir /var/cache/rpm
# ls -dZ /var/cache/rpm
unconfined_u:object_r:rpm_var_lib_t:s0 /var/cache/rpm
# restorecon -Rv /var/cache/rpm/
Relabeled /var/cache/rpm from unconfined_u:object_r:rpm_var_lib_t:s0 to unconfined_u:object_r:var_t:s0
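Comment 1 and Comment 2 together show two parts of the policy disagreeing: the filename transition rules from `sesearch -T` say that a directory named yum or rpm created under a var_t directory gets rpm_var_lib_t, while the file contexts consulted by `matchpathcon` (and later by restorecon) say /var/cache/yum should be rpm_var_cache_t and /var/cache/rpm should stay var_t. The script below is an added example, not part of the bug report, that parses both outputs and flags every name whose transition type differs from the file-context type, which is exactly the set of directories restorecon will later relabel. The sesearch and matchpathcon lines are constructed from the output quoted in Comment 1; the /var/cache/rpm matchpathcon entry is an assumed line consistent with the var_t label restorecon applies in Comment 2. /var/cache/dnf has no matchpathcon entry here, so that rule is reported as unknown rather than as a conflict.

```python
"""Cross-check filename transition rules against file-context labels (added example)."""
import re

# sesearch -T line with an object name:
#   type_transition SRC TGT:CLASS RESULT NAME;
# Plain type_transition rules without a name do not match and are skipped.
TRANSITION_RE = re.compile(
    r"^type_transition (?P<src>\S+) (?P<tgt>\S+):(?P<cls>\S+) (?P<res>\S+) (?P<name>\S+);$")


def parse_transitions(lines):
    """Parse named filename transition rules into a list of dicts."""
    rules = []
    for line in lines:
        m = TRANSITION_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def parse_matchpathcon(lines):
    """Parse `matchpathcon PATH` output (path, tab, context) into {path: type}."""
    expected = {}
    for line in lines:
        if "\t" not in line:
            continue
        path, context = line.rstrip("\n").split("\t", 1)
        expected[path.rstrip("/") or "/"] = context.split(":")[2]
    return expected


def find_conflicts(rules, expected, parent_dir, parent_type):
    """Return sorted (path, transition_type, file_context_type) for every name
    created in parent_dir (labelled parent_type) whose transition result
    differs from what the file contexts say the path should carry."""
    conflicts = []
    base = parent_dir.rstrip("/")
    for r in rules:
        if r["tgt"] != parent_type or r["cls"] != "dir":
            continue
        path = base + "/" + r["name"]
        want = expected.get(path)
        if want is None:
            continue  # no matchpathcon entry supplied for this path: unknown, not a conflict
        if want != r["res"]:
            conflicts.append((path, r["res"], want))
    return sorted(conflicts)


# Constructed from the sesearch output quoted in Comment 1.
SESEARCH_OUTPUT = """\
type_transition unconfined_t var_t:dir rpm_var_lib_t dnf;
type_transition unconfined_t var_t:dir rpm_var_lib_t rpm;
type_transition unconfined_t var_t:dir rpm_var_lib_t yum;
""".splitlines()

# Constructed from the matchpathcon output in Comment 1; the /var/cache/rpm line
# is assumed, matching the var_t label restorecon applies in Comment 2.
MATCHPATHCON_OUTPUT = """\
/var\tsystem_u:object_r:var_t:s0
/var/cache\tsystem_u:object_r:var_t:s0
/var/cache/yum\tsystem_u:object_r:rpm_var_cache_t:s0
/var/cache/rpm\tsystem_u:object_r:var_t:s0
""".splitlines()

if __name__ == "__main__":
    rules = parse_transitions(SESEARCH_OUTPUT)
    expected = parse_matchpathcon(MATCHPATHCON_OUTPUT)
    for path, got, want in find_conflicts(rules, expected, "/var/cache", "var_t"):
        print("%s: created as %s, file contexts expect %s" % (path, got, want))
```

On a live system the same two functions can be fed the real output of `sesearch -s unconfined_t -t var_t -c dir -T` and of `matchpathcon` for each candidate path; any conflict it prints is a directory that will be created with one label and "reset" to another by the next relabel, which is the symptom the customer saw.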
