Re: restorecon ignoring my policy

Seems to be a problem with a substitution alias.
Contexts potentially affected:

```
$ rg ^/usr/sbin /etc/selinux/targeted/contexts/files/file_contexts
4104:/usr/sbin/tlshd    --      system_u:object_r:ktlshd_exec_t:s0
4304:/usr/sbin/nbdkit   --      system_u:object_r:nbdkit_exec_t:s0
4305:/usr/sbin/smartd   --      system_u:object_r:fsdaemon_exec_t:s0
5663:/usr/sbin/rhel-push-plugin --      system_u:object_r:container_runtime_exec_t:s0
5749:/usr/sbin/pcm-sensor-server        --      system_u:object_r:pcmsensor_exec_t:s0
```

And the culprit would be an aliasing rule:

```
$ rg bin /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
29:/sbin                /usr/bin
33:/bin                 /usr/bin
34:/usr/sbin            /usr/bin # <-----------
```

According to selabel_file(5):

Substitution File Format
       Each line within the substitution files (.subs and .subs_dist) has the form:
              subs_pathname pathname

       Where:
              pathname
                     A path that matches an entry in one or more of the file contexts policy configuration file.
              subs_pathname
                     The path that will be aliased (considered equivalent) with pathname by the look up process.

       Example:
              # ./contexts/files/file_contexts.subs
              # pathname  subs_pathname
              /myweb      /var/www
              /myspool    /var/spool/mail

              Using the above example, when selabel_lookup(3) is passed a path of /myweb/index.html the function will substitute the /myweb  component
              with /var/www, therefore the path used is:

                     /var/www/index.html

Assuming (I haven't checked, I could be wrong) `restorecon` uses labels returned by `selabel_lookup`, it makes sense it thinks the context is correct.


On Sat, Dec 28, 2024 at 2:28 PM Sam Varshavchik via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Something happened with the most recent selinux update in F41, breaking my 
> local policy.
>
> [root@jack ~]# semanage fcontext -l | grep httportmapd
> /usr/sbin/httportmapd                              regular file       system_u:object_r:libcxx_httportmapd_exec_t:s0
>
> This is coming from a local policy module I cobbled together and installed, 
> yet:
>
> [root@jack ~]# ls -alZ /usr/sbin/httportmapd
> -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 318104 Sep 21  2018 /usr/sbin/httportmapd
>
> And restorecon -F /usr/sbin/httportmapd does not fix the context, and stays 
> silent no matter how many -v options I feed to it.
>
> Any idea why my file context is not being used?

This looks like a bigger issue, and not just with my module.

There's another explicit file context set for /usr/sbin/smartd. semanage 
says:

/usr/sbin/smartd                                   regular file       system_u:object_r:fsdaemon_exec_t:s0

However:

[root@jack ~]# ls -alZ /usr/sbin/smartd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 671608 Jul 19 20:00 /usr/sbin/smartd

And restorecon thinks this is peachy.

I note that semanage fcontext lists, separately:

/usr/sbin = /usr/bin

Not sure if this is related, or not. I do see stuff in /usr/sbin with other 
labels, namely /usr/sbin/xl2tpd. I don't see how it's set, this does not 
appear in the output of semanage fcontext.
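Added example, not code from this thread or from libselinux: a small Python model of the substitution step that selabel_file(5) describes above, so the effect of the `/usr/sbin /usr/bin` line can be checked offline. The subs_dist lines and the `/usr/sbin/smartd` rule are the ones quoted in the thread; the `/usr/bin(/.*)?` bin_t rule, the "fixed" rule written against the aliased path, and the matching policy (longest alias prefix applied first, longest literal stem wins among matching regexes) are assumptions that approximate libselinux rather than its actual code.

```python
"""Model of the path substitution selabel_lookup(3) performs per selabel_file(5).

Added example, not from the mail thread or libselinux. Lookup paths are rewritten
through the .subs/.subs_dist aliases before they are matched against
file_contexts, so a rule written for /usr/sbin/... is never consulted once
/usr/sbin aliases to /usr/bin. Matching policy here is an assumption: longest
alias prefix is applied first, longest literal stem wins among matching regexes.
"""
import re

# Constructed: the three aliases quoted from file_contexts.subs_dist in the mail,
# in the "subs_pathname pathname" form the man page documents.
SUBS_DIST = """\
/sbin       /usr/bin
/bin        /usr/bin
/usr/sbin   /usr/bin
"""

# Constructed excerpt. The smartd line is from the mail; the /usr/bin(/.*)? line
# is an assumed generic bin_t rule standing in for the real one in the policy.
FILE_CONTEXTS = """\
/usr/bin(/.*)?          system_u:object_r:bin_t:s0
/usr/sbin/smartd   --   system_u:object_r:fsdaemon_exec_t:s0
"""

# Assumption: what a local rule has to look like once /usr/sbin is an alias.
FIXED_RULE = "/usr/bin/smartd   --   system_u:object_r:fsdaemon_exec_t:s0\n"

_META = set(".^$?*+|[](){}\\")


def parse_subs(text):
    """Return [(subs_pathname, pathname)] pairs; comments and blank lines skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst = line.split()[:2]
        pairs.append((src.rstrip("/"), dst.rstrip("/")))
    return pairs


def apply_subs(path, subs):
    """Rewrite the leading component(s) of path; the longest alias is tried first."""
    for src, dst in sorted(subs, key=lambda p: len(p[0]), reverse=True):
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def parse_file_contexts(text):
    """Return [(regex, file_type_or_None, context, literal_stem)]."""
    specs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        regex, context = parts[0], parts[-1]
        ftype = parts[1] if len(parts) == 3 else None
        stem = ""
        for ch in regex:  # literal prefix up to the first regex metacharacter
            if ch in _META:
                break
            stem += ch
        specs.append((regex, ftype, context, stem))
    return specs


def lookup(path, subs, specs, file_type="--"):
    """Return (context, matched_regex, substituted_path); context is None if no match."""
    key = apply_subs(path, subs)
    best = None
    for regex, ftype, context, stem in specs:
        if ftype not in (None, file_type):
            continue
        if re.fullmatch(regex, key) and (best is None or len(stem) > len(best[3])):
            best = (regex, ftype, context, stem)
    if best is None:
        return None, None, key
    return best[2], best[0], key


if __name__ == "__main__":
    subs = parse_subs(SUBS_DIST)
    specs = parse_file_contexts(FILE_CONTEXTS)
    print("without subs_dist:", lookup("/usr/sbin/smartd", [], specs))
    print("with subs_dist:   ", lookup("/usr/sbin/smartd", subs, specs))
    fixed = parse_file_contexts(FILE_CONTEXTS + FIXED_RULE)
    print("rule on /usr/bin: ", lookup("/usr/sbin/smartd", subs, fixed))
```

Run as-is: without the alias the explicit `/usr/sbin/smartd` rule matches; with the alias the key becomes `/usr/bin/smartd`, only the generic `/usr/bin(/.*)?` rule matches, and the result is `bin_t`, which is the label the thread sees on disk. Only a rule written against the aliased path (`/usr/bin/smartd`) is reached again, which is the check to make before blaming the policy module itself.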

--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue