David Sastre Medina via selinux writes:
Contexts potentially affected:
```
$ rg ^/usr/sbin /etc/selinux/targeted/contexts/files/file_contexts
4104:/usr/sbin/tlshd -- system_u:object_r:ktlshd_exec_t:s0
4304:/usr/sbin/nbdkit -- system_u:object_r:nbdkit_exec_t:s0
4305:/usr/sbin/smartd -- system_u:object_r:fsdaemon_exec_t:s0
5663:/usr/sbin/rhel-push-plugin -- system_u:object_r:container_runtime_exec_t:s0
5749:/usr/sbin/pcm-sensor-server -- system_u:object_r:pcmsensor_exec_t:s0
```
And the culprit would be an aliasing rule:
```
$ rg bin /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
29:/sbin /usr/bin
33:/bin /usr/bin
34:/usr/sbin /usr/bin # <-----------
```
Assuming (I haven't checked, I could be wrong) `restorecon` uses labels returned by `selabel_lookup`, it makes sense it thinks the context is correct.
Something other than restorecon got changed. I did not start getting AVCs until I installed a week's worth of updates.
dnf history shows that I installed version 0:41.27-1 of selinux policy packages. I had no issues prior to installing this update.
It appears that many packages are already aware of this …feature. The abrt-dbus package, for example, installs /usr/sbin/abrt-dbus, but includes a label for:
```
[root@jack ~]# semanage fcontext --list | grep abrt_exec_t
/usr/bin/abrt-dbus regular file system_u:object_r:abrt_exec_t:s0
```
This is very confusing.
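An added illustration, not part of either message and not libselinux code: a simplified Python model of the lookup discussed in this thread, assuming the path is rewritten by the first matching `file_contexts.subs_dist` alias before it is matched against `file_contexts`. The sample data is constructed from the entries quoted above, and all function names are hypothetical.

```python
import re

# Constructed sample input, built from the values quoted in this thread.
SUBS_DIST = "/sbin /usr/bin\n/bin /usr/bin\n/usr/sbin /usr/bin\n"
FILE_CONTEXTS = """\
/usr/sbin/tlshd -- system_u:object_r:ktlshd_exec_t:s0
/usr/sbin/smartd -- system_u:object_r:fsdaemon_exec_t:s0
/usr/bin/abrt-dbus -- system_u:object_r:abrt_exec_t:s0
"""

def _rows(text):
    """Split a policy file into whitespace-separated rows, skipping comments."""
    return [l.split() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def parse_subs(text):
    """Return (alias, target) pairs from a subs_dist-style file."""
    return [(r[0], r[1]) for r in _rows(text) if len(r) == 2]

def parse_contexts(text):
    """Return (regex, context) pairs; the optional file-type field is dropped."""
    return [(r[0], r[-1]) for r in _rows(text) if len(r) in (2, 3)]

def apply_subs(path, subs):
    """Rewrite path with the first alias that matches on a component boundary."""
    for alias, target in subs:
        if path == alias or path.startswith(alias + "/"):
            return target + path[len(alias):]
    return path

def lookup(path, subs, entries):
    """Match the rewritten path against every entry; the last match wins."""
    rewritten = apply_subs(path, subs)
    hit = None
    for regex, context in entries:
        if re.fullmatch(regex, rewritten):
            hit = context
    return rewritten, hit

def shadowed(subs, entries):
    """Entries whose pattern begins with an aliased prefix: a path under that
    prefix is rewritten before matching, so it never reaches them."""
    return [e for e in entries
            if any(e[0] == a or e[0].startswith(a + "/") for a, _ in subs)]

if __name__ == "__main__":
    subs, entries = parse_subs(SUBS_DIST), parse_contexts(FILE_CONTEXTS)
    for regex, context in shadowed(subs, entries):
        print("shadowed by alias:", regex, context)
    print(lookup("/usr/sbin/smartd", subs, entries))
    print(lookup("/usr/sbin/abrt-dbus", subs, entries))
```

In this model the `/usr/sbin/...` entries are reported as shadowed, while `/usr/sbin/abrt-dbus` resolves through its `/usr/bin/abrt-dbus` entry, which matches the `semanage fcontext --list` output shown in the reply.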