Re: restorecon ignoring my policy

I didn't mean to imply that `restorecon` has changed, rather that it's working as expected.

I think the /usr/sbin -> /usr/bin addition to file_contexts.subs_dist is related to https://discussion.fedoraproject.org/t/f40-change-proposal-unify-usr-bin-and-usr-sbin-system-wide/99853

Reading the changelog of the selinux-policy RPM, you can read that:
- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
was implemented in 41.4-1. Depending on which version you upgraded from, that may be proof.

Adding "fake" labels for files installed under `/usr/sbin` using `/usr/bin` in the file contexts is just hiding the problem.


On Sun, Dec 29, 2024 at 5:44 PM Sam Varshavchik via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
David Sastre Medina via selinux writes:

> Contexts potentially affected:
>
>
> ```
> $ rg ^/usr/sbin /etc/selinux/targeted/contexts/files/file_contexts
> 4104:/usr/sbin/tlshd    --      system_u:object_r:ktlshd_exec_t:s0
> 4304:/usr/sbin/nbdkit   --      system_u:object_r:nbdkit_exec_t:s0
> 4305:/usr/sbin/smartd   --      system_u:object_r:fsdaemon_exec_t:s0
> 5663:/usr/sbin/rhel-push-plugin --      system_u:object_r:container_runtime_exec_t:s0
> 5749:/usr/sbin/pcm-sensor-server        --      system_u:object_r:pcmsensor_exec_t:s0
> ```
>
>
>
> And the culprit would be an aliasing rule:
>
>
>
> ```
> $ rg bin /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
> 29:/sbin                /usr/bin
> 33:/bin                 /usr/bin
> 34:/usr/sbin            /usr/bin # <-----------
> ```

> Assuming (I haven't checked, I could be wrong) `restorecon` uses labels 
> returned by `selabel_lookup`, it makes sense it thinks the context is 
> correct.

Something other than restorecon got changed. I did not start getting AVCs 
until I installed a week's worth of updates.

dnf history shows that I installed version 0:41.27-1 of selinux policy 
packages. I had no issues prior to installing this update.

It appears that many packages are already aware of this …feature. The abrt-dbus package, for example, installs /usr/sbin/abrt-dbus, but includes a label for:

[root@jack ~]# semanage fcontext --list | grep abrt_exec_t
/usr/bin/abrt-dbus                                 regular file       system_u:object_r:abrt_exec_t:s0

This is very confusing.
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
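The thread turns on how `restorecon` resolves a label: the lookup key is first rewritten through the prefix aliases in `file_contexts.subs_dist`, and only the rewritten path is matched against the `file_contexts` regexes. The following is an added illustration, not code from the thread or from libselinux; it is a simplified model of that two-step lookup (prefix substitution, then most-specific regex match) using a constructed excerpt of both files built from the lines quoted above. It also lists the `file_contexts` entries that can never match once their prefix is aliased away, which is the check the `rg ^/usr/sbin` command in the thread performed by hand.

```python
import re

# Constructed excerpt of file_contexts.subs_dist, modelled on the three lines
# quoted in the thread. Format: <alias prefix> <real prefix>.
SUBS_DIST = """
/sbin                /usr/bin
/bin                 /usr/bin
/usr/sbin            /usr/bin
"""

# Constructed excerpt of file_contexts: the generic /usr/bin rule that exists
# in every targeted policy, the /usr/sbin/tlshd entry quoted in the thread,
# and the /usr/bin/abrt-dbus entry from the semanage output.
FILE_CONTEXTS = """
/usr/bin/.*             system_u:object_r:bin_t:s0
/usr/sbin/tlshd    --   system_u:object_r:ktlshd_exec_t:s0
/usr/bin/abrt-dbus --   system_u:object_r:abrt_exec_t:s0
"""


def parse_subs(text):
    """Return (alias, real) pairs, longest alias first so /usr/sbin wins over /usr."""
    subs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            alias, real = line.split()
            subs.append((alias, real))
    subs.sort(key=lambda pair: len(pair[0]), reverse=True)
    return subs


def substitute(path, subs):
    """Rewrite the leading path component through subs_dist, as the lookup key is."""
    for alias, real in subs:
        if path == alias or path.startswith(alias + "/"):
            return real + path[len(alias):]
    return path


def parse_specs(text):
    """Return (compiled regex, regex text, context) for each file_contexts line."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        regex, ctx = parts[0], parts[-1]          # optional file-type column in between
        specs.append((re.compile(regex + r"\Z"), regex, ctx))
    return specs


def literal_prefix_len(regex):
    """Length of the leading literal part of a regex (the 'stem' used for specificity)."""
    meta = re.search(r"[.^$*+?()\[\]{}|\\]", regex)
    return len(regex) if meta is None else meta.start()


def lookup(path, subs, specs):
    """Model of the label lookup: substitute, then pick the most specific matching spec."""
    key = substitute(path, subs)
    best = None
    for pattern, regex, ctx in specs:
        if pattern.match(key):
            cand = (literal_prefix_len(regex), ctx)
            if best is None or cand[0] >= best[0]:
                best = cand
    return key, (best[1] if best else None)


def shadowed_specs(subs, specs):
    """file_contexts entries whose literal prefix lives under an aliased directory;
    no lookup key can ever reach them, so the label they carry is dead."""
    dead = []
    for _, regex, _ in specs:
        stem = regex[:literal_prefix_len(regex)]
        if any(stem == alias or stem.startswith(alias + "/") for alias, _ in subs):
            dead.append(regex)
    return dead


SUBS = parse_subs(SUBS_DIST)
SPECS = parse_specs(FILE_CONTEXTS)


def resolve(path):
    """Convenience wrapper over the constructed tables: (rewritten key, context)."""
    return lookup(path, SUBS, SPECS)


if __name__ == "__main__":
    for p in ("/usr/sbin/tlshd", "/usr/sbin/abrt-dbus", "/usr/bin/abrt-dbus"):
        print(p, "->", resolve(p))
    print("unreachable specs:", shadowed_specs(SUBS, SPECS))
```

Running it shows the two outcomes discussed in the thread: `/usr/sbin/tlshd` is looked up as `/usr/bin/tlshd`, falls through to the generic `/usr/bin/.*` rule and gets `bin_t`, so `restorecon` reports nothing to fix even though the policy "contains" a `ktlshd_exec_t` line; `/usr/sbin/abrt-dbus` is rewritten to `/usr/bin/abrt-dbus`, where the package's label lives, so it labels correctly. `shadowed_specs` flags `/usr/sbin/tlshd` as a dead entry, which is the kind of entry the policy changelog's "change all /usr/sbin paths to /usr/bin" item was meant to eliminate.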