Re: restorecon ignoring my policy

David Sastre Medina via selinux writes:

I think the /usr/sbin -> /usr/bin addition to file_contexts.subs_dist is related to https://discussion.fedoraproject.org/t/f40-change-proposal-unify-usr-bin-and-usr-sbin-system-wide/99853

I remembered that while I was trying to figure out this Scooby Doo mystery yesterday. I checked and /usr/sbin is not a symlink yet, as was proposed there, so I figured that the proposal wasn't fully baked.

Still, this nagged in my mind. I decided to see what "semanage fcontext" knows about /usr/sbin/* and it didn't seem to know much. I looked there. I saw plenty of stuff with labels. Digging through what "semanage fcontext" was telling me, I found those labels had entries with the /usr/bin prefix, which were, of course, referring to nonexistent files. I tried setting the label for my /usr/sbin binary via /usr/bin and it worked. I felt dirty.

I did see, early in my adventures, that fcontext terminated its braindump with "/usr/sbin = /usr/bin". I could not find anything in the semanage-fcontext man page that explained the output, but it sort of gave me a vague, general idea of something like that, which prompted me to look closer at the rules, and eventually figure it out.

Reading the changelog of the selinux-policy RPM, you can read that:
- Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin

was implemented in 41.4-1. Depending on which version you upgraded from, that may be proof.

According to dnf history I updated from 41.26. I can only say that I started to get AVCs after this update and I am pretty confident of that. The consequence of the AVC was an hourly spam in my mailbox, which was pretty loud, and it definitely started then, and not whenever I updated from 41.4.

The alias might've been introduced in that version, but up until the latest update it seems that the alias's handling was much more robust, and it's now …less robust. In addition to selinux-policy, I updated glibc and the kernel.

I almost forgot to mention: my /var/run labels were also broken in my policy module. For an almost identical reason (except that /var/run is a real symlink to /run, so this alias at least makes a little bit more sense).
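To make the behaviour described in this thread concrete, here is an added illustration (not code from the thread or from libselinux) of how a file_contexts.subs_dist entry rewrites the lookup key before any fcontext regex is consulted, and a check for local rules that can therefore never match. The subs_dist content, the /usr/sbin/mytool rule and the contexts are constructed samples; rule ordering and specificity are simplified.

```python
"""Illustration of file_contexts.subs_dist path substitution (added example, not libselinux code)."""
import re

# Constructed sample of /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
SUBS_DIST = """\
# src       dst
/var/run    /run
/usr/sbin   /usr/bin
"""

# Constructed fcontext rules (regex, context), most specific first; real matching is more involved
RULES = [
    (r"/usr/sbin/mytool", "system_u:object_r:mytool_exec_t:s0"),  # written for the real path
    (r"/usr/bin/mytool",  "system_u:object_r:mytool_exec_t:s0"),  # written for the aliased path
    (r"/usr/bin/.*",      "system_u:object_r:bin_t:s0"),
]

def parse_subs(text):
    """Return (src, dst) pairs; later lines take precedence, as libselinux prepends each entry."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst = line.split()[:2]
        pairs.append((src, dst))
    return list(reversed(pairs))

def substitute(path, subs):
    """Replace a matching source prefix, but only at a path-component boundary."""
    for src, dst in subs:
        if path.startswith(src) and (len(path) == len(src) or path[len(src)] == "/"):
            return dst + path[len(src):]
    return path

def lookup(path, rules, subs):
    """Rewrite the path first, then return (lookup key, context of the first matching rule)."""
    key = substitute(path, subs)
    for pattern, context in rules:
        if re.fullmatch(pattern, key):
            return key, context
    return key, None

def dead_rules(rules, subs):
    """Rules whose literal stem lies under a substituted prefix can never match any lookup key."""
    dead = []
    for pattern, _ in rules:
        stem = re.split(r"[\\.^$*+?()\[\]{}|]", pattern, maxsplit=1)[0]  # text before first metachar
        if substitute(stem, subs) != stem:
            dead.append(pattern)
    return dead

if __name__ == "__main__":
    subs = parse_subs(SUBS_DIST)
    print(lookup("/usr/sbin/mytool", RULES, subs))   # key becomes /usr/bin/mytool
    print(dead_rules(RULES, subs))                   # the /usr/sbin rule is unreachable
```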


-- 
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
