On Sun, Dec 29, 2024 at 10:02 PM Sam Varshavchik via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> David Sastre Medina via selinux writes:
> > I think the /usr/sbin -> /usr/bin addition to file_contexts.subs_dist is
> > related to https://discussion.fedoraproject.org/t/f40-change-proposal-unify-usr-bin-and-usr-sbin-system-wide/99853
Correct, the active link for the change is
selinux-policy has complied with this since Fedora 41 (June to September).
As a part of the package, there is a script to convert local entries to an SELinux module. It can be debugged with
DEBUG=yes /usr/libexec/selinux/binsbin-convert.sh targeted
and the content of /run/selinux-policy subsequently checked. If the script does not work, please report a bug.
Anyway, the long-term solution is to change the entries to use /usr/bin.
> I remembered that while I was trying to figure out this Scooby Doo mystery
> yesterday. I checked and /usr/sbin is not a symlink yet, as was proposed
> there, so I figured that the proposal wasn't fully baked.
> Still, this nagged in my mind. I decided to see what "semanage fcontext"
> knows about /usr/sbin/*, and it didn't seem to know much. I looked there. I
> saw plenty of stuff with labels. Digging through what "semanage fcontext"
> was telling me, I found those labels had entries with the /usr/bin prefix,
> which were, of course, referring to nonexistent files. I tried setting the
> label for my /usr/sbin binary via /usr/bin and it worked. I felt dirty.
> I did see, early in my adventures, that fcontext terminated its braindump
> with "/usr/sbin = /usr/bin". I could not find anything in the semanage-fcontext
> man page that explained the output, but it sort of gave me a vague, general
> idea of something like that, which prompted me to look closer at the rules
> and eventually figure it out.
> > Reading the changelog of the selinux-policy RPM, you can read that:
> > - Alias /usr/sbin to /usr/bin and change all /usr/sbin paths to /usr/bin
> >
> > was implemented in 41.4-1. Depending on which version you upgraded from, that
> > may be proof.
> According to dnf history I updated from 41.26. I can only say that I started
> to get AVCs after this update and I am pretty confident of that. The
> consequence of the AVC was an hourly spam in my mailbox, which was pretty
> loud, and it definitely started then, and not whenever I updated from 41.4.
> The alias might've been introduced in that version, but up until the latest
> update it seems that the alias's handling was much more robust, and it's now
> …less robust. In addition to selinux-policy, I updated glibc and the kernel.
> I almost forgot to mention: my /var/run labels were also broken in my policy
> module. For an almost identical reason (except that /var/run is a real
> symlink to /run, so this alias at least makes a little bit more sense).
Similarly, the /var/run = /run equivalency was inverted and all entries were changed in F40 before its GA,
and there is also a conversion script in place.
Local policy should use /run.
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Zdenek Pytela
Security SELinux team
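As an added example (not code from this thread, nor from the selinux-policy package or its binsbin-convert.sh script), the following shell audit applies the two subs_dist aliases discussed above (/usr/sbin -> /usr/bin and /var/run -> /run) to local fcontext specs and reports which entries should be re-added under the canonical path. The subs lines and the semanage-style listing are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: find local fcontext entries that
# rely on prefixes file_contexts.subs_dist now aliases, and show the
# canonical path each should use instead.

# Constructed copy of the relevant subs_dist lines ("alias target").
SUBS_DIST='/usr/sbin /usr/bin
/var/run /run'

# canonicalize_path SPEC: rewrite SPEC onto the alias target when it is
# exactly an aliased prefix or lies below one (boundary at "/"); any
# other spec is returned unchanged. No subshell, so "return" works.
canonicalize_path() {
    spec=$1
    set -- $SUBS_DIST
    while [ $# -ge 2 ]; do
        from=$1; to=$2; shift 2
        case $spec in
            "$from")   printf '%s\n' "$to"; return 0 ;;
            "$from"/*) printf '%s\n' "$to${spec#"$from"}"; return 0 ;;
        esac
    done
    printf '%s\n' "$spec"
}

# audit_local_fcontexts: read "semanage fcontext -l -C" style lines on
# stdin and print "OLD -> NEW [context]" for each entry to convert.
audit_local_fcontexts() {
    while read -r spec rest; do
        case $spec in ''|SELinux) continue ;; esac   # blank/header lines
        new=$(canonicalize_path "$spec")
        if [ "$new" != "$spec" ]; then
            printf '%s -> %s [%s]\n' "$spec" "$new" "${rest##* }"
        fi
    done
}

# Constructed listing: one entry per alias plus a decoy that must stay.
SAMPLE_LOCAL='SELinux fcontext              type           Context

/usr/sbin/mydaemon            regular file   system_u:object_r:bin_t:s0
/usr/local/sbin/other         regular file   system_u:object_r:bin_t:s0
/var/run/mydaemon(/.*)?       all files      system_u:object_r:var_run_t:s0'

printf '%s\n' "$SAMPLE_LOCAL" | audit_local_fcontexts
```

On a real system the listing would come from `semanage fcontext -l -C`; each reported entry is a candidate to delete and re-add under the /usr/bin or /run path so it no longer depends on the alias handling.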