On Thu, Jan 9, 2025 at 7:28 PM David Sastre Medina <d.sastre.medina@xxxxxxxxx> wrote:
Hello Zdenek,

There are a few executables that are not being properly labelled, and restorecon does not correct it.
I don't have any custom policy installed in this system.

This is one example:

$ sudo semanage fcontext -l | rg /usr/sbin/smartd
/usr/sbin/smartd regular file system_u:object_r:fsdaemon_exec_t:s0
$ ls -lZ /usr/sbin/smartd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 671608 Jul 20 02:00 /usr/sbin/smartd
$ sudo restorecon -v /usr/sbin/smartd
$ ls -lZ /usr/sbin/smartd
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 671608 Jul 20 02:00 /usr/sbin/smartd

The other executables potentially affected by the same problem (I cannot check, I don't have any of them installed) are:

$ sudo semanage fcontext -l | rg /usr/sbin/
/usr/sbin/nbdkit regular file system_u:object_r:nbdkit_exec_t:s0
/usr/sbin/pcm-sensor-server regular file system_u:object_r:pcmsensor_exec_t:s0
/usr/sbin/rhel-push-plugin regular file system_u:object_r:container_runtime_exec_t:s0
/usr/sbin/smartd regular file system_u:object_r:fsdaemon_exec_t:s0
/usr/sbin/tlshd regular file system_u:object_r:ktlshd_exec_t:s0

Let me know if you need a bug opened for this, and where (GitHub, BZ, ...).
David,
thanks for the report, no need for an action now. Some of them were fixed just a while ago, the others need some attention to find out what makes them different from other entries which work fine. nbdkit and smartmontools ship their own policy and it needs to be changed there.
It should also be fixed on selinux-policy update or when the script is run manually; that's certainly meant as a temporary measure only.
Regards.

On Thu, Jan 9, 2025 at 6:57 PM Zdenek Pytela via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

On Fri, Jan 3, 2025 at 6:01 PM Sam Varshavchik via selinux <selinux@xxxxxxxxxxxxxxxxxxxxxxx> wrote:

Zdenek Pytela writes:
> Anyway, the long term solution is to change the entries to use /usr/bin.
So, right now:
1. A package installs stuff in /usr/sbin
2. It installs an selinux policy file referencing filenames in /usr/bin
Am I the only one who has …questions, here?

Firstly, there is an equivalency supporting the change:
f42# semanage fcontext -l | grep /usr/sbin.=
/usr/sbin = /usr/bin
f42# ls -Z /usr/sbin/sshd
system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
f42# matchpathcon /usr/sbin/sshd
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0

Equivalency is a feature to substitute one path in the policy with another.

Secondly, there is a script to take care of all entries referring to /usr/sbin, e.g. from a local policy module. Feel free to file a bug report if an improvement is needed.
--
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Zdenek Pytela
Security SELinux team
--
Zdenek Pytela
Security SELinux team
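The mechanism behind both the smartd report and the sshd counter-example can be modelled in a few lines. The following is an added illustration, not code from libselinux, selinux-policy, smartmontools or anyone in this thread: an equivalence rule such as "/usr/sbin = /usr/bin" is applied to the path being looked up, never to the file-context entries themselves, so an entry that a module still ships as /usr/sbin/smartd stops matching once the rule is in place, and the generic /usr/bin/.* entry (bin_t) wins. The entries and the equivalence line are constructed from the examples quoted above; the specificity ranking (literal entries beat regexes, longer literal prefixes beat shorter ones, later entries win ties) is a simplified version of libselinux's, and stale_specs/rewrite_specs are hypothetical helpers that do roughly what the script Zdenek mentions has to do for every entry referring to /usr/sbin.

```python
import re

# Constructed file_contexts entries modelled on the thread (not a real policy
# dump). Tuple: (regex, file type, context); "--" is a regular file, None is any.
SPECS = [
    ("/usr/bin/.*",      None, "system_u:object_r:bin_t:s0"),
    ("/usr/bin/sshd",    "--", "system_u:object_r:sshd_exec_t:s0"),
    ("/usr/sbin/smartd", "--", "system_u:object_r:fsdaemon_exec_t:s0"),  # module-shipped, old path
    ("/usr/sbin/tlshd",  "--", "system_u:object_r:ktlshd_exec_t:s0"),    # module-shipped, old path
]

# Constructed equivalence rule, i.e. the "/usr/sbin = /usr/bin" line from the thread.
SUBS = [("/usr/sbin", "/usr/bin")]

# Characters that make an entry a regex rather than a literal path.
META = set("^.[]$()|*+?{}\\")


def literal_prefix(regex):
    """Leading part of an entry up to the first regex metacharacter."""
    out = []
    for ch in regex:
        if ch in META:
            break
        out.append(ch)
    return "".join(out)


def substitute(path, subs):
    """Apply equivalence rules to the looked-up path only (as libselinux does):
    a path under the left-hand side is rewritten to the right-hand side."""
    for src, dst in subs:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path, specs=SPECS, subs=SUBS, ftype="--"):
    """Return the context a file-context lookup would pick for `path`, or None.
    Ranking: literal entries first, then longest literal prefix, then the
    later entry (simplified model of libselinux's ordering)."""
    key = substitute(path, subs)
    best = None
    for idx, (regex, spec_ftype, ctx) in enumerate(specs):
        if spec_ftype not in (None, ftype):
            continue
        if not re.fullmatch(regex, key):
            continue
        rank = (META.isdisjoint(regex), len(literal_prefix(regex)), idx)
        if best is None or rank > best[0]:
            best = (rank, ctx)
    return best[1] if best else None


def stale_specs(specs=SPECS, subs=SUBS):
    """Hypothetical helper: entries whose literal prefix lives under the
    left-hand side of an equivalence rule. Such entries can never match a
    lookup, because every lookup is rewritten to the right-hand side first."""
    stale = []
    for regex, _ftype, _ctx in specs:
        prefix = literal_prefix(regex)
        for src, _dst in subs:
            if prefix == src or prefix.startswith(src + "/"):
                stale.append(regex)
    return stale


def rewrite_specs(specs=SPECS, subs=SUBS):
    """Hypothetical helper: the fix the thread points at, i.e. rewriting stale
    entries to the equivalent path so they match again."""
    stale = set(stale_specs(specs, subs))
    fixed = []
    for regex, ftype, ctx in specs:
        if regex in stale:
            for src, dst in subs:
                if regex == src or regex.startswith(src + "/"):
                    regex = dst + regex[len(src):]
                    break
        fixed.append((regex, ftype, ctx))
    return fixed


if __name__ == "__main__":
    for p in ("/usr/sbin/smartd", "/usr/sbin/sshd"):
        print(p, "->", lookup(p))
    print("stale:", stale_specs())
    print("/usr/sbin/smartd after rewrite ->", lookup("/usr/sbin/smartd", rewrite_specs()))
```

Without the equivalence rule the old /usr/sbin/smartd entry matches as expected, which is why the same module worked on releases that had not yet merged /usr/sbin into /usr/bin; on a real system the equivalent check is comparing `matchpathcon /usr/sbin/smartd` with the entry `semanage fcontext -l` shows, as David did above.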