On 08/16/2016 03:32 AM, Vit Mojzis wrote:
> When given an invalid regexp, semanage reports an error, but adds the invalid
> context to "/etc/selinux/targeted/contexts/files/file_contexts.local",
> which breaks the system (won't boot in enforcing mode). The new context
> doesn't show up on "#semanage fcontext -l -C" and cannot be removed by
> "semanage fcontext --delete".
>
> Investigation on the Fedora version of libsemanage showed that
> "file_contexts.local" is not backed up before the new version is
> installed into the system and therefore cannot be restored after failure.
> For more details see: https://bugzilla.redhat.com/show_bug.cgi?id=1362041
>
> # semanage fcontext -a -t httpd_exec_t "(/.*)?"
> specfiles SHA1 digest: 980289cabd78157523679695fd2e4fd0a5b5ff05
> calculated using the following specfile(s):
> /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
> /etc/selinux/targeted/contexts/files/file_contexts.subs
> /etc/selinux/targeted/contexts/files/file_contexts
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> /etc/selinux/targeted/contexts/files/file_contexts.local
> libsemanage.semanage_exec_prog: Child process
> /sbin/sefcontext_compile did not exit cleanly. (No such file or directory).
> libsemanage.sefcontext_compile: sefcontext_compile returned
> error code -1. Compiling
> /etc/selinux/targeted/contexts/files/file_contexts.local (No such file
> or directory).
> specfiles SHA1 digest: 5097e1780892f53aedb6d30d5d61206a159a20e7
> calculated using the following specfile(s):
> /etc/selinux/targeted/contexts/files/file_contexts.subs_dist
> /etc/selinux/targeted/contexts/files/file_contexts.subs
> /etc/selinux/targeted/contexts/files/file_contexts.bin
> /etc/selinux/targeted/contexts/files/file_contexts.homedirs
> /etc/selinux/targeted/contexts/files/file_contexts.local
> libsemanage.semanage_exec_prog: Child process
> /sbin/sefcontext_compile did not exit cleanly. (No such file or directory).
> libsemanage.sefcontext_compile: sefcontext_compile returned
> error code -1. Compiling
> /etc/selinux/targeted/contexts/files/file_contexts.local (No such file
> or directory).
> FileNotFoundError: [Errno 2] No such file or directory
>
> # semanage fcontext -l -C
> -
>
> # cat /etc/selinux/targeted/contexts/files/file_contexts.local
> # This file is auto-generated by libsemanage
> # Do not edit directly.
>
> (/.*)? system_u:object_r:httpd_exec_t:s0
>
> # semanage fcontext -d -t httpd_exec_t "(/.*)?"
> ValueError: File context for (/.*)? is not defined

It seems like there are several different bugs here:

1) pcre_study() returning NULL is not necessarily an error. We did fix the
handling in libselinux compile_regex() in commit
14342674191ca11c4455ff7ac9b76b05173eb575, but it appears that
sefcontext_compile and libselinux load_mmap() don't handle a NULL study
result correctly.

2) The file_contexts.local file should be validated earlier, before copying
any files to /etc/selinux.

3) If errors are possible after copying files to /etc/selinux, then we need
to unlink any of the local files as part of rolling back the transaction.

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
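An added illustration of points 2 and 3 of the reply, written for this thread and not libsemanage's own code: validate the regexes before anything is written, keep a backup of file_contexts.local, and on a failed compile step restore the backup or unlink a freshly created file. `compile_fn` stands in for sefcontext_compile, Python's `re` stands in for the PCRE check, and the temp-dir run in `demo()` is a constructed scenario using the entry from the bug report.

```python
import os, re, shutil, tempfile

HEADER = "# This file is auto-generated by libsemanage\n# Do not edit directly.\n\n"

def validate_entries(entries):
    """Point 2: reject a bad regex before anything is written under /etc/selinux."""
    for rx, _ in entries:  # assumption: Python's re stands in for the PCRE compile
        try:
            re.compile(rx)
        except re.error as e:
            raise ValueError(f"File context regex {rx!r} is invalid: {e}")

def commit_local(path, entries, compile_fn):
    """Point 3: back up, install, run compile_fn (stand-in for sefcontext_compile,
    raises on error); on failure restore the backup or unlink a freshly created file."""
    validate_entries(entries)
    backup, tmp = path + ".bak", path + ".tmp"
    had_previous = os.path.exists(path)
    if had_previous:
        shutil.copy2(path, backup)
    with open(tmp, "w") as f:  # write aside, then rename into place
        f.write(HEADER + "".join(f"{rx} {ctx}\n" for rx, ctx in entries))
    os.replace(tmp, path)
    try:
        compile_fn(path)
    except Exception:
        os.replace(backup, path) if had_previous else os.unlink(path)
        raise
    if had_previous:
        os.unlink(backup)

def demo():
    """Constructed run in a temp dir with the entry from the bug report."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "file_contexts.local")
    entries = [("(/.*)?", "system_u:object_r:httpd_exec_t:s0")]
    def failing(_):
        raise RuntimeError("sefcontext_compile returned error code -1")
    try:
        commit_local(path, entries, failing)
        rolled_back = False
    except RuntimeError:
        rolled_back = not os.path.exists(path)  # no stale file left behind
    commit_local(path, entries, lambda _: None)  # compile succeeds this time
    with open(path) as f:
        installed = "(/.*)? system_u:object_r:httpd_exec_t:s0" in f.read()
    shutil.rmtree(d)
    return {"rolled_back": rolled_back, "installed": installed}
```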