* Regression in selabel_lookup after "rework selabel_file database"
@ 2025-04-16 20:01 Petr Lautrbach
2025-04-17 19:36 ` Christian Göttsche
0 siblings, 1 reply; 3+ messages in thread
From: Petr Lautrbach @ 2025-04-16 20:01 UTC (permalink / raw)
To: selinux, Christian Göttsche
Hi,
we have a report [1] that in specific cases local fcontext modifications
are not considered or correctly resolved in `selabel_lookup`:
[root@default-0 selinux]# matchpathcon /usr/bin/cloud-init
/usr/bin/cloud-init system_u:object_r:cloud_init_exec_t:s0
[root@default-0 selinux]# semanage fcontext -a -t bin_t /usr/bin/cloud-init
[root@default-0 selinux]# semanage fcontext -l -C
SELinux fcontext type Context
/usr/bin/cloud-init all files system_u:object_r:bin_t:s0
[root@default-0 selinux]# matchpathcon /usr/bin/cloud-init
/usr/bin/cloud-init system_u:object_r:cloud_init_exec_t:s0
The bad commit seems to be 92306daf5219e73f6 ("libselinux: rework selabel_file(5) database")
Please take a look.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=2360183
Thanks,
Petr
* Re: Regression in selabel_lookup after "rework selabel_file database"
2025-04-16 20:01 Regression in selabel_lookup after "rework selabel_file database" Petr Lautrbach
@ 2025-04-17 19:36 ` Christian Göttsche
2025-04-18 19:05 ` James Carter
0 siblings, 1 reply; 3+ messages in thread
From: Christian Göttsche @ 2025-04-17 19:36 UTC (permalink / raw)
To: Petr Lautrbach; +Cc: selinux
On Wed, 16 Apr 2025 at 22:01, Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> Hi,
>
> we have a report [1] that in specific cases local fcontext modifications
> are not considered or correctly resolved in `selabel_lookup`:
>
> [root@default-0 selinux]# matchpathcon /usr/bin/cloud-init
> /usr/bin/cloud-init system_u:object_r:cloud_init_exec_t:s0
> [root@default-0 selinux]# semanage fcontext -a -t bin_t /usr/bin/cloud-init
> [root@default-0 selinux]# semanage fcontext -l -C
> SELinux fcontext type Context
>
> /usr/bin/cloud-init all files system_u:object_r:bin_t:s0
> [root@default-0 selinux]# matchpathcon /usr/bin/cloud-init
> /usr/bin/cloud-init system_u:object_r:cloud_init_exec_t:s0
>
>
> The bad commit seems to be 92306daf5219e73f6 ("libselinux: rework selabel_file(5) database")
Should be resolved by
https://lore.kernel.org/selinux/20250417190812.41263-1-cgoettsche@seltendoof.de/T/#u
Note that depending on the original file context definition in order to
take priority one might need to specify the file type (i.e. add the
semanage arguments `-f f`).
> Please take a look.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=2360183
>
> Thanks,
>
> Petr
>
* Re: Regression in selabel_lookup after "rework selabel_file database"
2025-04-17 19:36 ` Christian Göttsche
@ 2025-04-18 19:05 ` James Carter
0 siblings, 0 replies; 3+ messages in thread
From: James Carter @ 2025-04-18 19:05 UTC (permalink / raw)
To: Christian Göttsche; +Cc: Petr Lautrbach, selinux
On Thu, Apr 17, 2025 at 3:36 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> On Wed, 16 Apr 2025 at 22:01, Petr Lautrbach <lautrbach@redhat.com> wrote:
> >
> > Hi,
> >
> > we have a report [1] that in specific cases local fcontext modifications
> > are not considered or correctly resolved in `selabel_lookup`:
> >
> > [root@default-0 selinux]# matchpathcon /usr/bin/cloud-init
> > /usr/bin/cloud-init system_u:object_r:cloud_init_exec_t:s0
> > [root@default-0 selinux]# semanage fcontext -a -t bin_t /usr/bin/cloud-init
> > [root@default-0 selinux]# semanage fcontext -l -C
> > SELinux fcontext type Context
> >
> > /usr/bin/cloud-init all files system_u:object_r:bin_t:s0
> > [root@default-0 selinux]# matchpathcon /usr/bin/cloud-init
> > /usr/bin/cloud-init system_u:object_r:cloud_init_exec_t:s0
> >
> >
> > The bad commit seems to be 92306daf5219e73f6 ("libselinux: rework selabel_file(5) database")
>
> Should be resolved by
> https://lore.kernel.org/selinux/20250417190812.41263-1-cgoettsche@seltendoof.de/T/#u
>
> Note that depending on the original file context definition in order to
> take priority one might need to specify the file type (i.e. add the
> semanage arguments `-f f`).
>
No, it should work like it did before.
After testing, it seems like the bug only occurs when neither the path
in the policy nor the path in the fcontext has a regex in it. If
either, or both do, then it works as expected.
Jim
> > Please take a look.
> >
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=2360183
> >
> > Thanks,
> >
> > Petr
> >
>
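
Added example, not part of the thread or of libselinux: a shell check that compares each literal-path local override listed by `semanage fcontext -l -C` with the context `matchpathcon` resolves, which is the mismatch shown in the report. The function names, the metacharacter list and the sample data are assumptions constructed for illustration; paths containing whitespace are not handled.

```shell
#!/bin/sh
# Constructed sample input mirroring the session in the report.
SAMPLE_LOCAL='SELinux fcontext type Context

/usr/bin/cloud-init all files system_u:object_r:bin_t:s0
/srv/app(/.*)? all files system_u:object_r:httpd_sys_content_t:s0'
SAMPLE_LOOKUP=$(printf '%s\t%s' /usr/bin/cloud-init \
    system_u:object_r:cloud_init_exec_t:s0)

# list_literal_overrides LISTING
# Prints "path context" for every local entry whose path contains no regex
# metacharacter (assumed set below); only those can be looked up verbatim.
list_literal_overrides() {
    printf '%s\n' "$1" | awk '
        BEGIN { META = ".^$?*+|[](){}\\" }
        function has_meta(p,   i) {
            for (i = 1; i <= length(META); i++)
                if (index(p, substr(META, i, 1))) return 1
            return 0
        }
        /^SELinux/ || NF < 3 || $2 == "=" { next }  # headers, blanks, equivalences
        has_meta($1) { next }                       # regex spec, skip
        { print $1, $NF }'
}

# audit_overrides LISTING LOOKUP
# LOOKUP holds "path context" lines as printed by matchpathcon.
# Prints one line per override the lookup did not honour; returns 1 if any.
audit_overrides() {
    rc=0
    while read -r path want; do
        [ -n "$path" ] || continue
        got=$(printf '%s\n' "$2" | awk -v p="$path" '$1 == p { print $NF; exit }')
        [ "$got" = "$want" ] && continue
        printf 'MISMATCH %s local=%s lookup=%s\n' "$path" "$want" "${got:-none}"
        rc=1
    done <<EOF
$(list_literal_overrides "$1")
EOF
    return $rc
}

# On a live system (not run here):
#   listing=$(semanage fcontext -l -C)
#   paths=$(list_literal_overrides "$listing" | cut -d' ' -f1)
#   audit_overrides "$listing" "$(matchpathcon $paths)"
audit_overrides "$SAMPLE_LOCAL" "$SAMPLE_LOOKUP" || true
```
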