View Issue Details

ID: 0012898
Project: CentOS-7
Category: policycoreutils
View Status: public
Last Update: 2017-03-16 13:26
Reporter: seidler
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.3.1611
Target Version:
Fixed in Version:
Summary: 0012898: fcontext rules for sockets break semanage export
Description: Whenever a custom fcontext rule with file type "socket" is added, semanage fcontext -E stops working until the rule is removed. This is particularly unfortunate as it breaks Puppet which relies on the export functionality to determine whether a rule needs to be added or not.
Steps To Reproduce:
1. Run
semanage fcontext -E
-> output is correct, shows custom rules
2. Run
semanage fcontext -a -f s -t httpd_var_run_t '/var/apps/\.sockets(/.*)?'
3. Run
semanage fcontext -E
-> prints "KeyError: socket"
Additional Information: The root cause is in /usr/lib/python2.7/site-packages/seobject/__init__.py

Not sure if that fix is correct or if the lookup is wrong, but when I change the "s" value entry in file_type_str_to_option from "socket file" (which is technically wrong anyway) to "socket", it works as expected.

My first guess is that the lookup in that hash in line 2134 either needs to operate on a different hash, or that the input data is wrong, or that simply the hash is wrong and the above change is the correct fix.
Tags: selinux

Activities

seidler

2017-03-16 13:26

reporter   ~0028873

So it was a bug. It's fixed upstream now:
https://github.com/SELinuxProject/selinux/commit/317743bbe2a235a5c68f1066b4153e0726a3118f

Any chance of backporting that change?
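
For hosts still waiting on a fixed package, the following added example (not part of the report and not policycoreutils code) finds the local fcontext rules of file type socket, which are the ones the report ties to the failing export. It assumes the local customizations are readable as a file_contexts.local file with whitespace-separated "regex [type-flag] context" entries; the sample content is constructed, and the function names are hypothetical.

```python
import sys

# Constructed sample of a file_contexts.local file; the socket entry mirrors
# the rule added in step 2 of the report. On a real host, pass the path to the
# local customization file as the first argument (its location is an
# assumption, e.g. under /etc/selinux/targeted/contexts/files/).
SAMPLE_LOCAL = r"""
# This file is auto-generated by libsemanage
/srv/www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/var/apps/\.sockets(/.*)?    -s    system_u:object_r:httpd_var_run_t:s0
/data/pub    -d    system_u:object_r:public_content_t:s0
"""

# File-type flags that may appear as the middle field of a file_contexts entry.
TYPE_FLAGS = {"--": "regular file", "-d": "directory", "-c": "character device",
              "-b": "block device", "-s": "socket", "-l": "symbolic link",
              "-p": "named pipe"}


def parse_local_fcontexts(text):
    """Return (path_regex, file_type, context) for every entry in the text."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue                     # blank line or comment
        if len(fields) == 2:             # no type flag: applies to all files
            rules.append((fields[0], "all files", fields[1]))
        elif len(fields) == 3 and fields[1] in TYPE_FLAGS:
            rules.append((fields[0], TYPE_FLAGS[fields[1]], fields[2]))
        else:
            raise ValueError("line %d: unrecognised entry: %r" % (lineno, raw))
    return rules


def socket_rules(text):
    """Entries of file type socket, the kind this report ties to the KeyError."""
    return [rule for rule in parse_local_fcontexts(text) if rule[1] == "socket"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCAL
    for regex, _, context in socket_rules(text):
        print("socket rule: %s -> %s" % (regex, context))
```

An empty result means no local socket rule is present, so the export failure described here should not be triggered by local customizations on that host.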

Issue History

Date Modified Username Field Change
2017-02-27 21:46 seidler New Issue
2017-02-27 21:46 seidler Tag Attached: selinux
2017-03-16 13:26 seidler Note Added: 0028873