2017-08-18 01:20 UTC

ID: 0012898
Project: CentOS-7
Category: policycoreutils
View Status: public
Last Update: 2017-03-16 13:26
Reporter: seidler
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.3.1611
Target Version:
Fixed in Version:
Summary: 0012898: fcontext rules for sockets break semanage export
Description: Whenever a custom fcontext rule with file type "socket" is added, semanage fcontext -E stops working until the rule is removed. This is particularly unfortunate as it breaks Puppet which relies on the export functionality to determine whether a rule needs to be added or not.
Steps To Reproduce:
1. Run
semanage fcontext -E
-> output is correct, shows custom rules
2. Run
semanage fcontext -a -f s -t httpd_var_run_t '/var/apps/\.sockets(/.*)?'
3. Run
semanage fcontext -E
-> prints "KeyError: socket"
Additional Information: The root cause is in /usr/lib/python2.7/site-packages/seobject/__init__.py

Not sure if that fix is correct or if the lookup is wrong, but when I change the "s" value entry in file_type_str_to_option from "socket file" (which is technically wrong anyway) to "socket", it works as expected.

My first guess is that the lookup in that hash in line 2134 either needs to operate on a different hash, or that the input data is wrong, or that simply the hash is wrong and the above change is the correct fix.
Tags: selinux

Notes

~0028873

seidler (reporter)

So it was a bug. It's fixed upstream now:
https://github.com/SELinuxProject/selinux/commit/317743bbe2a235a5c68f1066b4153e0726a3118f

Any chance of backporting that change?

Issue History
Date Modified Username Field Change
2017-02-27 21:46 seidler New Issue
2017-02-27 21:46 seidler Tag Attached: selinux
2017-03-16 13:26 seidler Note Added: 0028873