Ready to prevent the next vendor outage? Learn more
OPERATIONAL DEFECT DATABASE
...
...
What were you trying to do that didn't work? Dogtag PKI installation, when using a custom folder name, will update the file context during the installation in order to allow the execution but the "restorecon" method do not work. What is the impact of this issue to you? Dogtag PKI cannot be installed with custom names. Please provide the package NVR for which the bug is seen: [root@pki1 pki]# rpm -qa | grep selinux libselinux-utils-2.9-9.el8_10.x86_64 selinux-policy-3.14.3-139.el8_10.1.noarch libselinux-2.9-9.el8_10.x86_64 python3-libselinux-2.9-9.el8_10.x86_64 rpm-plugin-selinux-4.14.3-32.el8_10.x86_64 selinux-policy-targeted-3.14.3-139.el8_10.1.noarch How reproducible is this bug?: Steps to reproduce Create a folder in /etc/pki called test and a file inside. Copy the following script in the VM (this perform similar action done inside DogtagPKI code): #!/usr/bin/python3 import sys import selinux import seobject def update_context(file_dir, new_context): suffix = '(/.*)?' trans = seobject.semanageRecords('targeted') trans.start() fcon = seobject.fcontextRecords(trans) fcon.add( file_dir + suffix, new_context, '', 's0', '') trans.finish() selinux.restorecon(file_dir, True, True, True) if __name__ == "__main__": update_context(sys.argv[1], sys.argv[2]) run the script with: [root@pki1 pki]# python3 update_context.py $PWD/test pki_tomcat_etc_rw_t Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0 Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0 Updated digest for: /etc/pki/test *no* further _formatting_ is done here The context is replaced with the same old value. Expected results Running the same steps in Fedora41 the final step is: [root@vm-10-0-185-55 pki]# python update_context.py $PWD/test pki_tomcat_etc_rw_t Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0 Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0 The context is properly configured. Actual results The context is not updated properly. Addtionally, if the resorecon CLI is executed after the script the context is properly updated: [root@pki1 pki]# ls -lZr test total 0 -rw-r--r--. 1 root root system_u:object_r:cert_t:s0 0 Jan 9 05:31 alias [root@pki1 pki]# restorecon -Rv test Relabeled /etc/pki/test from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0 Relabeled /etc/pki/test/alias from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Done-Errata