Issue
What were you trying to do that didn't work?
Dogtag PKI installation, when using a custom folder name, will update the file context during the installation in order to allow the execution, but the "restorecon" method does not work.
What is the impact of this issue to you?
Dogtag PKI cannot be installed with custom names.
Please provide the package NVR for which the bug is seen:
[root@pki1 pki]# rpm -qa | grep selinux
libselinux-utils-2.9-9.el8_10.x86_64
selinux-policy-3.14.3-139.el8_10.1.noarch
libselinux-2.9-9.el8_10.x86_64
python3-libselinux-2.9-9.el8_10.x86_64
rpm-plugin-selinux-4.14.3-32.el8_10.x86_64
selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
How reproducible is this bug?:
Steps to reproduce
Create a folder in /etc/pki called test and a file inside.
Copy the following script to the VM (this performs an action similar to the one done inside the Dogtag PKI code):
#!/usr/bin/python3
import sys
import selinux
import seobject

def update_context(file_dir, new_context):
    suffix = '(/.*)?'
    # Register a file-context rule for the directory and everything below it
    trans = seobject.semanageRecords('targeted')
    trans.start()
    fcon = seobject.fcontextRecords(trans)
    fcon.add(
        file_dir + suffix,
        new_context, '', 's0', '')
    trans.finish()
    # Relabel from the same process: recursive, verbose, force
    selinux.restorecon(file_dir, True, True, True)

if __name__ == "__main__":
    update_context(sys.argv[1], sys.argv[2])
Run the script with:
[root@pki1 pki]# python3 update_context.py $PWD/test pki_tomcat_etc_rw_t
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:cert_t:s0
Updated digest for: /etc/pki/test
The context is replaced with the same old value.
Expected results
Running the same steps in Fedora 41, the final step is:
[root@vm-10-0-185-55 pki]# python update_context.py $PWD/test pki_tomcat_etc_rw_t
Relabeled /etc/pki/test from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Relabeled /etc/pki/test/alias from unconfined_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
The context is properly configured.
Actual results
The context is not updated properly.
Additionally, if the restorecon CLI is executed after the script, the context is properly updated:
[root@pki1 pki]# ls -lZr test
total 0
-rw-r--r--. 1 root root system_u:object_r:cert_t:s0 0 Jan 9 05:31 alias
[root@pki1 pki]# restorecon -Rv test
Relabeled /etc/pki/test from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
Relabeled /etc/pki/test/alias from system_u:object_r:cert_t:s0 to system_u:object_r:pki_tomcat_etc_rw_t:s0
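
A post-relabel check for the failure described in this report, as an added example (not part of the original report and not Dogtag PKI code): it reads each entry's label straight from the `security.selinux` extended attribute and lists entries whose type is not the one that was just registered. The function names and the sample dictionaries, whose labels are copied from the output above, are assumptions made for illustration.

```python
import os
import sys

def parse_context(label):
    """Split 'user:role:type[:level]'; the level may contain ':' (s0:c0.c1023)."""
    parts = label.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {label!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}

def read_label(path):
    """Read the on-disk label from the security.selinux xattr (Linux only)."""
    raw = os.getxattr(path, "security.selinux", follow_symlinks=False)
    return raw.rstrip(b"\x00").decode()

def tree_paths(root):
    """Yield root and everything below it, as a recursive relabel would visit."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def find_mislabeled(paths, expected_type, reader=read_label):
    """Return [(path, actual_type)] for each path whose type != expected_type."""
    bad = []
    for path in paths:
        try:
            actual = parse_context(reader(path))["type"]
        except (OSError, ValueError):
            actual = "<unlabeled>"  # missing xattr or unparsable label
        if actual != expected_type:
            bad.append((path, actual))
    return bad

# Constructed sample data: labels copied from the command output in the report.
AFTER_SCRIPT_EL8 = {
    "/etc/pki/test": "system_u:object_r:cert_t:s0",
    "/etc/pki/test/alias": "system_u:object_r:cert_t:s0",
}
AFTER_RESTORECON_CLI = {
    "/etc/pki/test": "system_u:object_r:pki_tomcat_etc_rw_t:s0",
    "/etc/pki/test/alias": "system_u:object_r:pki_tomcat_etc_rw_t:s0",
}

if __name__ == "__main__":
    # Usage: verify_context.py <dir> <expected_type>
    stale = find_mislabeled(tree_paths(sys.argv[1]), sys.argv[2])
    for path, actual in stale:
        print(f"{path}: type is {actual}, expected {sys.argv[2]}")
    sys.exit(1 if stale else 0)
```

Run against a real directory it exits non-zero when any entry still carries the old type, so an installer can fail early instead of continuing with a label that blocks execution.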