<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class="">Package: libselinux1</div><div class=""><div class="">Version: 3.4-1</div></div><div class="">SELinux: deactivated</div><div class=""><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">Src: </span><a href="https://salsa.debian.org/selinux-team/libselinux/-/blob/debian/src/selinux_restorecon.c" class="">https://salsa.debian.org/selinux-team/libselinux/-/blob/debian/src/selinux_restorecon.c</a></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Hey,</div><div class=""><br class=""></div><div class="">after today’s update of „libselinux1“ to upstream version 3.4 in Debian Testing we encounter issues while setting contexts using „setfiles“, which seem to be related to <a href="https://salsa.debian.org/selinux-team/libselinux/-/blob/debian/src/selinux_restorecon.c#L711-716" class="">https://salsa.debian.org/selinux-team/libselinux/-/blob/debian/src/selinux_restorecon.c#L711-716</a>, where „lgetfilecon_raw“ got replaced by the new function „fgetfilecon_raw“. However, this seems to need an active SELinux environment for the „fgetxattr“ function, which needs /proc for „xattr“. 
</div><div class=""><br class=""></div><div class="">As a result this fails with (example):</div><div class="">/sbin/setfiles: Could not set context for /etc/hosts: No such file or directory</div><div class=""><br class=""></div><div class="">Example trace (another file):</div><div class=""><div class="">openat(AT_FDCWD, "/etc/idmapd.conf", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 4</div><div class="">newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=171, ...}, AT_EMPTY_PATH) = 0</div><div class="">fgetxattr(4, "security.selinux", 0x55c65d6e3eb0, 255) = -1 EBADF (Bad file descriptor)</div><div class="">fcntl(4, F_GETFL) = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)</div><div class="">getxattr("/proc/self/fd/4", "security.selinux", 0x55c65d6e3eb0, 255) = -1 ENOENT (No such file or directory)</div><div class="">write(2, "/sbin/setfiles: ", 16/sbin/setfiles: ) = 16</div><div class="">write(2, "Could not set context for /etc/i"..., 71Could not set context for /etc/idmapd.conf: No such file or directory) = 71</div><div class="">close(4)</div></div><div class=""><br class=""></div><div class="">While I can understand that most SELinux users would use this command(s) more or less only on SELinux activated systems, there’re still some scenarios left where this may be important like „chroots“ or similar.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">gyptazy</div></body></html>