[DSE-Dev] Bug#1013261: libselinux1 - restorecon fails with: No such file or directory

gyptazy gyptazy at gyptazy.ch
Mon Jun 20 10:45:40 BST 2022


Package: libselinux1
Version: 3.4-1
SELinux: deactivated
Src: https://salsa.debian.org/selinux-team/libselinux/-/blob/debian/src/selinux_restorecon.c


Hey,

after today’s update of „libselinux1“ to upstream version 3.4 in Debian Testing we encounter issues while setting contexts using „setfiles“, which seems to be related to https://salsa.debian.org/selinux-team/libselinux/-/blob/debian/src/selinux_restorecon.c#L711-716, where „lgetfilecon_raw“ got replaced by the new function „fgetfilecon_raw“. However, this seems to need an active SELinux environment for the „fgetxattr“ function, which needs /proc for „xattr“.

As a result this fails with (example):
/sbin/setfiles: Could not set context for /etc/hosts:  No such file or directory

Example trace (another file):
openat(AT_FDCWD, "/etc/idmapd.conf", O_RDONLY|O_EXCL|O_NOFOLLOW|O_PATH) = 4
newfstatat(4, "", {st_mode=S_IFREG|0644, st_size=171, ...}, AT_EMPTY_PATH) = 0
fgetxattr(4, "security.selinux", 0x55c65d6e3eb0, 255) = -1 EBADF (Bad file descriptor)
fcntl(4, F_GETFL)                       = 0x220000 (flags O_RDONLY|O_NOFOLLOW|O_PATH)
getxattr("/proc/self/fd/4", "security.selinux", 0x55c65d6e3eb0, 255) = -1 ENOENT (No such file or directory)
write(2, "/sbin/setfiles: ", 16/sbin/setfiles: )        = 16
write(2, "Could not set context for /etc/i"..., 71Could not set context for /etc/idmapd.conf:  No such file or directory) = 71
close(4)

While I can understand that most SELinux users would use these command(s) more or less only on SELinux-activated systems, there are still some scenarios left where this may be important, like „chroots“ or similar.

Thanks,
gyptazy
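
The syscall sequence from the trace above, as an added example that is not part of the original report or of libselinux: it opens the file with O_PATH, falls back to the /proc/self/fd link when fgetxattr returns EBADF, and tells an ENOENT caused by an unreachable /proc link apart from a missing file or a missing label. The names `probe_label` and `proc_root` and the result codes are assumptions of this example.

```c
#define _GNU_SOURCE                 /* O_PATH */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>
#ifndef O_PATH
#define O_PATH 010000000            /* Linux value on common architectures */
#endif

enum probe { LABEL_FOUND, LABEL_ABSENT, PROC_MISSING, FILE_ERROR };

/* Same syscall sequence as the trace. proc_root is "/proc" in real use; it is a
 * parameter (an assumption of this example) so a chroot without /proc can be
 * reproduced by passing a directory that does not exist. */
static enum probe probe_label(const char *path, const char *proc_root,
                              char *buf, size_t len)
{
    char link[128];
    struct stat st;
    enum probe res = FILE_ERROR;
    ssize_t n;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_PATH | O_CLOEXEC);

    if (fd < 0)
        return FILE_ERROR;          /* ENOENT here really is about the file */
    n = fgetxattr(fd, "security.selinux", buf, len - 1);
    if (n < 0 && errno == EBADF) {  /* O_PATH descriptors reject xattr calls */
        snprintf(link, sizeof(link), "%s/self/fd/%d", proc_root, fd);
        n = getxattr(link, "security.selinux", buf, len - 1);
    }
    if (n >= 0) {
        buf[n] = '\0';
        res = LABEL_FOUND;
    } else if (errno == ENODATA || errno == ENOTSUP) {
        res = LABEL_ABSENT;         /* file reached, it just carries no label */
    } else if (errno == ENOENT && fstat(fd, &st) == 0) {
        res = PROC_MISSING;         /* fd still valid: the /proc link is absent */
    }
    close(fd);
    return res;
}

int main(void)
{
    char ctx[256];
    printf("proc root /proc:        %d\n", probe_label("/etc/hosts", "/proc", ctx, sizeof(ctx)));
    printf("proc root /nonexistent: %d\n", probe_label("/etc/hosts", "/nonexistent", ctx, sizeof(ctx)));
    return 0;
}
```
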