I don't exactly know where to post this, but I guess I have everyone's attention on this thread.

Attached are patches which work for me. They could really do with review from someone who knows what they're doing. They also need much more testing than I've done, but I'll be doing that myself later.

The first patch (against libselinux) sets SELinux to Permissive mode early in boot if the /.autorelabel file is found (or autorelabel on the command line). The second patch (against policycoreutils in Fedora) implements the generator itself.

Some problems I found:

- It would be nice if systemd defined a %{_generatorsdir} RPM macro.
- I couldn't get it to work only depending on local-fs.target. I had to depend on sysinit.target. With local-fs.target, /boot could not be mounted, so there may be something broken/missing in local-fs.target.
- There seems to be no upstream for selinux-autorelabel* since it was moved from systemd. It looks like the only upstream is Fedora's policycoreutils itself. Maybe I missed something there.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v
>From c9b8d9da73d8f530df9a8672413d1db842ff45d5 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" <rjones@xxxxxxxxxx> Date: Mon, 4 Jul 2016 11:42:14 +0100 Subject: [PATCH] libselinux: If autorelabel, force permissive mode. Signed-off-by: Richard W.M. Jones <rjones@xxxxxxxxxx> --- libselinux/src/load_policy.c | 30 +++++++++++++++++++++++++----- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c index 4f39fc7..337a8a9 100644 --- a/libselinux/src/load_policy.c +++ b/libselinux/src/load_policy.c @@ -315,7 +315,8 @@ hidden_def(selinux_mkload_policy) */ int selinux_init_load_policy(int *enforce) { - int rc = 0, orig_enforce = 0, seconfig = -2, secmdline = -1; + int rc = 0, orig_enforce = 0, seconfig = -2, secmdline = -1, + seautorelabel = -1; FILE *cfg; char *buf; @@ -332,6 +333,17 @@ int selinux_init_load_policy(int *enforce) */ selinux_getenforcemode(&seconfig); + /* + * If /.autorelabel exists then we should start in permissive + * mode because (a) the labels on the filesystem are known to + * be bogus and so should not be trusted to make security + * decisions, but more practically (b) mislabelled files may + * cause services & processes required for relabelling to fail. + */ + if (access("/.autorelabel", F_OK) == 0) { + seautorelabel = 0; + } + /* Check for an override of the mode via the kernel command line. */ rc = mount("proc", "/proc", "proc", 0, 0); cfg = fopen("/proc/cmdline", "r"); 
@@ -342,12 +354,18 @@ int selinux_init_load_policy(int *enforce) fclose(cfg); return -1; } - if (fgets(buf, selinux_page_size, cfg) && - (tmp = strstr(buf, "enforcing="))) { - if (tmp == buf || isspace(*(tmp - 1))) { + if (fgets(buf, selinux_page_size, cfg)) { + if ((tmp = strstr(buf, "enforcing=")) && + (tmp == buf || isspace(*(tmp - 1)))) { secmdline = atoi(tmp + sizeof("enforcing=") - 1); } + else if ((tmp = strstr(buf, "autorelabel")) && + (tmp == buf || isspace(*(tmp - 1))) && + (tmp + sizeof("autorelabel") - 1 == '\0' || + isspace(tmp + sizeof("autorelabel") - 1))) { + seautorelabel = 0; + } } fclose(cfg); free(buf); @@ -357,7 +375,9 @@ int selinux_init_load_policy(int *enforce) * Determine the final desired mode. * Command line argument takes precedence, then config file. */ - if (secmdline >= 0) + if (seautorelabel >= 0) + *enforce = seautorelabel; + else if (secmdline >= 0) *enforce = secmdline; else if (seconfig >= 0) *enforce = seconfig; -- 2.7.4
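Review bot: In the @@ -332,6 hunk, `access("/.autorelabel", F_OK)` succeeds for any object at that path (directory, symlink, device), whereas the generator in the companion patch uses `test -f`, which accepts only a regular file; if the two disagree the machine boots permissive but never relabels and never reboots, and stays permissive until someone notices. Use the same test on both sides (stat() and check S_ISREG, or F_OK in both). It is also worth stating in the comment that this check runs before any policy is loaded and is decided purely by the presence of a file on the root filesystem, so whoever can create /.autorelabel decides the enforcement mode of the next boot; that is the pre-existing semantics of the autorelabel mechanism, but this hunk moves the decision into libselinux, where every caller of selinux_init_load_policy() inherits it.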
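Review bot: In the @@ -342,12 hunk the end-of-word check for `autorelabel` is wrong in both halves: `tmp + sizeof("autorelabel") - 1 == '\0'` compares a `char *` against integer 0, i.e. tests whether the pointer is NULL, and `isspace(tmp + sizeof("autorelabel") - 1)` passes a pointer where an int is expected, so the branch can never match a bare `autorelabel` word and the compiler should warn on both. Dereference in both places, e.g. `tmp[sizeof("autorelabel") - 1] == '\0' || isspace((unsigned char)tmp[sizeof("autorelabel") - 1])`. Separately, because the new branch is an `else if` on the `enforcing=` match, a command line that contains both `enforcing=1` and `autorelabel` never sets seautorelabel, so the relabel would run in enforcing mode, which is exactly the case the patch is meant to prevent; test for `autorelabel` in its own `if` rather than as the fallback of the `enforcing=` test.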
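Review bot: In the @@ -357,7 hunk the comment above the block still reads "Command line argument takes precedence, then config file", but the new ordering puts seautorelabel ahead of both, so an explicit `enforcing=1` on the kernel command line is now silently overridden whenever /.autorelabel exists. That is a deliberate choice and a reasonable one, but it changes the documented precedence; update the comment to "autorelabel, then command line, then config file" so the override is visible to the next person reading this code.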
>From f1f5cf751c72b658bae08161934ffac13aee8c5f Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" <rjones@xxxxxxxxxx> Date: Mon, 4 Jul 2016 13:15:08 +0100 Subject: [PATCH] Use generator approach to fix autorelabel. See: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx/message/CHCEGB2RUPHFCE4FVGIRO3CJYGNS75T7/ --- policycoreutils.spec | 13 ++++++++++--- selinux-autorelabel-generator.sh | 29 +++++++++++++++++++++++++++++ selinux-autorelabel.service | 9 +++------ selinux-autorelabel.target | 7 +++++++ 4 files changed, 49 insertions(+), 9 deletions(-) create mode 100755 selinux-autorelabel-generator.sh create mode 100644 selinux-autorelabel.target diff --git a/policycoreutils.spec b/policycoreutils.spec index a77c243..cb784d9 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -4,10 +4,12 @@ %global libselinuxver 2.5-7 %global sepolgenver 1.2.3 +%global generatorsdir %{_prefix}/lib/systemd/system-generators + Summary: SELinux policy core utilities Name: policycoreutils Version: 2.5 -Release: 11%{?dist} +Release: 11.rwmj1%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases @@ -20,6 +22,8 @@ Source4: sepolicy-icons.tgz Source5: selinux-autorelabel Source6: selinux-autorelabel.service Source7: selinux-autorelabel-mark.service +Source8: selinux-autorelabel.target +Source9: selinux-autorelabel-generator.sh # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: # $ VERSION=2.5 ./make-fedora-selinux-patch.sh policycoreutils 
@@ -123,10 +127,12 @@ rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.deskto # https://bugzilla.redhat.com/show_bug.cgi?id=1328825 mkdir -m 755 -p %{buildroot}/%{_unitdir}/basic.target.wants/ +mkdir -m 755 -p %{buildroot}/%{generatorsdir} install -m 644 -p %{SOURCE6} %{buildroot}/%{_unitdir}/ install -m 644 -p %{SOURCE7} %{buildroot}/%{_unitdir}/ +install -m 644 -p %{SOURCE8} %{buildroot}/%{_unitdir}/ +install -m 755 -p %{SOURCE9} %{buildroot}/%{generatorsdir}/ install -m 755 -p %{SOURCE5} %{buildroot}/%{_libexecdir}/selinux/ -ln -s ../selinux-autorelabel.service %{buildroot}/%{_unitdir}/basic.target.wants/ ln -s ../selinux-autorelabel-mark.service %{buildroot}/%{_unitdir}/basic.target.wants/ %find_lang %{name} @@ -371,7 +377,8 @@ fi %{_unitdir}/selinux-autorelabel-mark.service %{_unitdir}/basic.target.wants/selinux-autorelabel-mark.service %{_unitdir}/selinux-autorelabel.service -%{_unitdir}/basic.target.wants/selinux-autorelabel.service +%{_unitdir}/selinux-autorelabel.target +%{generatorsdir}/selinux-autorelabel-generator.sh %config(noreplace) %{_sysconfdir}/sestatus.conf # selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them %{_mandir}/man5/selinux_config.5.gz diff --git a/selinux-autorelabel-generator.sh b/selinux-autorelabel-generator.sh new file mode 100755 index 0000000..be60487 --- /dev/null +++ b/selinux-autorelabel-generator.sh 
@@ -0,0 +1,29 @@ +#!/bin/sh + +# This systemd.generator(7) detects if SELinux is running and if the +# user requested an autorelabel, and if so sets the default target to +# selinux-autorelabel.target, which will cause the filesystem to be +# relabelled and then the system will reboot again and boot into the +# real default target. + +PATH=/usr/sbin:$PATH +unitdir=/usr/lib/systemd/system + +# If invoked with no arguments (for testing) write to /tmp. +earlydir="/tmp" +if [ -n "$2" ]; then + earlydir="$2" +fi + +set_target () +{ + ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target" +} + +if selinuxenabled; then + if test -f /.autorelabel; then + set_target + elif grep -sqE "\bautorelabel\b" /proc/cmdline; then + set_target + fi +fi diff --git a/selinux-autorelabel.service b/selinux-autorelabel.service index a6cc332..b8461e6 100644 --- a/selinux-autorelabel.service +++ b/selinux-autorelabel.service @@ -1,13 +1,10 @@ [Unit] -Description=Relabel all filesystems, if necessary +Description=Relabel all filesystems DefaultDependencies=no -Requires=local-fs.target Conflicts=shutdown.target -After=local-fs.target -Before=sysinit.target shutdown.target +After=sysinit.target +Before=shutdown.target ConditionSecurity=selinux -ConditionKernelCommandLine=|autorelabel -ConditionPathExists=|/.autorelabel [Service] ExecStart=/usr/libexec/selinux/selinux-autorelabel diff --git a/selinux-autorelabel.target b/selinux-autorelabel.target new file mode 100644 index 0000000..a4f63ab --- /dev/null +++ b/selinux-autorelabel.target @@ -0,0 +1,7 @@ +[Unit] +Description=Relabel all filesystems and reboot +DefaultDependencies=no +Requires=sysinit.target selinux-autorelabel.service +Conflicts=shutdown.target +After=sysinit.target selinux-autorelabel.service +ConditionSecurity=selinux -- 2.7.4
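Review bot: In the @@ -4,10 hunk of policycoreutils.spec the Release is bumped to `11.rwmj1%{?dist}`, which is a private scratch-build tag; before this is committed it should become a plain `12%{?dist}` together with a %changelog entry, which the diff stat shows this patch does not add. The `%global generatorsdir %{_prefix}/lib/systemd/system-generators` stand-in is fine given that systemd ships no such macro, but a one-line comment saying it mirrors systemd's default generator path would save the next maintainer from wondering why it is hard-coded.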
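Review bot: In the selinux-autorelabel-generator.sh hunk the two triggers are not the same as the ones in the libselinux patch: `test -f /.autorelabel` needs a regular file while libselinux accepts anything via `access(..., F_OK)`, and `grep -sqE "\bautorelabel\b"` also matches `autorelabel=0` or `autorelabel=foo` while libselinux only matches the bare word. Either mismatch produces a boot that relabels in enforcing mode or boots permissive without relabelling; pick one definition and use it on both sides. The `earlydir="/tmp"` fallback for argument-less testing means an accidental manual run drops a `default.target` symlink into a world-writable directory; printing a usage message and exiting when `$2` is empty is safer. Finally the script has no `set -e` and ignores the exit status of `ln -sf`; a failed symlink silently falls back to the normal default target, which is probably the right failure mode, but it should be stated in the header comment rather than left implicit.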
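Review bot: In the selinux-autorelabel.service hunk, removing `ConditionKernelCommandLine=|autorelabel` and `ConditionPathExists=|/.autorelabel` puts the whole decision in the generator, so a plain `systemctl start selinux-autorelabel.service` now relabels (and, per the target's Description, reboots) with no guard at all. Keeping the two conditions costs nothing and protects against the service being pulled in by anything other than the new target. Also note that with `Requires=local-fs.target` gone and `DefaultDependencies=no`, the service itself no longer pulls in any filesystem or sysinit dependency; it relies entirely on selinux-autorelabel.target's `Requires=sysinit.target`, which deserves a comment in the unit file so nobody later "fixes" the target and leaves the service ordering-only.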
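Review bot: In the selinux-autorelabel.target hunk the target `Requires=` selinux-autorelabel.service, so a failed relabel fails the target, and because the generator has made this the default target there is nothing else to reach: no getty, no reboot, and the machine sits at sysinit.target in permissive mode. Add an `OnFailure=` on the service (rescue.target or emergency.target) so an administrator gets a shell instead of a hung box, and consider whether the target should also carry `AllowIsolate=yes` for manual testing with `systemctl isolate`.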
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx