On 04/12/2018 11:07 AM, Stephen Smalley wrote:
> On 04/12/2018 06:26 AM, Vit Mojzis wrote:
>> Commit 8702a865e08b5660561e194a83e4a363061edc03 causes file mode of
>> seusers and users_extra to change based on the value defined in config
>> file whenever direct_commit is called and policy is not rebuilt.
>> (e.g. when setting a boolean).
>>
>> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1512639
>
> I think this patch is correct and expect to apply it, but am left wondering about the permissions
> on /var/lib/selinux/targeted in general. It appears that we are inconsistent in our file modes
> on files under /var/lib/selinux/targeted/active, e.g. file_contexts.homedirs, *.local, and modules/*/* are 0644,
> whereas other files are 0600. Of course, given that the directories are 0600, only root can even lookup files under
> these directories regardless of their individual file modes so it isn't as though those files are truly accessible.
> Looks like there are other uses of sh->conf->file_mode that are suspect in semanage_direct_commit() for files
> in the store, whereas I think it should only be used for installed files (i.e. /etc/selinux/targeted/*).

Actually, we seem to be inconsistent even among different modules; some seem to be 0600 and others 0644, likely due to some being prebuilt/prepackaged that way and others installed via semodule -i. Also, policy.kern and policy.linked are presently 0644.

On a separate but related note, rpm -V selinux-policy-targeted output seems somewhat surprising, e.g. wouldn't expect file_contexts.local, commit_num, etc to be managed by rpm itself. Not sure it should be managing /var/lib/selinux at all.

>
>>
>> $ ll /var/lib/selinux/targeted/active/users_extra
>> -rw-------. 1 root root 101 11. dub 17.31 /var/lib/selinux/targeted/active/users_extra
>> $ ll /var/lib/selinux/targeted/active/seusers
>> -rw-------. 1 root root 73 11. dub 17.31 /var/lib/selinux/targeted/active/seusers
>> $ semanage boolean -m --on httpd_can_network_connect
>> $ ll /var/lib/selinux/targeted/active/seusers
>> -rw-r--r--. 1 root root 73 23. bře 16.59 /var/lib/selinux/targeted/active/seusers
>> $ ll /var/lib/selinux/targeted/active/users_extra
>> -rw-r--r--. 1 root root 101 23. bře 16.59 /var/lib/selinux/targeted/active/users_extra
>> $ rpm -Vq selinux-policy-targeted
>> .M.....T. /var/lib/selinux/targeted/active/seusers
>> .M.....T. /var/lib/selinux/targeted/active/users_extra
>>
>> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
>> ---
>> libsemanage/src/direct_api.c | 4 ++--
>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
>> index e7ec952f..c58961be 100644
>> --- a/libsemanage/src/direct_api.c
>> +++ b/libsemanage/src/direct_api.c
>> @@ -1481,7 +1481,7 @@ rebuild:
>> retval = semanage_copy_file(path,
>> semanage_path(SEMANAGE_TMP,
>> SEMANAGE_STORE_SEUSERS),
>> - sh->conf->file_mode);
>> + 0);
>> if (retval < 0)
>> goto cleanup;
>> pseusers->dtable->drop_cache(pseusers->dbase);
>> @@ -1499,7 +1499,7 @@ rebuild:
>> retval = semanage_copy_file(path,
>> semanage_path(SEMANAGE_TMP,
>> SEMANAGE_USERS_EXTRA),
>> - sh->conf->file_mode);
>> + 0);
>> if (retval < 0)
>> goto cleanup;
>> pusers_extra->dtable->drop_cache(pusers_extra->dbase);
>>
>
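Review bot: in the first hunk (@@ -1481) the replacement mode for the seusers copy is a bare literal `0` (`+ 0);`), which reads as "create the file with no permission bits" unless the reader already knows how semanage_copy_file() treats a zero mode; neither the hunk nor the commit message states the resulting mode, while the reproduction in the message implies the file should stay 0600 (-rw-------). Please spell out the intended default with a named constant or a one-line comment at the call site, and have the commit message state which mode the store copy ends up with so the fix can be checked against the `ll` output shown.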
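Review bot: the second hunk (@@ -1499) is the same one-line change for users_extra, and the maintainer's reply notes that other sh->conf->file_mode uses in semanage_direct_commit() for store files look equally suspect; if the rule is that file_mode applies only to installed files under /etc/selinux/targeted/*, the two fixed call sites should carry a short comment stating that rule, and the commit message should say whether the remaining store-file uses are deliberately left for a follow-up. Without that, the mode drift rpm -V flagged on seusers and users_extra could recur on the other store files the reply lists.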