On 7/22/20 6:48 PM, Stephen Smalley wrote: > On Tue, Jul 21, 2020 at 4:14 PM Dominick Grift > <dominick.grift@xxxxxxxxxxx> wrote: >>> +context for both subjects and objects when their label is invalidated >>> +by a policy reload (their SID is unchanged but the SID is >>> +transparently remapped to the unlabeled context). >> >> I will note here that I suspect there is currently something broken >> with libselinux / unlabeled sids >> >> libselinux consumers still use *invalidated* contexts associated with >> inodes to compute access vectors. >> >> for example rpm will not consistently work until the filesystems are >> relabeled after a new policy is loaded that invalidates contexts >> currently associated with /bin/sh (entrypoint for setfscreatecon to >> "rpm_script_t") >> >> systemd will not consistently work until the filesystems are relabeled >> after a new policy loaded that invalidates contexts currently associated >> with (i suspect) parent directories for socket activated sock files >> (maybe setfscreatecon?) > > That's because userspace doesn't pass SIDs to the kernel (they aren't > exported by the kernel); it passes security contexts, and the kernel > refuses to accept invalid contexts. So a context previously used by > userspace that is invalidated by a policy reload and then later passed > in again to a kernel interface will produce an error. IIRC, the Can we not just assume that if that happens, that the kernel should just treat the context as if it were the context of the unlabeled isid. I mean that is what it boils down to anyway: everything always needs a valid context. so might as well treat invalid contexts as unlabeled isids? Not sure how "state" is relevant here as invalid is invalid. Regardless, this current behavior makes things less robust. I wont pretent that I am qualified to judge whether addressing this is technically possible or not. > security_get_initial_context() and avc_get_initial_sid() interfaces > were added to allow userspace object managers like SEPostgreSQL to get > the context associated with an initial SID like the unlabeled SID for > their own internal use/handling, but libselinux doesn't try to remap > like that internally and it wouldn't always know whether the context > was previously valid unless it maintained state on all calls. >
