On 7/11/24 20:22, Stephen Smalley wrote:
On Thu, Jul 11, 2024 at 10:57 AM Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
Hello,
I'm trying to address a known "issue" where SELinux context of files in
SELinux store gets changed on policy rebuild. This triggers some system
verification tools and unnecessarily raises concerns in users.
I created a patch using getfilecon and setfscreatecon, but am not sure
if this is the best approach since it will not fix a context that has
already been changed. Also, any files created as a result of execve
need to be addressed separately (e.g. file_contexts.bin), maybe using
selabel_lookup to get the proper label since that way sefcontext_compile
does not need to know the path to the SELinux store (only to sandbox).
I considered relabeling the whole sandbox before semanage_commit_sandbox,
but that seems wasteful.
Would a name-based type transition work? This would avoid the need for
any code changes (to libsemanage or sefcontext_compile).
Otherwise, I think doing a selabel_lookup() followed by
setfscreatecon() makes the most sense if you want to ensure that the
file has the correct label at creation time, or calling
selinux_restorecon(3) on the file after it is created prior to copying
data to it would be even simpler.
Thank you for the suggestions. I haven't found a way to include the
SELinux user and role in a type transition rule (and the type is not
affected by this issue). But selinux_restorecon works just fine.
Then there is a related issue where the rebuild is performed as a
non-root user, causing files in the policy store to change ownership.
\# capsh --user=testuser --caps="cap_dac_override+eip cap_setpcap+ep" --addamb=cap_dac_override -- -c "semodule -B"
This can actually cause issues in some scenarios (e.g. remote login failing).
Addressing this seems to require more drastic measures. My attempts to
use "chown" failed, even with the CAP_CHOWN capability and using
seteuid/setegid does not seem safe. Any suggestions would be
appreciated.
setfsuid() is a safer option than seteuid() for filesystem operations,
but what is preventing the chown() from working?
Sorry, that was my bad. I didn't realize I had to also add dac_chown to
"capsh --addamb".
It works fine when I change the capabilities on the "semodule" binary,
or use:
# sudo capsh --user=testuser --caps="cap_dac_override,cap_chown+eip"
--addamb=cap_dac_override,cap_chown -- -c "semodule -B"
Thank you.
Vit
