Re: [PATCH v4] libsemanage: Preserve file context and ownership in policy store

Stephen Smalley <stephen.smalley.work@xxxxxxxxx> · Fri, 26 Jul 2024 13:54:09 -0400

On Fri, Jul 26, 2024 at 1:50 PM Stephen Smalley
<stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Thu, Jul 25, 2024 at 12:11 PM Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
> >
> > Make sure that file context (all parts) and ownership of
> > files/directories in policy store does not change no matter which user
> > and under which context executes policy rebuild.
> >
> > Fixes:
> >   # semodule -B
> >   # ls -lZ  /etc/selinux/targeted/contexts/files
> >
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0  14704 Jul 11 09:57 file_contexts.homedirs
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0  20289 Jul 11 09:57 file_contexts.homedirs.bin
> >
> >   SELinux user changed from system_u to the user used to execute semodule
> >
> >   # capsh --user=testuser --caps="cap_dac_override,cap_chown+eip" --addamb=cap_dac_override,cap_chown -- -c "semodule -B"
> >   # ls -lZ  /etc/selinux/targeted/contexts/files
> >
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 421397 Jul 19 09:10 file_contexts
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 593470 Jul 19 09:10 file_contexts.bin
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0  14704 Jul 19 09:10 file_contexts.homedirs
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0  20289 Jul 19 09:10 file_contexts.homedirs.bin
> >
> >   Both file context and ownership changed -- causes remote login
> >   failures and other issues in some scenarios.
> >
> > Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
>
> With the selinux/restorecon.h fix applied first,
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>

Ah, spoke too soon. The GitHub CI testing failed with this:
semanage_store.c: In function ‘semanage_setfiles’:
520 semanage_store.c:3047:25: error: ignoring return value of ‘fchown’
declared with attribute ‘warn_unused_result’ [-Werror=unused-result]
521 3047 | fchown(fd, 0, 0);
522 | ^~~~~~~~~~~~~~~~