On Mon, Jul 29, 2024 at 7:44 AM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Mon, Jul 29, 2024 at 7:33 AM Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
> >
> > Make sure that file context (all parts) and ownership of
> > files/directories in policy store does not change no matter which user
> > and under which context executes policy rebuild.
> >
> > Fixes:
> > # semodule -B
> > # ls -lZ /etc/selinux/targeted/contexts/files
> >
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 14704 Jul 11 09:57 file_contexts.homedirs
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 20289 Jul 11 09:57 file_contexts.homedirs.bin
> >
> > SELinux user changed from system_u to the user used to execute semodule
> >
> > # capsh --user=testuser --caps="cap_dac_override,cap_chown+eip" --addamb=cap_dac_override,cap_chown -- -c "semodule -B"
> > # ls -lZ /etc/selinux/targeted/contexts/files
> >
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 421397 Jul 19 09:10 file_contexts
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 593470 Jul 19 09:10 file_contexts.bin
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 14704 Jul 19 09:10 file_contexts.homedirs
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 20289 Jul 19 09:10 file_contexts.homedirs.bin
> >
> > Both file context and ownership changed -- causes remote login
> > failures and other issues in some scenarios.
> >
> > Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> > ---
> > Changes in V5:
> > - Check return value of fchown and warn user if it fails
> >
> > Should I start creating github pull requests for each patch to catch this
> > type of issue in the future (so that I don't waste your time)?
>
> You don't need to create a PR to trigger the GitHub CI testing; just
> push the change to a branch of your own fork of the selinux repo and
> it will run the tests for you.

And this patch has also been applied to main. Thanks!
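The defect described in the commit message above (a rebuilt policy-store file inheriting the owner and SELinux user of whoever ran `semodule -B`) comes down to one rule: when a file is regenerated, copy owner, group and label from the file it replaces, and check that each copy succeeded rather than assuming it did. The following is an added example written for this thread; it is not the libsemanage patch and not code from the selinux project. It assumes Linux, takes the SELinux label through the `security.selinux` extended attribute (an assumption; libsemanage itself uses libselinux), and, following the V5 note, treats a failed `fchown` as something to warn about instead of ignore. File paths under `/tmp` and the sample `file_contexts` line are constructed for the demo.

```c
/* Added example, not the libsemanage patch: regenerate a file into a
 * replacement while keeping the original's owner, group and SELinux label,
 * and warn (with a non-zero return) when that cannot be done. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

#define SELINUX_XATTR "security.selinux"   /* assumption: label lives here */

/* Copy uid/gid from old_fd to new_fd. Returns 0 on success, -1 after a
 * warning. The fchown result is checked, as the V5 change describes. */
int preserve_ownership(int old_fd, int new_fd)
{
    struct stat st;
    if (fstat(old_fd, &st) < 0) {
        fprintf(stderr, "warning: fstat failed: %s\n", strerror(errno));
        return -1;
    }
    if (fchown(new_fd, st.st_uid, st.st_gid) < 0) {
        fprintf(stderr, "warning: could not restore ownership %u:%u: %s\n",
                (unsigned)st.st_uid, (unsigned)st.st_gid, strerror(errno));
        return -1;
    }
    return 0;
}

/* Best-effort copy of the SELinux label (all parts: user, role, type, range,
 * since the whole xattr string is copied). Returns 0 on success, 1 when the
 * filesystem carries no label (nothing to preserve), -1 after a warning. */
int preserve_selinux_label(int old_fd, int new_fd)
{
    char label[256];
    ssize_t n = fgetxattr(old_fd, SELINUX_XATTR, label, sizeof(label));
    if (n < 0) {
        if (errno == ENOTSUP || errno == ENODATA || errno == EOPNOTSUPP)
            return 1;
        fprintf(stderr, "warning: fgetxattr failed: %s\n", strerror(errno));
        return -1;
    }
    if (fsetxattr(new_fd, SELINUX_XATTR, label, (size_t)n, 0) < 0) {
        fprintf(stderr, "warning: could not restore label: %s\n",
                strerror(errno));
        return -1;
    }
    return 0;
}

/* Verification helper: does new_fd carry the same uid/gid as old_fd? */
int ownership_matches(int old_fd, int new_fd)
{
    struct stat a, b;
    if (fstat(old_fd, &a) < 0 || fstat(new_fd, &b) < 0)
        return 0;
    return a.st_uid == b.st_uid && a.st_gid == b.st_gid;
}

/* Demo: create an "old" file and a regenerated "new" one, carry ownership
 * and label across, and report. Returns 0 when ownership was preserved.
 * Label preservation is best-effort here: a failure is warned about but does
 * not change the return value, since an unlabelled filesystem is common. */
int rebuild_demo(void)
{
    char old_path[] = "/tmp/policy_old_XXXXXX";   /* constructed paths */
    char new_path[] = "/tmp/policy_new_XXXXXX";
    const char *sample = "/etc(/.*)? system_u:object_r:etc_t:s0\n"; /* constructed */
    int old_fd = mkstemp(old_path);
    int new_fd = mkstemp(new_path);
    int rc = -1;

    if (old_fd < 0 || new_fd < 0)
        goto out;
    if (write(new_fd, sample, strlen(sample)) < 0)
        goto out;
    if (preserve_ownership(old_fd, new_fd) < 0)
        goto out;
    (void)preserve_selinux_label(old_fd, new_fd);
    rc = ownership_matches(old_fd, new_fd) ? 0 : -1;
out:
    if (old_fd >= 0) { close(old_fd); unlink(old_path); }
    if (new_fd >= 0) { close(new_fd); unlink(new_path); }
    return rc;
}
```

Run as an unprivileged user this succeeds because a file owner may `fchown` to its own uid and a group it already holds; the interesting case is the one from the thread, a privileged rebuild by a non-root user with ambient capabilities, where the regenerated file would otherwise end up owned by that user and carrying that user's SELinux user component. Checking the `fchown` result is what turns a silent ownership change into a visible warning.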