On Mon, 29 Jul 2024 at 13:33, Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
>
> Make sure that file context (all parts) and ownership of
> files/directories in policy store does not change no matter which user
> and under which context executes policy rebuild.
>
> Fixes:
> # semodule -B
> # ls -lZ /etc/selinux/targeted/contexts/files
>
> -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts
> -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin
> -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 14704 Jul 11 09:57 file_contexts.homedirs
> -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 20289 Jul 11 09:57 file_contexts.homedirs.bin
>
> SELinux user changed from system_u to the user used to execute semodule
>
> # capsh --user=testuser --caps="cap_dac_override,cap_chown+eip" --addamb=cap_dac_override,cap_chown -- -c "semodule -B"
> # ls -lZ /etc/selinux/targeted/contexts/files
>
> -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 421397 Jul 19 09:10 file_contexts
> -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 593470 Jul 19 09:10 file_contexts.bin
> -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 14704 Jul 19 09:10 file_contexts.homedirs
> -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 20289 Jul 19 09:10 file_contexts.homedirs.bin
>
> Both file context and ownership changed -- causes remote login
> failures and other issues in some scenarios.
>
> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
> ---
> Changes in V5:
> - Check return value of fchown and warn user if it fails
>
> Should I start creating github pull requests for each patch to catch this
> type of issue in the future (so that I don't waste your time)?
>
> libsemanage/src/semanage_store.c | 32 ++++++++++++++++++++++++++++++++
> libsemanage/src/semanage_store.h | 1 +
> 2 files changed, 33 insertions(+)
>
> diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> index 27c5d349..0ac2e5b2 100644
> --- a/libsemanage/src/semanage_store.c
> +++ b/libsemanage/src/semanage_store.c
> @@ -36,6 +36,7 @@ typedef struct dbase_policydb dbase_t;
> #include "database_policydb.h"
> #include "handle.h"
>
> +#include <selinux/restorecon.h>
> #include <selinux/selinux.h>
> #include <sepol/policydb.h>
> #include <sepol/module.h>
> @@ -767,6 +768,7 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode,
> if (!retval && rename(tmp, dst) == -1)
> return -1;
>
> + semanage_setfiles(dst);
> out:
> errno = errsv;
> return retval;
> @@ -819,6 +821,8 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
> goto cleanup;
> }
> umask(mask);
> +
> + semanage_setfiles(dst);
> }
>
> for (i = 0; i < len; i++) {
> @@ -837,6 +841,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
> goto cleanup;
> }
> umask(mask);
> + semanage_setfiles(path2);
> } else if (S_ISREG(sb.st_mode) && flag == 1) {
> mask = umask(0077);
> if (semanage_copy_file(path, path2, sb.st_mode,
> @@ -938,6 +943,7 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path)
>
> }
> umask(mask);
> + semanage_setfiles(path);
> }
> else {
> /* check that it really is a directory */
> @@ -1614,16 +1620,19 @@ static int semanage_validate_and_compile_fcontexts(semanage_handle_t * sh)
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC)) != 0) {
> goto cleanup;
> }
> + semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_BIN));
>
> if (sefcontext_compile(sh,
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL)) != 0) {
> goto cleanup;
> }
> + semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL_BIN));
>
> if (sefcontext_compile(sh,
> semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS)) != 0) {
> goto cleanup;
> }
> + semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS_BIN));
>
> status = 0;
> cleanup:
> @@ -3018,3 +3027,26 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
>
> return 0;
> }
> +
> +/* Make sure the file context and ownership of files in the policy
> + * store does not change */
> +void semanage_setfiles(const char *path){
> + struct stat sb;
> + int fd;
> + /* Fix the user and role portions of the context, ignore errors
> + * since this is not a critical operation */
> + selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);
> +
> + /* Make sure "path" is owned by root */
> + if ((geteuid() != 0 || getegid() != 0) &&
I currently do not understand this condition.
Doesn't it check that we run *not* as root (in which case fchown(2)
will probably fail)?
> + ((fd = open(path, O_RDONLY)) != -1)){
> + /* Skip files with the SUID or SGID bit set -- abuse protection */
> + if ((fstat(fd, &sb) != -1) &&
> + !(S_ISREG(sb.st_mode) &&
> + (sb.st_mode & (S_ISUID | S_ISGID))) &&
> + (fchown(fd, 0, 0) == -1))
> + fprintf(stderr, "Warning! Could not set ownership of %s to root\n", path);
> +
> + close(fd);
> + }
> +}
> diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
> index 1fc77da8..e21dadeb 100644
> --- a/libsemanage/src/semanage_store.h
> +++ b/libsemanage/src/semanage_store.h
> @@ -124,6 +124,7 @@ int semanage_get_cil_paths(semanage_handle_t * sh, semanage_module_info_t *modin
> int semanage_get_active_modules(semanage_handle_t *sh,
> semanage_module_info_t **modinfo, int *num_modules);
>
> +void semanage_setfiles(const char *path);
>
> /* lock file routines */
> int semanage_get_trans_lock(semanage_handle_t * sh);
> --
> 2.43.0
>
>
