On Mon, Jul 29, 2024 at 11:00 AM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> On Mon, 29 Jul 2024 at 13:33, Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
> >
> > Make sure that file context (all parts) and ownership of
> > files/directories in policy store does not change no matter which user
> > and under which context executes policy rebuild.
> >
> > Fixes:
> > # semodule -B
> > # ls -lZ /etc/selinux/targeted/contexts/files
> >
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 14704 Jul 11 09:57 file_contexts.homedirs
> > -rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 20289 Jul 11 09:57 file_contexts.homedirs.bin
> >
> > SELinux user changed from system_u to the user used to execute semodule
> >
> > # capsh --user=testuser --caps="cap_dac_override,cap_chown+eip" --addamb=cap_dac_override,cap_chown -- -c "semodule -B"
> > # ls -lZ /etc/selinux/targeted/contexts/files
> >
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 421397 Jul 19 09:10 file_contexts
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 593470 Jul 19 09:10 file_contexts.bin
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 14704 Jul 19 09:10 file_contexts.homedirs
> > -rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 20289 Jul 19 09:10 file_contexts.homedirs.bin
> >
> > Both file context and ownership changed -- causes remote login
> > failures and other issues in some scenarios.
> >
> > Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>
> > ---
> > Changes in V5:
> > - Check return value of fchown and warn user if it fails
> >
> > Should I start creating github pull requests for each patch to catch this
> > type of issue in the future (so that I don't waste your time)?
> >
> > libsemanage/src/semanage_store.c | 32 ++++++++++++++++++++++++++++++++
> > libsemanage/src/semanage_store.h | 1 +
> > 2 files changed, 33 insertions(+)
> >
> > diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
> > index 27c5d349..0ac2e5b2 100644
> > --- a/libsemanage/src/semanage_store.c
> > +++ b/libsemanage/src/semanage_store.c
> > @@ -36,6 +36,7 @@ typedef struct dbase_policydb dbase_t;
> > #include "database_policydb.h"
> > #include "handle.h"
> >
> > +#include <selinux/restorecon.h>
> > #include <selinux/selinux.h>
> > #include <sepol/policydb.h>
> > #include <sepol/module.h>
> > @@ -767,6 +768,7 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode,
> > if (!retval && rename(tmp, dst) == -1)
> > return -1;
> >
> > + semanage_setfiles(dst);
> > out:
> > errno = errsv;
> > return retval;
> > @@ -819,6 +821,8 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
> > goto cleanup;
> > }
> > umask(mask);
> > +
> > + semanage_setfiles(dst);
> > }
> >
> > for (i = 0; i < len; i++) {
> > @@ -837,6 +841,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
> > goto cleanup;
> > }
> > umask(mask);
> > + semanage_setfiles(path2);
> > } else if (S_ISREG(sb.st_mode) && flag == 1) {
> > mask = umask(0077);
> > if (semanage_copy_file(path, path2, sb.st_mode,
> > @@ -938,6 +943,7 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path)
> >
> > }
> > umask(mask);
> > + semanage_setfiles(path);
> > }
> > else {
> > /* check that it really is a directory */
> > @@ -1614,16 +1620,19 @@ static int semanage_validate_and_compile_fcontexts(semanage_handle_t * sh)
> > semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC)) != 0) {
> > goto cleanup;
> > }
> > + semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_BIN));
> >
> > if (sefcontext_compile(sh,
> > semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL)) != 0) {
> > goto cleanup;
> > }
> > + semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL_BIN));
> >
> > if (sefcontext_compile(sh,
> > semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS)) != 0) {
> > goto cleanup;
> > }
> > + semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS_BIN));
> >
> > status = 0;
> > cleanup:
> > @@ -3018,3 +3027,26 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
> >
> > return 0;
> > }
> > +
> > +/* Make sure the file context and ownership of files in the policy
> > + * store does not change */
> > +void semanage_setfiles(const char *path){
> > + struct stat sb;
> > + int fd;
> > + /* Fix the user and role portions of the context, ignore errors
> > + * since this is not a critical operation */
> > + selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);
> > +
> > + /* Make sure "path" is owned by root */
> > + if ((geteuid() != 0 || getegid() != 0) &&
>
> I currently do not understand this condition.
> Doesn't it check that we run *not* as root (in which case fchown(2)
> will probably fail)?
See the patch description. He is trying to run it with just
capabilities and not as root.
