Bug 1011843

Summary: RFE: restorecon secure mode
Product: [Fedora] Fedora Reporter: James Patterson <jamespatterson>
Component: policycoreutilsAssignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-14 13:11:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description James Patterson 2013-09-25 08:47:55 UTC 
Description of problem:
selinux policies get updated. I want to apply those new labels to files and directories which, but I don't want to assign a good label to a malicious file.

A longer explanation:

Let's say I have a filesytem which an attacker has managed to place a malicious file on.

Let's also say that a new selinux policy has been released, and I want to update to it.

If I install that new selinux-policy, there will be some new labels for files, some deprecated labels, and so on. Like this one:

restorecon reset /usr/bin/package-cleanup context system_u:object_r:bin_t:s0->system_u:object_r:rpm_exec_t:s0

I need a way of telling restorecon to make those changes that are as a result of a change in the selinux policy, but without accidentally giving a good label to a malicious file.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2013-09-25 14:46:34 UTC 
Do you want to have a type like untrusted_t, which you can give to a file or directory, and then have restorecon ignore it?

If you added that type to  /etc/selinux/targeted/contexts/customizable_types, you would get mostly what you want.

create a policy untrusted.te

policy_module(untrusted,1.0)
type untrusted_file_t;
files_type(untrusted_file_t)


Now compile the code

# make -f /usr/share/selinux/devel/Makefile untrusted.pp
# semodule -i untrusted.pp

echo untrusted_t >>  /etc/selinux/targeted/contexts/customizable_types

# touch /etc/badfile
# chcon -t untrusted_t /etc/badfile
# restorecon -v /etc/badfile
# ls -Z /etc/badfile

Should work.

restorecon -F /etc/badfile

Will still change the label.
Comment 2 James Patterson 2013-09-29 20:43:38 UTC 
No, I'd like to be able to run restorecon to update old labels to new ones, but without accidentally giving files with the wrong label the correct one.
Comment 3 Daniel Walsh 2013-09-30 12:47:38 UTC 
James how would restorecon no the difference unless a administrator told them?
Comment 4 James Patterson 2013-09-30 14:57:38 UTC 
Because the policy would tell them.

Say you have /opt/blah with label t_stuff and you update the policy to give files under that directory the new label t_blah.

What would be good is if all the files under /opt/blah with the old t_stuff label got the new more-specific t_blah label - but without other files under /opt/blah accidentally getting the new label.
Comment 5 Daniel Walsh 2013-09-30 15:14:54 UTC 
Well that is what is supposed to happen, but based on regular expressions.

The way we tell restorecon about labels is based on regular expressions, so we can change the labels on /opt/blah/.secret to one label versus the default label for all content under '/opt/blah(/.*)?'
Comment 6 James Patterson 2013-09-30 19:54:42 UTC 
Really? So in this scenario, what will happen?

/opt/blah/one  stuff_t
/opt/blah/evil httpd_sys_content_t

New policy comes along, everything under /opt/blah(/.*)? should now be blah_t.

restorecon -R /opt/blah

What I expect to happen:

/opt/blah/one  blah_t
/opt/blah/evil blah_t

What I hope would happen:

/opt/blah/one  blah_t
/opt/blah/evil httpd_sys_content_t
Comment 7 Daniel Walsh 2013-10-04 19:12:34 UTC 
Not sure how that could happen.  Perhaps we should talk in IRC.
Comment 8 Fedora End Of Life 2015-01-09 19:58:27 UTC 
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.