Bug 1406439
| Summary: | the /sbin symlink is not labelled in the targeted policy | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | (GalaxyMaster) <gm.outside+redhat> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-124.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-08-01 15:20:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
(GalaxyMaster)
2016-12-20 14:18:18 UTC
I looked into that a bit further and the following does not look right: === # rpm -qf /etc/selinux/targeted/contexts/files/file_contexts.homedirsselinux-policy-targeted-3.13.1-102.el7_3.7.noarch # grep -A5 -E 'for user (halt|shutdown)' /etc/selinux/targeted/contexts/files/file_contexts.homedirs # Home Context for user halt # /sbin/.+ root:object_r:user_home_t:s0 /sbin/.maildir(/.*)? root:object_r:mail_home_rw_t:s0 /sbin/.*/plugins/nppdf\.so.* -- root:object_r:textrel_shlib_t:s0 -- # Home Context for user shutdown # /sbin/.+ root:object_r:user_home_t:s0 /sbin/.maildir(/.*)? root:object_r:mail_home_rw_t:s0 /sbin/.*/plugins/nppdf\.so.* -- root:object_r:textrel_shlib_t:s0 # grep -E '(halt|shutdown)' /etc/passwd shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt # === It seems that the parts for home contexts were generated by a script that was looking up the home directories in /etc/passwd and using that as the base directory for the context. When it comes to security, such an approach is questionable and at least should be double-checked by a human being -- otherwise we are risking to get too many surprises in the system wide policies. Is it possible that genhomedircon caused it?
DESCRIPTION
genhomedircon is a script that executes semodule to rebuild the cur‐
rently active SELinux policy (without reloading it) and to create the
labels for each user home directory based on directory paths returned
by calls to getpwent().
Reproducible on clean RHEL-7.3 machine: # semanage export boolean -D login -D interface -D user -D port -D node -D fcontext -D module -D # matchpathcon /sbin/ /sbin system_u:object_r:bin_t:s0 # genhomedircon # matchpathcon /sbin/ /sbin system_u:object_r:bin_t:s0 # semanage import login -a -s root -r 's0-s0:c0.c1023' %root login -a -s user_u -r 's0' __default__ login -a -s user_u -r 's0' root # matchpathcon /sbin/ /sbin root:object_r:user_home_dir_t:s0 # grep -A5 -E 'for user (halt|shutdown)' /etc/selinux/targeted/contexts/files/file_contexts.homedirs # Home Context for user halt # /sbin/.+ root:object_r:user_home_t:s0 /sbin/.maildir(/.*)? root:object_r:mail_home_rw_t:s0 /sbin/.*/plugins/nppdf\.so.* -- root:object_r:textrel_shlib_t:s0 -- # Home Context for user shutdown # /sbin/.+ root:object_r:user_home_t:s0 /sbin/.maildir(/.*)? root:object_r:mail_home_rw_t:s0 /sbin/.*/plugins/nppdf\.so.* -- root:object_r:textrel_shlib_t:s0 Forgotten line which should have been part of comment#4 too: # restorecon -v /sbin restorecon reset /sbin context system_u:object_r:bin_t:s0->system_u:object_r:user_home_dir_t:s0 # Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1861 |