Bug 1690527

Err, well the reproducer is not acurate ...

You would need to leverage it properly first, like so:

echo '(filecon "/var/spool/mail/%{USERNAME}" file (system_u object_r mail_spool_t ((s0)(s0))))' > mytest.cil && sudo semodule -i mytest.cil
useradd -Z user_u joe
matchpathcon /var/spool/mail/joe
ls -alZ /var/spool/mail/joe

This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

I have a fix for this issue. Would you be willing to test a scratch build?

heck yes! Can I have URL to scratch built?

I am patiently awaiting the URL of the scratch built so that i can test to see whether the patch address the requested functionality

Sorry, when I was on the point of generating the scratch build I got some comments on the pull-request that I created to fix this bug. I'm still trying to figure out how to make the improvements from the comment and keep the fix working as it should. I will come back to you as soon as everything is ready.

The patch from PR looks good, however it would also need to update selinux-policy in order to provide a template file context for /var/spool/mail/USER

I'd expect something like:

--- a/mta.fc
+++ b/mta.fc
@@ -41,4 +41,5 @@ ifdef(`distro_redhat',`
 /var/spool/(client)?mqueue(/.*)?       gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?    gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?          gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail/USER           --      gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/smtpd(/.*)?         gen_context(system_u:object_r:mail_spool_t,s0)

https://koji.fedoraproject.org/koji/taskinfo?taskID=41459946

before

$ matchpathcon /var/spool/mail/user
/var/spool/mail/user    system_u:object_r:mail_spool_t:s0

after

$ matchpathcon /var/spool/mail/user
/var/spool/mail/user    user_u:object_r:mail_spool_t:s0

Looks good. Thanks. I guess i don't have to test it.

selinux-policy does not necessarily have to leverage this functionality though. Without a patch to the policy things should work the way it alway has, and aside from me no one seems to have an issue with it. (also i suppose it should be used for MLS)

i requested this functionality because i enforce separation based on roles in my personal policy and i wanted that to also apply to mail spool files.

This is the scratch-build of shadow-utils with the patch that I created: https://koji.fedoraproject.org/koji/taskinfo?taskID=41469131

Are you sure that https://kojipkgs.fedoraproject.org//work/tasks/9139/41469139/shadow-utils-4.6-17.fc31.x86_64.rpm has the patch? It does not work for me:

```
[root@brutus ~]# rpm -qa | grep shadow-utils
shadow-utils-4.6-17.fc31.x86_64
[root@brutus ~]# useradd joe
Creating mailbox file: Permission denied
[root@brutus ~]# journalctl -rb --grep denied | head -n 1
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:52:12 CET. --
[root@brutus ~]# journalctl -rb --grep denied | head -n 2
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:52:12 CET. --
Feb 12 17:52:12 brutus audit[1336027]: AVC avc:  denied  { create } for  pid=1336027 comm="useradd" name="joe" scontext=wheel.id:sysadm.role:usermanage.useradd.subj:s0 tcontext=wheel.id:sysadm.role:files.generic_var_spool.var_spool_file:s0 tclass=file permissive=0
[root@brutus ~]# semodule -B
libsemanage.add_user: user gdm not in password file
libsemanage.add_user: user gnome-initial-setup not in password file
[root@brutus ~]# matchpathcon /var/spool/mail/joe
/var/spool/mail/joe     unprivuser.id:unprivuser.role:users.mail_spool.var_spool_file:s0
[root@brutus ~]# userdel -r joe
userdel: joe mail spool (/var/spool/mail/joe) not found
[root@brutus ~]# useradd joe
Creating mailbox file: Permission denied
[root@brutus ~]# journalctl -rb --grep denied | head -n 2
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:53:26 CET. --
Feb 12 17:53:26 brutus audit[1336433]: AVC avc:  denied  { create } for  pid=1336433 comm="useradd" name="joe" scontext=wheel.id:sysadm.role:usermanage.useradd.subj:s0 tcontext=wheel.id:sysadm.role:files.generic_var_spool.var_spool_file:s0 tclass=file permissive=0
```

I think so because I have also installed it and tested it and it seems to work. At least I don't get the following message: "Creating mailbox file: Permission denied"

You also need Petr's patch for SELinux to make it work. Have you tried with both packages installed?

I suspect that scratch built does not have the patch. I think I know how to test this, I reported the bug. I can tell that this is not a proper scratch built because the spec is not bumped.

https://kojipkgs.fedoraproject.org//work/tasks/9139/41469139/build.log seems to confirm:

This is the lastest patch and that is not yours:

Patch #41 (shadow-4.6-use-lckpwdf.patch):
+ echo 'Patch #41 (shadow-4.6-use-lckpwdf.patch):'
+ /usr/bin/patch --no-backup-if-mismatch -p1 -b --suffix .use-lckpwdf --fuzz=0
patching file lib/commonio.c
Hunk #1 succeeded at 367 (offset 3 lines).
Hunk #2 succeeded at 418 (offset 3 lines).
Hunk #3 succeeded at 477 (offset 3 lines).
patching file lib/commonio.h
patching file lib/groupio.c
patching file lib/pwio.c
Hunk #1 succeeded at 117 (offset 3 lines).
patching file lib/sgroupio.c
patching file lib/shadowio.c
Hunk #1 succeeded at 116 (offset 2 lines).
patching file lib/subordinateio.c
+ iconv -f ISO88591 -t utf-8 doc/HOWTO
+ cp -f doc/HOWTO.utf8 doc/HOWTO

My bad, I'm sorry for that. I'm trying to fix it but I'm facing other errors while doing the scratch build, which unfortunately I won't be able to fix until Monday.

The problem is that Fedora ships shadow-4.8-selinux.patch which changes set_selinux_file_context () api:

useradd.c:2154:7: error: too few arguments to function 'set_selinux_file_context'
 2154 |   if (set_selinux_file_context (file) != 0) {
      |       ^~~~~~~~~~~~~~~~~~~~~~~~
In file included from useradd.c:64:
../lib/prototypes.h:346:12: note: declared here
  346 | extern int set_selinux_file_context (const char *dst_name, const char *orig_name);

Finally, I have been able to compile the package in Koji. So if you want to test it please feel free to do it: https://koji.fedoraproject.org/koji/taskinfo?taskID=41542191

Works! Thanks very much!

[root@brutus ~]# useradd joe
[root@brutus ~]# ls -alZ /var/spool/mail/joe
-rw-rw----. 1 joe mail unprivuser.id:unprivuser.role:users.mail_spool.var_spool_file:s0 0 Feb 17 12:44 /var/spool/mail/joe
[root@brutus ~]#

FEDORA-2020-51f31e0c19 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-51f31e0c19

FEDORA-2020-b257bf174c has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b257bf174c

shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b257bf174c

shadow-utils-4.6-17.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-51f31e0c19

shadow-utils-4.6-17.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.