Bug 1690527

Summary: useradd: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()

| Field | Value | Field | Value |
|---|---|---|---|
| Product | Fedora | Reporter | dac.override |
| Component | shadow-utils | Assignee | Iker Pedrosa <ipedrosa> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 31 | CC | ipedrosa, lvrabec, plautrba, pvrabec, tmraz, zpytela |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | shadow-utils-4.6-17.fc31, shadow-utils-4.6-9.fc30 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1801846 (view as bug list) | Environment | |
| Last Closed | 2020-03-04 21:31:07 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1801846 | | |
Description
dac.override
2019-03-19 16:04:50 UTC

Err, well the reproducer is not accurate ... You would need to leverage it properly first, like so:

```
echo '(filecon "/var/spool/mail/%{USERNAME}" file (system_u object_r mail_spool_t ((s0)(s0))))' > mytest.cil && sudo semodule -i mytest.cil
useradd -Z user_u joe
matchpathcon /var/spool/mail/joe
ls -alZ /var/spool/mail/joe
```

This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.

This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to 31.

I have a fix for this issue. Would you be willing to test a scratch build?

heck yes! Can I have the URL to the scratch build?

I am patiently awaiting the URL of the scratch build so that I can test whether the patch addresses the requested functionality.

Sorry, when I was on the point of generating the scratch build I got some comments on the pull-request that I created to fix this bug. I'm still trying to figure out how to make the improvements from the comment and keep the fix working as it should. I will come back to you as soon as everything is ready.

The patch from the PR looks good, however it would also need to update selinux-policy in order to provide a template file context for /var/spool/mail/USER. I'd expect something like:

```diff
--- a/mta.fc
+++ b/mta.fc
@@ -41,4 +41,5 @@ ifdef(`distro_redhat',`
 /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail/USER -- gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/smtpd(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
```

https://koji.fedoraproject.org/koji/taskinfo?taskID=41459946

before

```
$ matchpathcon /var/spool/mail/user
/var/spool/mail/user	system_u:object_r:mail_spool_t:s0
```

after

```
$ matchpathcon /var/spool/mail/user
/var/spool/mail/user	user_u:object_r:mail_spool_t:s0
```

Looks good. Thanks. I guess I don't have to test it.

selinux-policy does not necessarily have to leverage this functionality though. Without a patch to the policy things should work the way they always have, and aside from me no one seems to have an issue with it. (Also I suppose it should be used for MLS.) I requested this functionality because I enforce separation based on roles in my personal policy and I wanted that to also apply to mail spool files.

This is the scratch build of shadow-utils with the patch that I created: https://koji.fedoraproject.org/koji/taskinfo?taskID=41469131

Are you sure that https://kojipkgs.fedoraproject.org//work/tasks/9139/41469139/shadow-utils-4.6-17.fc31.x86_64.rpm has the patch? It does not work for me:

```
[root@brutus ~]# rpm -qa | grep shadow-utils
shadow-utils-4.6-17.fc31.x86_64
[root@brutus ~]# useradd joe
Creating mailbox file: Permission denied
[root@brutus ~]# journalctl -rb --grep denied | head -n 1
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:52:12 CET. --
[root@brutus ~]# journalctl -rb --grep denied | head -n 2
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:52:12 CET. --
```
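Review bot: the added `/var/spool/mail/USER -- gen_context(system_u:object_r:mail_spool_t,s0)` line keeps the same `mail_spool_t` type as the `/var/spool/mail(/.*)?` entry above it, so the whole point of the hunk is the `USER` template: the per-user file-context generation expands it with the login's SELinux user, which is exactly what the before/after `matchpathcon` output for `/var/spool/mail/user` shows (`system_u` becomes `user_u`). Worth stating in the commit message that this only labels the mailbox at creation time once useradd itself calls `set_selinux_file_context()` in `create_mail()`: the AVC denial pasted further down, taken with a shadow-utils build that turned out not to carry that patch, shows the other outcome, useradd refused `create` on a `var_spool_file` in the parent directory's generic context. The `--` qualifier limiting the entry to regular files is appropriate, since the mailbox is a plain file, and the literal path wins over the surrounding regex entries on specificity regardless of where in the file it sits.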
```
Feb 12 17:52:12 brutus audit[1336027]: AVC avc: denied { create } for pid=1336027 comm="useradd" name="joe" scontext=wheel.id:sysadm.role:usermanage.useradd.subj:s0 tcontext=wheel.id:sysadm.role:files.generic_var_spool.var_spool_file:s0 tclass=file permissive=0
[root@brutus ~]# semodule -B
libsemanage.add_user: user gdm not in password file
libsemanage.add_user: user gnome-initial-setup not in password file
[root@brutus ~]# matchpathcon /var/spool/mail/joe
/var/spool/mail/joe	unprivuser.id:unprivuser.role:users.mail_spool.var_spool_file:s0
[root@brutus ~]# userdel -r joe
userdel: joe mail spool (/var/spool/mail/joe) not found
[root@brutus ~]# useradd joe
Creating mailbox file: Permission denied
[root@brutus ~]# journalctl -rb --grep denied | head -n 2
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:53:26 CET. --
Feb 12 17:53:26 brutus audit[1336433]: AVC avc: denied { create } for pid=1336433 comm="useradd" name="joe" scontext=wheel.id:sysadm.role:usermanage.useradd.subj:s0 tcontext=wheel.id:sysadm.role:files.generic_var_spool.var_spool_file:s0 tclass=file permissive=0
```

I think so because I have also installed it and tested it and it seems to work. At least I don't get the following message: "Creating mailbox file: Permission denied". You also need Petr's patch for SELinux to make it work. Have you tried with both packages installed?

I suspect that scratch build does not have the patch. I think I know how to test this, I reported the bug. I can tell that this is not a proper scratch build because the spec is not bumped. https://kojipkgs.fedoraproject.org//work/tasks/9139/41469139/build.log seems to confirm it. This is the latest patch and that is not yours:

```
Patch #41 (shadow-4.6-use-lckpwdf.patch):
+ echo 'Patch #41 (shadow-4.6-use-lckpwdf.patch):'
+ /usr/bin/patch --no-backup-if-mismatch -p1 -b --suffix .use-lckpwdf --fuzz=0
patching file lib/commonio.c
Hunk #1 succeeded at 367 (offset 3 lines).
Hunk #2 succeeded at 418 (offset 3 lines).
Hunk #3 succeeded at 477 (offset 3 lines).
patching file lib/commonio.h
patching file lib/groupio.c
patching file lib/pwio.c
Hunk #1 succeeded at 117 (offset 3 lines).
patching file lib/sgroupio.c
patching file lib/shadowio.c
Hunk #1 succeeded at 116 (offset 2 lines).
patching file lib/subordinateio.c
+ iconv -f ISO88591 -t utf-8 doc/HOWTO
+ cp -f doc/HOWTO.utf8 doc/HOWTO
```

My bad, I'm sorry for that. I'm trying to fix it but I'm facing other errors while doing the scratch build, which unfortunately I won't be able to fix until Monday.

The problem is that Fedora ships shadow-4.8-selinux.patch which changes the set_selinux_file_context () API:

```
useradd.c:2154:7: error: too few arguments to function 'set_selinux_file_context'
 2154 |   if (set_selinux_file_context (file) != 0) {
      |       ^~~~~~~~~~~~~~~~~~~~~~~~
In file included from useradd.c:64:
../lib/prototypes.h:346:12: note: declared here
  346 | extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
```

Finally, I have been able to compile the package in Koji. So if you want to test it please feel free to do it: https://koji.fedoraproject.org/koji/taskinfo?taskID=41542191

Works! Thanks very much!

```
[root@brutus ~]# useradd joe
[root@brutus ~]# ls -alZ /var/spool/mail/joe
-rw-rw----. 1 joe mail unprivuser.id:unprivuser.role:users.mail_spool.var_spool_file:s0 0 Feb 17 12:44 /var/spool/mail/joe
[root@brutus ~]#
```

FEDORA-2020-51f31e0c19 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-51f31e0c19

FEDORA-2020-b257bf174c has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b257bf174c

shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b257bf174c

shadow-utils-4.6-17.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-51f31e0c19

shadow-utils-4.6-17.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
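An added check, not code from the bug report or from shadow-utils: it parses journal AVC denials like the one pasted above to flag useradd being refused `create` on a file (the symptom before the fix), and compares the context `matchpathcon` reports for a mailbox with the one `ls -Z` shows after the user is created. The journal lines are constructed samples modelled on the report.

```python
import re

# Constructed sample journal lines, modelled on the AVC denial pasted in this bug
# (contexts follow the reporter's custom policy; the other two lines are filler).
SAMPLE_JOURNAL = """\
Feb 12 17:52:12 brutus audit[1336027]: AVC avc:  denied  { create } for  pid=1336027 comm="useradd" name="joe" scontext=wheel.id:sysadm.role:usermanage.useradd.subj:s0 tcontext=wheel.id:sysadm.role:files.generic_var_spool.var_spool_file:s0 tclass=file permissive=0
Feb 12 17:52:30 brutus audit[1336100]: AVC avc:  denied  { read } for  pid=1336100 comm="cat" name="shadow" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
Feb 12 17:53:00 brutus systemd[1]: Started Session 12 of user root.
"""

# Fields of an AVC denial as the kernel audit subsystem prints it through journald.
AVC_RE = re.compile(
    r'AVC avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]+)"'
    r'(?:\s+name="(?P<name>[^"]*)")?\s+scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])')

def split_context(ctx):
    """Split user:role:type[:range]; an MLS range may itself contain ':', so split at most 3 times."""
    parts = ctx.split(":", 3)
    if len(parts) == 3:          # no range component (policy without MLS/MCS)
        parts.append("")
    return dict(zip(("user", "role", "type", "range"), parts))

def parse_avc(line):
    """Return the denial's fields as a dict, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["target"] = split_context(rec["tcontext"])
    return rec

def useradd_create_denials(journal_text):
    """Denials where useradd was refused creating a file: before the fix the mailbox gets the
    parent directory's default type rather than the mail spool label, and a policy that
    separates the two types refuses the create."""
    hits = []
    for line in journal_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["comm"] == "useradd" and rec["tclass"] == "file" and "create" in rec["perms"]:
            hits.append(rec)
    return hits

def context_mismatch(expected, observed):
    """Compare the context matchpathcon reports for /var/spool/mail/<user> with the one ls -Z
    shows on the created mailbox. Returns the differing fields; [] means the label was
    applied through set_selinux_file_context() as intended."""
    e, o = split_context(expected), split_context(observed)
    return [k for k in ("user", "role", "type", "range") if e[k] != o[k]]
```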