Bug 1871786

Summary: Creating a user mapped explicitly with home directory in /tmp breaks the system
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: libsemanage
Assignee: Vit Mojzis <vmojzis>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: medium
Version: 8.2
CC: dwalsh, lvrabec, mmalik, omosnace, plautrba, ssekidde, vmojzis
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Fixed In Version: libsemanage-2.9-5.el8
Doc Type: Enhancement
Doc Text:
Feature: Stop generating home directory context definitions for all sub-directories of "/".
Reason: Home directory file context definitions have higher priority than other file context definitions and effectively override them. SELinux automatically generates home directory file contexts for all login mappings. This may cause file contexts to be redefined in directories that are set as user homes (for users with SELinux login mapping). Redefining SELinux contexts of root sub-directories may lead to issues with core system functionality.
Result: SELinux will by default not generate file context definitions for home directories of users that have their home directory set to one of the following directories: /root, /bin, /boot, /dev, /etc, /lib, /lib64, /proc, /run, /sbin, /sys, /tmp, /usr, /var
Note: This feature was introduced via a change in the /etc/selinux/semanage.conf file and may not be applied automatically on systems where the file has been customised (please check the semanage.conf.rpmnew file if this is the case).
Story Points: ---
Last Closed: 2021-05-18 15:05:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1894575

Description Renaud Métrich 2020-08-24 10:12:43 UTC
This bug was initially created as a copy of Bug #1871784

I am copying this bug because: 

Also applies to RHEL8 (libsemanage-2.9-2.el8.x86_64)

Description of problem:

Creating a user mapped explicitly with home directory being /tmp breaks the context of /tmp:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# useradd -Z unconfined_u -d /tmp test

# matchpathcon /tmp
/tmp	unconfined_u:object_r:user_home_dir_t:s0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens even though the default "usepasswd=False" is used in /etc/selinux/semanage.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# usepasswd check tells semanage to scan all pass word records for home directories
# and setup the labeling correctly.  If this is turned off, SELinux will label /home 
# correctly only.  You will need to use semanage fcontext command.  
# For example, if you had home dirs in /althome directory you would have to execute
# semanage fcontext -a -e /home /althome
usepasswd=False
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

With "usepasswd=False", from the comment in the file, the tools are not supposed to change anything that is outside "/home".


Version-Release number of selected component (if applicable):

libsemanage-2.5-14.el7.x86_64


How reproducible:

Always, see above.

Additional info:

This issue is critical when updating Red Hat software such as RHVH: internally RHVH update procedure uses temporary mounts in /tmp/XXX that get all their files relabeled with "user_home_dir_t" due to this bug.

A workaround is to amend "ignoredirs" to specify "/tmp" as well:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ignoredirs=/root;/tmp
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 2 Petr Lautrbach 2020-10-07 08:10:38 UTC
We'll investigate the problem with using usepasswd=False and /tmp. If it's confirmed as a bug, we'll try to fix it, otherwise we'll probably update the default semanage.conf to use ignoredirs=/root;/tmp as a simple fix.

Comment 12 Petr Lautrbach 2020-12-17 10:19:46 UTC
The behaviour described in #c0 is actually correct.

# useradd -Z unconfined_u -d /tmp test

This command creates a SELinux user mapping for *test* user to unconfined_u as you can see in `semanage login` output:

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
test                 unconfined_u         s0-s0:c0.c1023       *

`genhomedircon` uses these mappings to generate user-related file contexts based on templates. Therefore a new fc for '/tmp' is created:

# matchpathcon /tmp
/tmp    unconfined_u:object_r:user_home_dir_t:s0


If you remove the SELinux mapping for *test*, this user is ignored as /etc/passwd is ignored:

# semanage login -d test

# matchpathcon /tmp
/tmp    system_u:object_r:tmp_t:s0

Comment 16 Petr Lautrbach 2020-12-18 13:17:04 UTC
I'm going to revert the original patch and *semanage.conf* will be updated to use 

ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var

Also the comment in *semanage.conf* related to *usepasswd* is not correct and needs to be fixed:

Original sentence:

# If this is turned off, SELinux will label /home correctly only.

New sentence:

# If this is turned off, SELinux will label /home and home directories of users with SELinux login mappings defined as in `semanage login -l`.
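The following audit script is an added example, not part of the bug report or of libsemanage. It approximates the behaviour described in comments 12 and 16 (a user with a SELinux login mapping gets home directory contexts generated unless the home directory is listed in `ignoredirs`) and flags mappings whose home directory is a direct child of "/" and not ignored; the passwd lines and both semanage.conf fragments are constructed sample data.

```python
"""Flag SELinux-login-mapped users whose home directory is a root
sub-directory not covered by the semanage.conf "ignoredirs" key.

Added example (not the bug report's or libsemanage's code). It is a
simplified model of genhomedircon, not its actual algorithm.
"""
import posixpath

# Constructed: ignoredirs as shipped before the fix (see comment 0).
SEMANAGE_CONF_OLD = "usepasswd=False\nignoredirs=/root\n"
# Constructed: ignoredirs as proposed in comment 16.
SEMANAGE_CONF_NEW = ("usepasswd=False\nignoredirs=/root;/bin;/boot;/dev;/etc;"
                     "/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var\n")

# Constructed: `getent passwd`-style lines for the users that have an
# explicit login mapping in `semanage login -l` (__default__ has none).
LOGIN_MAPPED_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "test:x:1001:1001::/tmp:/bin/bash",
    "alice:x:1002:1002::/home/alice:/bin/bash",
]


def parse_ignoredirs(conf_text):
    """Return the set of paths listed in the ignoredirs= key."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("ignoredirs="):
            return {d for d in line.split("=", 1)[1].split(";") if d}
    return set()


def risky_home_mappings(passwd_lines, conf_text):
    """Return (user, home) pairs whose home is a direct child of "/"
    and not in ignoredirs: genhomedircon would emit user_home_dir_t
    for that path, overriding its normal context (tmp_t for /tmp)."""
    ignored = parse_ignoredirs(conf_text)
    risky = []
    for entry in passwd_lines:
        fields = entry.split(":")
        user, home = fields[0], posixpath.normpath(fields[5])
        if posixpath.dirname(home) == "/" and home not in ignored:
            risky.append((user, home))
    return risky


if __name__ == "__main__":
    for label, conf in (("old", SEMANAGE_CONF_OLD), ("new", SEMANAGE_CONF_NEW)):
        print(label, risky_home_mappings(LOGIN_MAPPED_PASSWD, conf))
```

On a live system the passwd lines would come from `getent passwd` for the users listed by `semanage login -l`, and the configuration from /etc/selinux/semanage.conf.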

Comment 29 errata-xmlrpc 2021-05-18 15:05:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libsemanage bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1672