Bug 2224251

Summary: User's temporary files are not labeled correctly
Product: Red Hat Enterprise Linux 8 Reporter: Renaud Métrich <rmetrich>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: 8.8CC: lvrabec, mmalik, nknazeko
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-09 12:59:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2023-07-20 09:32:26 UTC 
Description of problem:

There is the following context in the database:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/home/[^/]+/tmp                                    directory          unconfined_u:object_r:user_tmp_t:s0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This makes all files created under the user's "tmp/" directory be labeled appropriately with "user_tmp_t".
But executing restorecon wants to relabel the files back to "user_home_t", which is probably not appropriate:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# restorecon -Frvn /home/admin/tmp
Would relabel /home/admin/tmp/foo from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Same issue happens for other similar locations:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/home/[^/]+/\.tmp                                  directory          unconfined_u:object_r:user_tmp_t:s0 
/home/[^/]+/tmp                                    directory          unconfined_u:object_r:user_tmp_t:s0 
/home/staff/\.tmp                                  directory          staff_u:object_r:user_tmp_t:s0 
/home/staff/tmp                                    directory          staff_u:object_r:user_tmp_t:s0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-117.el8_8.2.noarch

How reproducible:

Always

Steps to Reproduce:
1. Create a user and create temporary files

  # useradd admin
  # sudo -u admin -i
  $ mkdir tmp
  $ touch tmp/foo

2. Check labels

  # ls -Zd1 /home/admin/tmp /home/admin/tmp/foo
  unconfined_u:object_r:user_tmp_t:s0 /home/admin/tmp
  unconfined_u:object_r:user_tmp_t:s0 /home/admin/tmp/foo

3. Execute restorecon

  # restorecon -Frnv /home/admin/tmp

Actual results:

Would relabel /home/admin/tmp/foo from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0

Expected results:

No relabeling
Comment 1 Zdenek Pytela 2023-08-01 16:50:45 UTC 
I think it is correct the user_tmp_t type is not assigned to /home/login/tmp/file, but using <<none>> is an option.