Bug 359531

Summary: corrupting file context database
Product: [Fedora] Fedora Reporter: Hynek Černoch <hynek>
Component: policycoreutilsAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 7   
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-21 15:42:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Hynek Černoch 2007-10-31 02:41:53 UTC 
File context database became corrupted after an mistaken semanage fcontext..
command containing \n character. Afterwards it is not possible to execute any
semanage fcontext.. command, neither to delete it nor to list.

policycoreutils-2.0.16-11.fc7

Steps to Reproduce:
  semanage fcontext -a -t samba_share_t       '/samba
  semanage fcontext -a -t public_content_rw_t '/samba/www
(Some ending apostrophes forgotten, when two commands were pasted from editor to
commandline.)

It is also possible to corrupt the users* database by "semanage user.." and
probably others.

Please forbid the passing of line feed to parameters of libsemanage library
manipulating autogenerated data files (file_contexts  file_contexts.local)

How can I repair the binary policy, which still contains bad strings?
Comment 1 Daniel Walsh 2007-10-31 10:42:51 UTC 
You can remove the lines by editing

vi /etc/selinux/targeted/modules/active/file_contexts.local
semodule -B


Should fix the problem.  I will look into preventing \n in input.
Comment 2 Daniel Walsh 2007-10-31 11:28:19 UTC 
policycoreutils-2.0.16-14.fc7
Comment 3 Hynek Černoch 2007-10-31 12:47:52 UTC 
1) you wrote: "You can remove the lines by editing.."
It was necessary to edit also 
/etc/selinux/targeted/modules/active/file_contexts.local

2)
Yes. In usernames, interfaces, transitions etc _except filenames_ should
definitely be prevented.
It may be better to transparently escape \n by \\n by libsemodule in filenames
to keep the possibility to create context patterns for all filenames the kernel
can handle. It is not good to pass more possibilities to hackers than to
administrators.

- I have an idea for a new security feature by selinux: -
It would be useful for additional security of many applications, especially
httpd scripts and email clients the capability of selinux to optionally forbid
creating of filenames with \n.

Please keep the possibility to write some experimental filecontext and modules:
eg:
  semodule fcontext -a -t insecure_name_t '.*
    .*'
libsemodule => file_contexts:
.*\n.*      system_u:object_r:insecure_name_t:s0

newmodule => something.te
...
   disallow ... insecure_name_t:file create;