Bug 825221
| Summary: | restorecon disregards custom rules for sym links | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Marko Myllynen <myllynen> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | dwalsh, jkalliya, ksrot, mgrepl, mmalik |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-160.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 08:35:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Marko Myllynen
2012-05-25 11:45:53 UTC
Maybe restorecon ignores symlinks completely.
# man restorecon | col -b | grep -A 2 NOTE
NOTE
restorecon does not follow symbolic links.
#
We just fixed this in F17.

This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.

This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development. This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

---Problem Description---
restorecon ignores symbolic link rules.

---uname output---
Linux horn.stglabs.ibm.com 2.6.32-279.1.1.el6.ppc64 #1 SMP Wed Jun 20 11:42:00 EDT 2012 ppc64 ppc64 ppc64 GNU/Linux

Machine Type = Power 7

---Debugger---
A debugger is not configured

---Steps to Reproduce---
[root@f0523p3 ?]# ls -lZ /etc/localtime
-rw-r--r--. root root system_u:object_r:locale_t:s0 /etc/localtime
[root@f0523p3 ?]# mkdir /opt/etc
[root@f0523p3 ?]# ln -fs /etc/localtime /opt/etc/localtime
[root@f0523p3 ?]# ls -lZ /opt/etc/localtime
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0 /opt/etc/localtime -> /etc/localtime
[root@f0523p3 ?]# semanage fcontext -a -f -l -t locale_t /opt/etc/localtime
[root@f0523p3 ?]# restorecon /opt/etc/localtime
[root@f0523p3 ?]# ls -lZ /opt/etc/localtime
lrwxrwxrwx. root root unconfined_u:object_r:usr_t:s0 /opt/etc/localtime -> /etc/localtime

Contact Information = gcwilson.com, kjerick.com

rpm -qa | grep -i selinux output:
libselinux-2.0.94-5.3.el6.ppc64
libselinux-utils-2.0.94-5.3.el6.ppc64
libselinux-devel-2.0.94-5.3.el6.ppc
libselinux-python-2.0.94-5.3.el6.ppc64
libselinux-2.0.94-5.3.el6.ppc
selinux-policy-3.7.19-155.el6_3.noarch
selinux-policy-targeted-3.7.19-155.el6_3.noarch
libselinux-devel-2.0.94-5.3.el6.ppc64

Userspace tool common name: restorecon

getsebool output:
The userspace tool has the following bit modes: 64-bit

/etc/selinux/config output:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Userspace rpm: policycoreutils-2.0.83-19.24.el6.ppc64

Userspace tool obtained from project website: na

*Additional Instructions for gcwilson.com, kjerick.com:
-Attach ltrace and strace of userspace application.
-Attach contents of /var/log/audit/audit.log

Hi Dan,

Is there any way this fix can be put into the service stream? Changed priority from block to high on our side since there's a workaround.

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.

That too doesn't change the context :-
# restorecon -R -v /test/symlinked
# ls -Z /test/symlinked/file1
-rw-r--r--. root root unconfined_u:object_r:default_t:s0 /test/symlinked/file1

restorecon is doing a realpath on the file, so it is translating the file via realpath. We are doing this so that a symbolic link attack will not cause the file to get mislabeled.

strace restorecon /test/symlinked/file 2>&1 | grep /test
execve("/sbin/restorecon", ["restorecon", "/test/symlinked/file"], [/* 23 vars */]) = 0
lstat("/test/symlinked/file", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat("/test", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/test/symlinked", {st_mode=S_IFLNK|0777, st_size=14, ...}) = 0
readlink("/test/symlinked", "/test/original", 4095) = 14
lstat("/test", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/test/original", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/test/original/file", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat("/test/original/file", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lgetxattr("/test/original/file", "security.selinux", "staff_u:object_r:default_t:s0", 255) = 30
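The path handling described in the comment above, as an added Python illustration that is not code from the bug report, from libselinux or from restorecon: directory components are canonicalised, the final component is not, and a file-context rule applies only when both the canonical path and the ls-style file type given to semanage fcontext -f match. The function names, the matching logic and the temporary directory tree are assumptions of the example; it covers both the /test/symlinked/file case traced above and the /opt/etc/localtime case from the steps to reproduce.

```python
import os
import stat
import tempfile

# Constructed demo tree (not from the report): /test/original/file,
# /test/symlinked -> /test/original and /opt/etc/localtime -> /etc/localtime.
def build_tree(root):
    os.makedirs(os.path.join(root, "test", "original"))
    open(os.path.join(root, "test", "original", "file"), "w").close()
    os.symlink(os.path.join(root, "test", "original"),
               os.path.join(root, "test", "symlinked"))
    os.makedirs(os.path.join(root, "etc"))
    open(os.path.join(root, "etc", "localtime"), "w").close()
    os.makedirs(os.path.join(root, "opt", "etc"))
    os.symlink(os.path.join(root, "etc", "localtime"),
               os.path.join(root, "opt", "etc", "localtime"))

def canon_not_final(path):
    """Canonicalise the directory part with realpath but leave the final
    component alone: a symlinked directory cannot redirect a label, while a
    symlink that is itself the object still matches a rule written for it."""
    head, tail = os.path.split(path)
    return os.path.join(os.path.realpath(head), tail)

def lstat_type(path):
    """ls-style type as 'semanage fcontext -f' takes it on RHEL 6: '--' file, '-l' symlink, '-d' dir."""
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return "-l"
    if stat.S_ISDIR(mode):
        return "-d"
    return "--"

def match_context(specs, path):
    """SELinux type a file-context rule assigns to path, or default_t.
    specs: (rule path, rule file type or None for any, type) tuples, in the
    spirit of the entries semanage fcontext writes to file_contexts.local."""
    canon = canon_not_final(path)
    ftype = lstat_type(canon)
    for spec_path, spec_type, ctx in specs:
        if spec_path == canon and spec_type in (None, ftype):
            return ctx
    return "default_t"

if __name__ == "__main__":
    root = os.path.realpath(tempfile.mkdtemp())
    build_tree(root)
    link = os.path.join(root, "opt", "etc", "localtime")
    print(match_context([(link, "-l", "locale_t")], link))  # locale_t
```

A rule written for /test/symlinked/file therefore never matches anything, and a rule for /opt/etc/localtime matches only when it carries the symlink file type.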
Just tested this on RHEL6.3 and Fedora 17.

On RHEL6 restorecon doesn't restore the context of the symlink (when symlink is the actual item). On Fedora 17 the context is restored. I believe this is the problem mentioned in #c6.

Dan, could you please confirm that this is what is going to be fixed? Thank you.

(In reply to comment #17)
> Just tested this on RHEL6.3 and Fedora 17.
>
> On RHEL6 restorecon doesn't restore the context of the symlink (when symlink
> is the actual item). On Fedora 17 the context is restored. I believe this is
> the problem mentioned in #c6.
>
> Dan, could you please confirm that this is what is going to be fixed?
> Thank you.

Karel, how did you get this working on Fedora17?

It works as Dan wrote in comment #17.

Another test
# ls -lZ /usr/lib/satelite
lrwxrwxrwx. root root unconfined_u:object_r:lib_t:SystemLow /usr/lib/satelite -> /usr/share/man/man8/httpd_selinux.8.gz
# semanage fcontext -a -f -l -t httpd_sys_content_t /usr/lib/satelite
# matchpathcon /usr/lib/satelite
/usr/lib/satelite system_u:object_r:httpd_sys_content_t:SystemLow
# restorecon -v /usr/lib/satelite
restorecon reset /usr/lib/satelite context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0

Ok, we discovered a bug in the policy. We do not have the following rule on RHEL6
allow setfiles_t file_type : lnk_file { read getattr relabelfrom relabelto } ;
We have just
allow setfiles_t file_type : lnk_file { getattr relabelfrom relabelto } ;
So I am switching this bug to the selinux-policy component.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html