Bug 972977

Summary: SELinux context on polyinstantiated directories is incorrect
Product: OpenShift Online
Reporter: Rob Millner <rmillner>
Component: Containers
Assignee: Rob Millner <rmillner>
Status: CLOSED CURRENTRELEASE
QA Contact: libra bugs <libra-bugs>
Severity: high
Priority: high
Version: 2.x
CC: bmeng, mfisher, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-06-24 14:52:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Rob Millner 2013-06-11 00:42:03 UTC
Description of problem:
The SELinux context on polyinstantiated directories (/tmp, /dev/shm) is incorrect on devenv.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create an app
2. ssh into the app
3. ls -ladZ /tmp

Actual results:
Something like:
drwxrwxrwt. 778471974781982305419264 root system_u:object_r:tmp_t:s0       /tmp

Expected results:
Something like:
drwxrwxrwt. 519a5c005004466c41000085 root system_u:object_r:openshift_tmp_t:s0:c5,c751 /tmp

Additional info:

It appears to be correct on prod, and there are other indicators that polydir is working but the init script appears to be failing.

Comment 1 Rob Millner 2013-06-11 00:59:15 UTC
This bug may exist in prod.  At least one problem was observed with the use of all-numeric usernames.  The oo-namespace-init script cannot get the password information to determine whether the directory is openshift.


+ '[' 0 = 1 ']'
+ exit 0
+ '[' 1 = 1 ']'
++ getent passwd 512884330434630336380928
+ passwd=
[HIDDEN] echo ''
++ cut -f6 -d:
+ homedir=
++ getfattr --only-values -n security.selinux ''
+ context=
++ echo ''
++ cut -f 3 -d:
+ setype=
+ cartvers=1
+ '[' -e /.env/CARTRIDGE_VERSION_2 ']'
+ '[' tmpfs '!=' tmpfs ']'
+ /sbin/restorecon /dev/shm
+ '[' '' = openshift_var_lib_t ']'
+ exit 0
+ '[' 0 = 1 ']'
+ exit 0

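The trace above shows the mechanism of the bug: `getent passwd 512884330434630336380928` prints nothing, so `homedir`, `context` and `setype` are all empty and the script exits without relabelling anything. My reading (not stated on the page) is that getent treats an all-digit key as a UID rather than a username, so a gear whose username is all digits is never found by name. The shell below is an added example, not the oo-namespace-init script from origin-server: `getent_like_lookup` models that key handling, `homedir_for_user` does the lookup by exact match on the passwd name field so it works for any username, and `check_tmp_context` verifies an `ls -Z` line for /tmp against the expected result in the description (type openshift_tmp_t plus MCS categories). The passwd records and `ls` lines are constructed samples built from the values on this page; all function names are my own.

```sh
#!/bin/sh
# Added example, not code from origin-server. Models the failure in the trace
# (empty `getent passwd` result for an all-digit gear username), shows a lookup
# that does not depend on getent's key handling, and checks /tmp's context.
# Assumption: getent treats an all-digit key as a UID (my reading of the trace).

# Constructed sample passwd database; the gear name is the one from the trace.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
512884330434630336380928:x:1001:1001:OpenShift guest:/var/lib/openshift/512884330434630336380928:/usr/bin/oo-trap-user
alice:x:1002:1002::/home/alice:/bin/bash'

# Model of getent's key handling: an all-digit key is matched against the UID
# field (3), anything else against the name field (1). Prints the matching
# record; returns 1 when nothing matches, which is what the trace shows.
getent_like_lookup() {
    key=$1; db=$2
    case $key in
        *[!0-9]*) field=1 ;;  # contains a non-digit: look up by name
        *)        field=3 ;;  # all digits: look up by UID
    esac
    printf '%s\n' "$db" | awk -F: -v k="$key" -v f="$field" \
        '($f "") == (k "") { print; found = 1; exit } END { if (!found) exit 1 }'
}

# Home-directory lookup by exact string match on the name field only, so an
# all-digit username resolves like any other. $2 defaults to the live passwd
# database so the function is usable outside this demo.
homedir_for_user() {
    user=$1
    db=${2:-$(getent passwd)}
    printf '%s\n' "$db" | awk -F: -v u="$user" \
        '($1 "") == (u "") { print $6; found = 1; exit } END { if (!found) exit 1 }'
}

# Type field of a context: system_u:object_r:openshift_tmp_t:s0:c5,c751 -> openshift_tmp_t
selinux_type() {
    printf '%s\n' "$1" | cut -f3 -d:
}

# The check the trace performs on the gear home directory's type.
is_openshift_home_type() {
    [ "$(selinux_type "$1")" = openshift_var_lib_t ]
}

# Pull the context column out of one `ls -Z` line regardless of which column
# it sits in (the two ls versions on this page print it in different places).
context_from_ls() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) { print $i; exit } }'
}

# Verify a polyinstantiated /tmp line: type must be openshift_tmp_t and the
# context must carry at least one MCS category (c<N>), as in the expected
# result in the description. Returns 0 on pass, 1 on fail.
check_tmp_context() {
    ctx=$(context_from_ls "$1")
    [ "$(selinux_type "$ctx")" = openshift_tmp_t ] || return 1
    printf '%s\n' "$ctx" | grep -Eq ':s[0-9]+:c[0-9]+' || return 1
}

# Constructed sample lines mirroring the "actual" and "expected" results above.
ACTUAL_LINE='drwxrwxrwt. 778471974781982305419264 root system_u:object_r:tmp_t:s0 /tmp'
EXPECTED_LINE='drwxrwxrwt. 519a5c005004466c41000085 root system_u:object_r:openshift_tmp_t:s0:c5,c751 /tmp'

# Run with the argument "demo" to see the two lookups and both checks.
if [ "${1:-}" = demo ]; then
    getent_like_lookup 512884330434630336380928 "$SAMPLE_PASSWD" || echo 'getent-style lookup: no record (the bug)'
    homedir_for_user 512884330434630336380928 "$SAMPLE_PASSWD"
    check_tmp_context "$ACTUAL_LINE"   && echo 'actual: ok'   || echo 'actual: wrong context'
    check_tmp_context "$EXPECTED_LINE" && echo 'expected: ok' || echo 'expected: wrong context'
fi
```

The /sandbox line in Comment 5 has type openshift_tmp_t but no categories, so `check_tmp_context` is deliberately scoped to /tmp, where the expected result carries categories; a check for other polyinstantiated directories would need its own expected type and level.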
Comment 3 Rob Millner 2013-06-11 02:05:51 UTC
Pull request:

https://github.com/openshift/origin-server/pull/2808

Comment 4 Rob Millner 2013-06-11 21:54:53 UTC
The old pull request was failing and was closed for further hand testing.  Here's the latest pull request.
https://github.com/openshift/origin-server/pull/2818


Note for QE: you may have to create several apps to get one which has an all-numeric user ID, or create the gear by hand with oo-app-create.

Comment 5 Meng Bo 2013-06-14 06:29:49 UTC
Checked on devenv_3360,

App with numeric uuid has correct context for its /tmp and /sandbox dir.

[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /tmp/
drwxrwxrwt. 2 system_u:object_r:openshift_tmp_t:s0:c0,c502 337603337419803013939200 root 4096 Jun 14 02:26 /tmp/

[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /sandbox/
drwxr-xr-x. 2 system_u:object_r:openshift_tmp_t:s0 337603337419803013939200 root 4096 Jun 14 02:25 /sandbox/

Comment 6 Kurt Seifried 2013-06-27 20:39:25 UTC
This issue is classified as security hardening and not a security vulnerability due to the fact that it cannot be exploited without an additional vulnerability.