Bug 972977
Summary: | SELinux context on polyinstantiated directories is incorrect | | |
---|---|---|---|
Product: | OpenShift Online | Reporter: | Rob Millner <rmillner> |
Component: | Containers | Assignee: | Rob Millner <rmillner> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | libra bugs <libra-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 2.x | CC: | bmeng, mfisher, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-06-24 14:52:55 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Rob Millner
2013-06-11 00:42:03 UTC
This bug may exist in prod. At least one problem was observed with the use of all numeric usernames. The oo-namespace-init script cannot get the password information to determine whether the directory is openshift.

```
+ '[' 0 = 1 ']'
+ exit 0
+ '[' 1 = 1 ']'
++ getent passwd 512884330434630336380928
+ passwd= [HIDDEN] echo ''
++ cut -f6 -d:
+ homedir=
++ getfattr --only-values -n security.selinux ''
+ context=
++ echo ''
++ cut -f 3 -d:
+ setype=
+ cartvers=1
+ '[' -e /.env/CARTRIDGE_VERSION_2 ']'
+ '[' tmpfs '!=' tmpfs ']'
+ /sbin/restorecon /dev/shm
+ '[' '' = openshift_var_lib_t ']'
+ exit 0
+ '[' 0 = 1 ']'
+ exit 0
```

Pull request: https://github.com/openshift/origin-server/pull/2808

The old pull request was failing and was closed for further hand testing. Here's the latest pull request.
https://github.com/openshift/origin-server/pull/2818

Note on Q/E, you may have to create several apps to get one which has an all numeric user ID or create the gear by hand with oo-app-create.

Checked on devenv_3360, App with numeric uuid has correct context for its /tmp and /sandbox dir.

```
[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /tmp/
drwxrwxrwt. 2 system_u:object_r:openshift_tmp_t:s0:c0,c502 337603337419803013939200 root 4096 Jun 14 02:26 /tmp/
[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /sandbox/
drwxr-xr-x. 2 system_u:object_r:openshift_tmp_t:s0 337603337419803013939200 root 4096 Jun 14 02:25 /sandbox/
```

This issue is classified as security hardening and not a security vulnerability due to the fact that it cannot be exploited without an additional vulnerability.
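As an added example (not code from oo-namespace-init or from either pull request) of the lookup failure behind the empty `getent passwd` result in the trace above, next to a name-based lookup that fails closed instead of continuing with empty variables; the passwd lines, the UID 1001 and the function names are constructed for the illustration.

```shell
# Added example, not code from oo-namespace-init or either pull request.
# `getent passwd KEY` treats an all-digit KEY as a UID, so a gear whose user
# *name* is numeric is never found and every derived variable (homedir,
# context, setype) is empty; the trace in this bug then continues and exits 0.
# Below: a lookup that matches the passwd name field exactly and fails closed.

# Constructed passwd data standing in for the node's user database.
# The gear user's name is all digits; its UID (field 3) is a different number.
PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
512884330434630336380928:x:1001:1001:OpenShift gear:/var/lib/openshift/512884330434630336380928:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash'

# Mimic getent's key rule over the constructed data: all digits => match UID
# (field 3), otherwise match name (field 1). Shows the numeric-name miss.
getent_like_lookup() {
    case "$1" in
        ''|*[!0-9]*) field=1 ;;
        *)           field=3 ;;
    esac
    printf '%s\n' "$PASSWD_DATA" |
        awk -F: -v u="$1" -v f="$field" \
            '($f "") == (u "") { print; found = 1 } END { exit found ? 0 : 1 }'
}

# Robust lookup: always match the name field, compared as a string, exactly.
lookup_passwd_by_name() {
    printf '%s\n' "$PASSWD_DATA" |
        awk -F: -v u="$1" \
            '($1 "") == (u "") { print; found = 1 } END { exit found ? 0 : 1 }'
}

# Home directory of a user, failing closed: a missing entry or an empty
# field is a non-zero return, not an empty string to keep computing with.
homedir_of() {
    entry=$(lookup_passwd_by_name "$1") || return 1
    dir=$(printf '%s\n' "$entry" | cut -f6 -d:)
    [ -n "$dir" ] || return 1
    printf '%s\n' "$dir"
}
```

A caller such as a namespace-init step can then stop on a non-zero return before relabelling anything, rather than comparing an empty context against openshift_var_lib_t and exiting 0.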