1271209 – add file context for /usr/libexec/mock/mock

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1271209 - add file context for /usr/libexec/mock/mock

Summary: add file context for /usr/libexec/mock/mock

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:	1270972 1271211
Blocks:	1246810
TreeView+	depends on / blocked

Reported:	2015-10-13 11:46 UTC by Miroslav Suchý
Modified:	2016-11-04 02:23 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-93.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:	1270972
Environment:
Last Closed:	2016-11-04 02:23:13 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2283	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2016-11-03 13:36:25 UTC

Description Miroslav Suchý 2015-10-13 11:46:08 UTC

+++ This bug was initially created as a clone of Bug #1270972 +++

Description of problem:
In bug 1246810 we are thinking about moving /usr/sbin/mock to /usr/libexec/mock/mock. But before we do that, we need to have correct selinux context for /usr/libexec/mock/mock.

Can you please add new selinux file context for:
  /usr/libexec/mock/mock
and make it the same type as file
  /usr/sbin/mock
?

However we will need this on all platforms where mock run: all Fedoras, EL6 and EL7.
Is this possible?

--- Additional comment from Miroslav Grepl on 2015-10-13 07:36:00 EDT ---

Thank you for this info.

Could you create clone bugs for RHELs?

--- Additional comment from Miroslav Grepl on 2015-10-13 07:39:20 EDT ---

https://github.com/fedora-selinux/selinux-policy/commit/b86a01ab16c3d6d90c7e8975e0143a3a238c7ff7

Comment 2 Mike McCune 2016-03-28 22:59:28 UTC

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 7 Miroslav Suchý 2016-04-27 06:24:17 UTC

The test is IMHO incorrect. Mock does not yet have the script in /usr/libexec/mock/mock. The script can be moved only and only after the selinux policy will change.
So you cannot test functionality of mock per se.

Test should be as simple as
  touch /usr/libexec/mock/mock
  ls -lZ /usr/libexec/mock/mock
  ls -lZ /usr/sbin/mock
and compare that those files have identical selinux context.

Comment 8 Milos Malik 2016-04-27 06:37:43 UTC

Both files have the same context:

# matchpathcon /usr/libexec/mock/mock
/usr/libexec/mock/mock	system_u:object_r:mock_exec_t:s0
# matchpathcon /usr/sbin/mock
/usr/sbin/mock	system_u:object_r:mock_exec_t:s0
#

There are several transitions into the mock_t domain. I chose one of them (staff_t, one of the confined users) and the AVCs were results of running the mock program in that domain:

# sesearch -t mock_exec_t -T
Found 5 semantic te rules:
   type_transition staff_consolehelper_t mock_exec_t : process mock_t; 
   type_transition abrt_retrace_worker_t mock_exec_t : process mock_t; 
   type_transition rhev_agentd_consolehelper_t mock_exec_t : process mock_t; 
   type_transition realmd_consolehelper_t mock_exec_t : process mock_t; 
   type_transition staff_t mock_exec_t : process mock_t; 
# rpm -qa selinux-policy\*
selinux-policy-doc-3.13.1-68.el7.noarch
selinux-policy-3.13.1-68.el7.noarch
selinux-policy-targeted-3.13.1-68.el7.noarch
selinux-policy-mls-3.13.1-68.el7.noarch
selinux-policy-sandbox-3.13.1-68.el7.noarch
selinux-policy-minimum-3.13.1-68.el7.noarch
selinux-policy-devel-3.13.1-68.el7.noarch
#

Comment 13 Lukas Vrabec 2016-07-11 15:05:20 UTC

Milos,
Could you run it in permissive mode? 

Thank you.

Comment 14 Miroslav Grepl 2016-07-12 08:04:20 UTC

I believe you will need to run it also with

semodule -DB

to collect all needed AVCs.

Comment 16 Lukas Vrabec 2016-07-12 13:15:27 UTC

This is weird, that you don't catch AVCs from comment 12. 

Milos,
Could you create local policy to check if it working with these rules? 

Thank you!

Comment 24 Miroslav Suchý 2016-08-08 17:29:43 UTC

Hmm what does it mean? That mock_t is trying to open /etc/pki/nssdb/key4.db? This seems to do urlgrabber, which should be ok. Does this happen when urlgrabber is trying to access https pages? Or I am reading the logs incorrectly?

Comment 25 Milos Malik 2016-08-09 07:07:37 UTC

The AVCs mentioned in comment#22 are generated by urlgrabber (comm=urlgrabber-ext-), but the urlgrabber process still runs under mock_t, because transition from mock_t to rpm_t (yum) is not allowed. If it was allowed then urlgrabber would run under the same context as yum and everything would be fine.

Comment 26 Miroslav Grepl 2016-08-09 08:36:14 UTC

I don't see a way for this transition. There is no rpm_exec_t labeling for urlgrabber.

Comment 27 Miroslav Grepl 2016-08-09 08:40:09 UTC

Milos,
does it work correctly though AVC msgs.

Comment 32 errata-xmlrpc 2016-11-04 02:23:13 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

Note You need to log in before you can comment on or make changes to this bug.