1275727 – homedir polyinstantiation (pam_namespace) doesn't work in mls

Bug 1275727 - homedir polyinstantiation (pam_namespace) doesn't work in mls

Summary: homedir polyinstantiation (pam_namespace) doesn't work in mls

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Lukas Vrabec
QA Contact:	Jiri Jaburek
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:	1218420
TreeView+	depends on / blocked

Reported:	2015-10-27 15:01 UTC by Jiri Jaburek
Modified:	2018-10-30 10:00 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-203.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 09:59:15 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:3111	0	None	None	None	2018-10-30 10:00:02 UTC

Description Jiri Jaburek 2015-10-27 15:01:38 UTC

Description of problem:

(note: while this was tested in mls, the problem might technically appear with targeted policy as well!)

According to SELinux Users and Administrators Guide [1] for RHEL7, the user can configure polyinstation on /tmp and /var/tmp as

/tmp     /tmp-inst/            level      root,adm
/var/tmp /var/tmp/tmp-inst/    level      root,adm

and when searching the policy, there's support for that:

# semanage fcontext -l | grep inst | grep -v install
/tmp-inst                                          all files          system_u:object_r:tmp_t:s0 
/var/tmp-inst                                      directory          system_u:object_r:tmp_t:s0 

(which could be technically achieved by using selinux fcontext equivalency, but either works).

The guide also mentions home dir instantiation,

$HOME    $HOME/$USER.inst/     level

which isn't supported by the policy (no fcontext rules as far as I see), presumably due to the variable nature of $HOME or $USER.

One way to support it would be to use a non-variable instantiation root dir (ie. /home/home-inst) and define it as home_root_t in the policy - like tmp_t for /tmp-inst - or let the admin simply add fcontext equivalency from /home to wherever the destination is.

The issue is that (tty) login / sshd isn't allowed (via pam_namespace) to create instantiated homedirs in home_root_t, which also needs to be fixed:

----
time->Tue Oct 27 15:17:46 2015
type=SYSCALL msg=audit(1445955466.781:1203): arch=c000003e syscall=83 success=no exit=-13 a0=7fc75948f640 a1=100 a2=7fc7574f4780 a3=0 items=0 ppid=3149 pid=3151 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm="ssh-keycat" exe="/usr/libexec/openssh/ssh-keycat" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1445955466.781:1203): avc:  denied  { create } for  pid=3151 comm="ssh-keycat" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
----
time->Tue Oct 27 15:17:48 2015
type=SYSCALL msg=audit(1445955468.901:1216): arch=c000003e syscall=83 success=no exit=-13 a0=7f2d2f8d21a0 a1=100 a2=7f2d2c416780 a3=0 items=0 ppid=1003 pid=3149 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1445955468.901:1216): avc:  denied  { create } for  pid=3149 comm="sshd" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

and

----
time->Tue Oct 27 15:20:51 2015
type=SYSCALL msg=audit(1445955651.355:1368): arch=c000003e syscall=83 success=no exit=-13 a0=1558610 a1=100 a2=7f3fd73ac780 a3=0 items=0 ppid=1 pid=3304 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=20 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1445955651.355:1368): avc:  denied  { create } for  pid=3304 comm="login" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

When both are allowed via a custom module,

------------------8<----------------------
policy_module(testmod,1.0);

require {
        type home_root_t;
        type local_login_t;
        type sshd_t;
        class dir create;
}

#============= local_login_t ==============
allow local_login_t home_root_t:dir create;

#============= sshd_t ==============
allow sshd_t home_root_t:dir create;
------------------8<----------------------

both ssh and tty console login (creation of instantiated home) work as expected under home_root_t.


There's also one related issue - currently, due to missing home-inst (or $USER.inst) rules in the policy, new files/dirs inside the instantiated home dir get created with correct context only thanks to user_home_dir_t and type transition rules, so with our theoretical /home/home-inst/, it "just works" during runtime because sshd/login creates /home/home-inst/staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_username/ correctly with user_home_dir_t, so that ie. ~/.screen gets screen_home_t thanks to:

# sesearch -T -s staff_screen_t -t user_home_dir_t
Found 1 semantic te rules:
   type_transition staff_screen_t user_home_dir_t : dir screen_home_t; 

However if the admin runs restorecon (even without -F) or autorelabel, on /home/home-inst, all dirs under /home/home-inst get user_home_t instead of user_home_dir_t, making all users unable to log in. This - again - is solved either by putting /home/home-inst (or $HOME/$USER.inst) into the policy or defining a fcontext equivalency by the admin, as mentioned before.


(So, to mention it explicitly, if an admin configures polyinstation for user homedirs according to the guide [1], the system becomes unusable/broken after the first restorecon/autorelabel.)


[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/SELinux_Users_and_Administrators_Guide/index.html#polyinstantiated-directories


My suggestion would be to implement the AVC fixes from above into the policy + define a static /home/home-inst or /home-inst for user homedir polyinstantiation (like with /tmp-inst) with home_root_t fcontext (either as a separate rule or via equivalency from /home). And also fix the guide.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7

Comment 1 Jiri Jaburek 2015-10-27 16:42:36 UTC

(In reply to Jiri Jaburek from comment #0)
> My suggestion would be to implement the AVC fixes from above into the policy
> + define a static /home/home-inst or /home-inst for user homedir
> polyinstantiation (like with /tmp-inst) with home_root_t fcontext (either as
> a separate rule or via equivalency from /home). And also fix the guide.

Actually, a separate fcontext rule won't do because of file_contexts.homedirs, there needs to be an equivalency rule.

Comment 9 errata-xmlrpc 2018-10-30 09:59:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

Note You need to log in before you can comment on or make changes to this bug.