Bug 1275727 - homedir polyinstantiation (pam_namespace) doesn't work in mls
Summary: homedir polyinstantiation (pam_namespace) doesn't work in mls
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Jiri Jaburek
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1218420
Reported: 2015-10-27 15:01 UTC by Jiri Jaburek
Modified: 2018-10-30 10:00 UTC (History)
Fixed In Version: selinux-policy-3.13.1-203.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 09:59:15 UTC
Target Upstream Version:
Embargoed:


Links: Red Hat Product Errata RHBA-2018:3111 (last updated 2018-10-30 10:00:02 UTC)

Description Jiri Jaburek 2015-10-27 15:01:38 UTC
Description of problem:

(note: while this was tested in mls, the problem might technically appear with targeted policy as well!)

According to the SELinux Users and Administrators Guide [1] for RHEL7, the user can configure polyinstantiation on /tmp and /var/tmp as

/tmp     /tmp-inst/            level      root,adm
/var/tmp /var/tmp/tmp-inst/    level      root,adm

and when searching the policy, there's support for that:

# semanage fcontext -l | grep inst | grep -v install
/tmp-inst                                          all files          system_u:object_r:tmp_t:s0 
/var/tmp-inst                                      directory          system_u:object_r:tmp_t:s0 

(which could be technically achieved by using selinux fcontext equivalency, but either works).

The guide also mentions home dir instantiation,

$HOME    $HOME/$USER.inst/     level

which isn't supported by the policy (no fcontext rules as far as I see), presumably due to the variable nature of $HOME or $USER.

One way to support it would be to use a non-variable instantiation root dir (i.e. /home/home-inst) and define it as home_root_t in the policy - like tmp_t for /tmp-inst - or let the admin simply add fcontext equivalency from /home to wherever the destination is.

The issue is that (tty) login / sshd isn't allowed (via pam_namespace) to create instantiated homedirs in home_root_t, which also needs to be fixed:

----
time->Tue Oct 27 15:17:46 2015
type=SYSCALL msg=audit(1445955466.781:1203): arch=c000003e syscall=83 success=no exit=-13 a0=7fc75948f640 a1=100 a2=7fc7574f4780 a3=0 items=0 ppid=3149 pid=3151 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=15 comm="ssh-keycat" exe="/usr/libexec/openssh/ssh-keycat" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1445955466.781:1203): avc:  denied  { create } for  pid=3151 comm="ssh-keycat" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
----
time->Tue Oct 27 15:17:48 2015
type=SYSCALL msg=audit(1445955468.901:1216): arch=c000003e syscall=83 success=no exit=-13 a0=7f2d2f8d21a0 a1=100 a2=7f2d2c416780 a3=0 items=0 ppid=1003 pid=3149 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=16 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1445955468.901:1216): avc:  denied  { create } for  pid=3149 comm="sshd" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

and

----
time->Tue Oct 27 15:20:51 2015
type=SYSCALL msg=audit(1445955651.355:1368): arch=c000003e syscall=83 success=no exit=-13 a0=1558610 a1=100 a2=7f3fd73ac780 a3=0 items=0 ppid=1 pid=3304 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS0 ses=20 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0-s15:c0.c1023 key=(null)
type=AVC msg=audit(1445955651.355:1368): avc:  denied  { create } for  pid=3304 comm="login" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir

When both are allowed via a custom module,

------------------8<----------------------
policy_module(testmod,1.0);

require {
        type home_root_t;
        type local_login_t;
        type sshd_t;
        class dir create;
}

#============= local_login_t ==============
allow local_login_t home_root_t:dir create;

#============= sshd_t ==============
allow sshd_t home_root_t:dir create;
------------------8<----------------------

both ssh and tty console login (creation of instantiated home) work as expected under home_root_t.


There's also one related issue - currently, due to missing home-inst (or $USER.inst) rules in the policy, new files/dirs inside the instantiated home dir get created with the correct context only thanks to user_home_dir_t and type transition rules. So with our theoretical /home/home-inst/, it "just works" during runtime because sshd/login creates /home/home-inst/staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_username/ correctly with user_home_dir_t, so that i.e. ~/.screen gets screen_home_t thanks to:

# sesearch -T -s staff_screen_t -t user_home_dir_t
Found 1 semantic te rules:
   type_transition staff_screen_t user_home_dir_t : dir screen_home_t; 

However if the admin runs restorecon (even without -F) or autorelabel, on /home/home-inst, all dirs under /home/home-inst get user_home_t instead of user_home_dir_t, making all users unable to log in. This - again - is solved either by putting /home/home-inst (or $HOME/$USER.inst) into the policy or defining a fcontext equivalency by the admin, as mentioned before.


(So, to mention it explicitly, if an admin configures polyinstantiation for user homedirs according to the guide [1], the system becomes unusable/broken after the first restorecon/autorelabel.)


[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/SELinux_Users_and_Administrators_Guide/index.html#polyinstantiated-directories


My suggestion would be to implement the AVC fixes from above into the policy + define a static /home/home-inst or /home-inst for user homedir polyinstantiation (like with /tmp-inst) with home_root_t fcontext (either as a separate rule or via equivalency from /home). And also fix the guide.


Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-60.el7

Comment 1 Jiri Jaburek 2015-10-27 16:42:36 UTC
(In reply to Jiri Jaburek from comment #0)
> My suggestion would be to implement the AVC fixes from above into the policy
> + define a static /home/home-inst or /home-inst for user homedir
> polyinstantiation (like with /tmp-inst) with home_root_t fcontext (either as
> a separate rule or via equivalency from /home). And also fix the guide.

Actually, a separate fcontext rule won't do because of file_contexts.homedirs, there needs to be an equivalency rule.
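An added example, not from the bug report or from selinux-policy, that carries the fix sketched in comment 0 and comment 1 through in shell: it turns the AVC denials quoted above into the allow rules of the reporter's testmod, wraps them in a loadable module, and labels the instantiation root by fcontext equivalency from /home rather than a plain fcontext rule. The module name "homeinst", the paths and the namespace.conf line are assumptions.

```shell
# Added example, not from the bug report or selinux-policy: derive the allow
# rules of the reporter's testmod from the AVC lines quoted above, wrap them in
# a loadable module, and script the equivalency fix. Names/paths are assumptions.
# Sample input: the sshd and login AVC lines copied from this bug's audit output.
SAMPLE_AVC='type=AVC msg=audit(1445955468.901:1216): avc:  denied  { create } for  pid=3149 comm="sshd" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:sshd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1445955651.355:1368): avc:  denied  { create } for  pid=3304 comm="login" name="staff_u:object_r:user_home_dir_t:s0-s15:c0.c1023_eal" scontext=system_u:system_r:local_login_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# avc_to_allow: audit lines on stdin -> one allow rule per distinct
# (source type, target type, class, permission); MLS ranges are dropped.
avc_to_allow() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; st = ""; tt = ""; cls = ""
        if (match($0, /denied +[{] *[a-z_]+ *[}]/)) { perm = substr($0, RSTART, RLENGTH); gsub(/denied +[{] *| *[}]/, "", perm) }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); st = a[3] } else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            if ($i ~ /^tclass=/) { cls = substr($i, 8) }
        }
        if (perm == "" || st == "" || tt == "" || cls == "") next
        rule = "allow " st " " tt ":" cls " " perm ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# write_te_module NAME: allow rules on stdin -> policy_module() source with the
# require block those rules need (the shape of the reporter's testmod).
write_te_module() {
    awk -v name="$1" '
    /^allow / {
        n++; rules[n] = $0; split($3, t, ":"); types[$2] = 1; types[t[1]] = 1
        p = $4; sub(/;$/, "", p); classes[t[2] " " p] = 1
    }
    END {
        printf "policy_module(%s, 1.0)\n\nrequire {\n", name
        for (ty in types) printf "\ttype %s;\n", ty
        for (c in classes) printf "\tclass %s;\n", c
        print "}\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

# apply_homeinst (root, selinux-policy-devel installed): load the module, then
# label /home/home-inst by equivalency to /home so file_contexts.homedirs keeps
# giving the instance dirs user_home_dir_t after restorecon.
# Assumed namespace.conf line for this layout:  $HOME  /home/home-inst/  level
apply_homeinst() {
    grep 'tcontext=system_u:object_r:home_root_t' /var/log/audit/audit.log | avc_to_allow | write_te_module homeinst > homeinst.te
    make -f /usr/share/selinux/devel/Makefile homeinst.pp && semodule -i homeinst.pp
    semanage fcontext -a -e /home /home/home-inst && mkdir -p /home/home-inst && restorecon -Rv /home/home-inst
}

if [ "${1:-}" = apply ]; then apply_homeinst; else printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | write_te_module homeinst; fi
```

Run without arguments it only prints the generated module for the two sample denials; `apply` performs the actual policy load and relabel.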

Comment 9 errata-xmlrpc 2018-10-30 09:59:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111

