Bug 1406439 - the /sbin symlink is not labelled in the targeted policy
Summary: the /sbin symlink is not labelled in the targeted policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-20 14:18 UTC by (GalaxyMaster)
Modified: 2017-08-01 15:20 UTC (History)

Fixed In Version: selinux-policy-3.13.1-124.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 15:20:12 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2017:1861 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2017-08-01 17:50:24 UTC

Description (GalaxyMaster) 2016-12-20 14:18:18 UTC
Description of problem:

The /sbin symlink is not defined in the provided targeted policy

Version-Release number of selected component (if applicable):


How reproducible:

[root@server ~]# ls -ldZ /sbin
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin -> usr/sbin
[root@server ~]# restorecon -v /sbin
restorecon reset /sbin context system_u:object_r:bin_t:s0->system_u:object_r:user_home_dir_t:s0


Actual results:

The /sbin symlink got labelled as user_home_dir_t .


Expected results:

It was expected that restorecon would not touch the /sbin symlink since it was properly labelled during the installation


Additional info:

[root@server ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
[root@server ~]# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
boolean -m -1 deny_execmem
boolean -m -1 polyinstantiation_enabled
boolean -m -0 selinuxuser_execmod
boolean -m -0 selinuxuser_execstack
login -a -s root -r 's0-s0:c0.c1023' %root
login -a -s user_u -r 's0' __default__
login -a -s user_u -r 's0' root
port -a -t ssh_port_t -p tcp 940
fcontext -a -f a -t ssh_home_t '/root/.users/[^/].+/\.ssh(/.*)?'
fcontext -a -e /var/tmp-inst /var/tmp/.private
fcontext -a -e /tmp-inst /tmp/.private
[root@server ~]#

Comment 2 (GalaxyMaster) 2016-12-23 04:09:03 UTC
I looked into that a bit further and the following does not look right:
===
# rpm -qf /etc/selinux/targeted/contexts/files/file_contexts.homedirs
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
# grep -A5 -E 'for user (halt|shutdown)' /etc/selinux/targeted/contexts/files/file_contexts.homedirs
# Home Context for user halt
#

/sbin/.+	root:object_r:user_home_t:s0
/sbin/.maildir(/.*)?	root:object_r:mail_home_rw_t:s0
/sbin/.*/plugins/nppdf\.so.*	--	root:object_r:textrel_shlib_t:s0
--
# Home Context for user shutdown
#

/sbin/.+	root:object_r:user_home_t:s0
/sbin/.maildir(/.*)?	root:object_r:mail_home_rw_t:s0
/sbin/.*/plugins/nppdf\.so.*	--	root:object_r:textrel_shlib_t:s0
# grep -E '(halt|shutdown)' /etc/passwd
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
#
===

It seems that the parts for home contexts were generated by a script that was looking up the home directories in /etc/passwd and using that as the base directory for the context.

When it comes to security, such an approach is questionable and should at least be double-checked by a human being -- otherwise we risk getting too many surprises in the system-wide policies.

Comment 3 Milos Malik 2017-01-02 14:32:45 UTC
Is it possible that genhomedircon caused it?

DESCRIPTION
       genhomedircon is a script that executes semodule to  rebuild  the  cur‐
       rently  active  SELinux policy (without reloading it) and to create the
       labels for each user home directory based on directory  paths  returned
       by calls to getpwent().

Comment 4 Milos Malik 2017-01-02 14:42:05 UTC
Reproducible on clean RHEL-7.3 machine:

# semanage export
boolean -D
login -D
interface -D
user -D
port -D
node -D
fcontext -D
module -D
# matchpathcon /sbin/
/sbin	system_u:object_r:bin_t:s0
# genhomedircon
# matchpathcon /sbin/
/sbin	system_u:object_r:bin_t:s0
# semanage import
login -a -s root -r 's0-s0:c0.c1023' %root
login -a -s user_u -r 's0' __default__
login -a -s user_u -r 's0' root
# matchpathcon /sbin/
/sbin	root:object_r:user_home_dir_t:s0
# grep -A5 -E 'for user (halt|shutdown)' /etc/selinux/targeted/contexts/files/file_contexts.homedirs
# Home Context for user halt
#

/sbin/.+	root:object_r:user_home_t:s0
/sbin/.maildir(/.*)?	root:object_r:mail_home_rw_t:s0
/sbin/.*/plugins/nppdf\.so.*	--	root:object_r:textrel_shlib_t:s0
--
# Home Context for user shutdown
#

/sbin/.+	root:object_r:user_home_t:s0
/sbin/.maildir(/.*)?	root:object_r:mail_home_rw_t:s0
/sbin/.*/plugins/nppdf\.so.*	--	root:object_r:textrel_shlib_t:s0

Comment 5 Milos Malik 2017-01-02 14:45:19 UTC
Forgotten line which should have been part of comment#4 too:

# restorecon -v /sbin
restorecon reset /sbin context system_u:object_r:bin_t:s0->system_u:object_r:user_home_dir_t:s0
#
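The mechanism comments 2 to 5 walk through (explicit login mappings are expanded, each mapped Linux user's home directory from /etc/passwd becomes the base of a home context, and the system accounts halt and shutdown with home /sbin drag /sbin along) can be modelled and checked for before a policy rebuild. The script below is an added example, not part of the bug report or of genhomedircon itself; the passwd and group data are constructed, the login mappings are copied from the `semanage export` above, and the list of system prefixes and the primary-gid-only group expansion are simplifying assumptions.

```python
"""Simplified model of how per-user home contexts are derived from login
mappings and /etc/passwd, plus the check that flags /sbin-style collisions."""
import re

# Constructed /etc/passwd sample; the shutdown and halt lines match the report.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
# Login mappings in `semanage export` syntax, as in the report.
SAMPLE_LOGINS = """\
login -a -s root -r 's0-s0:c0.c1023' %root
login -a -s user_u -r 's0' __default__
login -a -s user_u -r 's0' root
"""
GROUPS = {"root": 0}  # constructed /etc/group subset: group name -> gid
# Assumption: directories that must never become the base of a home context.
SYSTEM_PREFIXES = ("/bin", "/sbin", "/usr", "/etc", "/var", "/lib",
                   "/lib64", "/boot", "/dev", "/proc", "/sys")

def parse_passwd(text):
    """Return {name: {"gid": int, "home": str}} from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        name, _pw, _uid, gid, _gecos, home, _shell = line.split(":")
        users[name] = {"gid": int(gid), "home": home}
    return users

def mapped_users(logins, users):
    """Return {linux_user: selinux_user} for every explicit login mapping.
    '%group' is expanded to every user whose primary gid is that group's
    (simplified group expansion); __default__ yields no per-user entry."""
    mapping = {}
    for line in logins.splitlines():
        m = re.match(r"login -a -s (\S+) -r '[^']*' (\S+)$", line)
        if not m or m.group(2) == "__default__":
            continue
        seuser, name = m.groups()
        if name.startswith("%"):
            gid = GROUPS[name[1:]]
            for user, info in users.items():
                if info["gid"] == gid:
                    mapping.setdefault(user, seuser)
        elif name in users:
            mapping.setdefault(name, seuser)
    return mapping

def is_system_path(home):
    return home == "/" or any(home == p or home.startswith(p + "/")
                              for p in SYSTEM_PREFIXES)

def flag_system_homes(users, mapping):
    """Map each system path that would receive a home-dir context to the
    mapped users responsible for it; non-empty output means 'review first'."""
    flagged = {}
    for user in mapping:
        home = users[user]["home"]
        if is_system_path(home):
            flagged.setdefault(home, []).append(user)
    return flagged
```

Run against the report's data the check returns /sbin with shutdown and halt as the culprits, which is exactly the pair of "Home Context for user" blocks found in file_contexts.homedirs.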

Comment 8 errata-xmlrpc 2017-08-01 15:20:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1861

