Bug 1409813 - file context policy does not honor globs for /home based entries
Summary: file context policy does not honor globs for /home based entries
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Petr Lautrbach
QA Contact: Jan Zarsky
URL:
Whiteboard:
Depends On:
Blocks: 1420851
Reported: 2017-01-03 14:00 UTC by Zdenek Pytela
Modified: 2022-03-13 14:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 16:36:29 UTC
Target Upstream Version:
Embargoed:




Links:
- Red Hat Knowledge Base (Solution) 3006381 (last updated 2017-04-19 12:29:18 UTC)
- Red Hat Product Errata RHSA-2018:0913 (last updated 2018-04-10 16:37:27 UTC)

Description Zdenek Pytela 2017-01-03 14:00:40 UTC
Description of problem:
A custom-built SELinux policy module does not follow file context labeling rules for /home based files when globs are required

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a policy module with file context labeling statements
# using HOME_ROOT
HOME_ROOT/squia                 gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squia/data            gen_context(system_u:object_r:squid_conf_t,s0)
HOME_ROOT/squia/data/.*         gen_context(system_u:object_r:squid_conf_t,s0)
HOME_ROOT/squib(/.*)?           gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squib/data(/.*)?      gen_context(system_u:object_r:squid_conf_t,s0)
# using /home
/home/squic                     gen_context(system_u:object_r:squid_cache_t,s0)
/home/squic/data                gen_context(system_u:object_r:squid_conf_t,s0)
/home/squic/data/.*             gen_context(system_u:object_r:squid_conf_t,s0)
/home/squid(/.*)?               gen_context(system_u:object_r:squid_cache_t,s0)
/home/squid/data(/.*)?          gen_context(system_u:object_r:squid_conf_t,s0)

2. Insert the module
3. Run matchpathcon or restorecon
matchpathcon /home/squia/data/a /home/squib/data/a /home/squic/data/a /home/squid/data/a

Actual results:
statements are ignored by matchpathcon or restorecon when both globs and /home are used, but they are displayed correctly by the semanage fcontext command:
matchpathcon /home/squia/data/a /home/squib/data/a /home/squic/data/a /home/squid/data/a
semanage fcontext -l | grep ^/home/squid

Expected results:
statements are honored by all tools

Additional info:
Using HOME_ROOT in place of /home works as expected
Not reproducible for entries in other than /home directories
Same results in F25

Comment 2 Zdenek Pytela 2017-01-03 14:09:39 UTC
Also (as noticed by Milos) does not seem to work correctly for the snapper module shipped by RH:

  # semanage fcontext -l | grep ^/home
/home/(.*/)?\.snapshots(/.*)?                      all files          system_u:object_r:snapperd_data_t:s0 
/home/\.snapshots(/.*)?                            all files          system_u:object_r:snapperd_data_t:s0 

  # mkdir -p /home/.snapshots /home/a/.snapshots
  # ls -Zd /home/.snapshots /home/a/.snapshots
drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0 /home/a/.snapshots
drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0 /home/.snapshots

  # matchpathcon /home/.snapshots /home/a/.snapshots
/home/.snapshots        unconfined_u:object_r:user_home_dir_t:s0
/home/a/.snapshots      unconfined_u:object_r:user_home_t:s0

  # restorecon -Rvn /home/.snapshots /home/a/.snapshots
restorecon reset /home/.snapshots context unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/a/.snapshots context unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_t:s0

Comment 3 Milos Malik 2017-01-03 15:45:10 UTC
Why does semanage fcontext -l print only 2 file context patterns related to home directories?

# semanage fcontext -l | grep ^/home
/home/(.*/)?\.snapshots(/.*)?                      all files          system_u:object_r:snapperd_data_t:s0 
/home/\.snapshots(/.*)?                            all files          system_u:object_r:snapperd_data_t:s0 
#

Meanwhile, matchpathcon knows many file context patterns related to home directories. For example:

# matchpathcon /home/tester/.fetchmailrc
/home/tester/.fetchmailrc	unconfined_u:object_r:fetchmail_home_t:s0
# matchpathcon /home/tester/bin
/home/tester/bin	unconfined_u:object_r:home_bin_t:s0
# matchpathcon /home/tester/.config
/home/tester/.config	unconfined_u:object_r:config_home_t:s0
# matchpathcon /home/tester/.k5login
/home/tester/.k5login	unconfined_u:object_r:krb5_home_t:s0
# 

It seems that I have to define 2 file context patterns to make 1 file context pattern visible to both tools (matchpathcon and semanage):

/home/squid(/.*)?                        gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squid(/.*)?                        gen_context(system_u:object_r:squid_cache_t,s0)

Comment 4 Petr Lautrbach 2017-02-01 22:15:29 UTC
I will try to explain how it works right now.

All .fc entries from selinux-policy and its modules are extracted to file_contexts.template file which is then used to build the following files:

- contexts/files/file_contexts.homedirs - this file is generated from homedir_template which contains all lines from file_contexts.template with HOME_ROOT, HOME_DIR and/or USER keywords

- contexts/files/file_contexts file - all other lines from the generated file_contexts.template.

And then there's another file:

- contexts/files/file_contexts.local file - local modifications made by 'semanage fcontext [-a|m]'


When a labeling utility, like matchpathcon or restorecon, looks for a label, it looks for local changes/modifications first. If it doesn't find a matching pattern, it looks into file_contexts.homedirs and finally it looks into file_contexts file.

Given that file_contexts.homedirs defines a label for everything in HOME_ROOT, it overrides everything with '/home' specified in modules .fc so you need to use 'HOME_ROOT' instead of '/home'.

Unfortunately, 'semanage fcontext -l' doesn't list records from file_contexts.homedirs now.

I guess that what Milos suggested - use 2 records, 1 with /home, 1 with HOME_ROOT - could be used as a workaround for this issue:

/home/squid(/.*)?         gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squid(/.*)?     gen_context(system_u:object_r:squid_cache_t,s0)
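An added Python model of the lookup order described above (example code written for this page, not part of the thread or of libselinux). The module entries and the generic homedirs lines are constructed samples; the rule that a literal entry beats a regex and that the last-loaded regex wins is an assumption about libselinux not stated in this thread, chosen because it reproduces the matchpathcon outputs shown in comments 2 and 6.

```python
import re

# Constructed stand-ins for the context files described in comment 4; patterns
# are whole-path anchored (re.fullmatch), as libselinux matches them.
MODULE_FC = [                              # the reporter's module, both spellings
    ("/home/squid(/.*)?", "squid_cache_t"),
    ("/home/squid/data(/.*)?", "squid_conf_t"),
    ("/home/squic", "squid_cache_t"),
    ("/home/squic/data", "squid_conf_t"),
    ("HOME_ROOT/squib(/.*)?", "squid_cache_t"),
    ("HOME_ROOT/squib/data(/.*)?", "squid_conf_t"),
]
# Constructed sample of the generic /home entries in file_contexts.homedirs.
HOMEDIRS_GENERIC = [
    ("/home/[^/]+", "user_home_dir_t"),
    ("/home/[^/]+/.+", "user_home_t"),
]

def has_meta(pat):
    """True if the entry is a regex rather than a literal path; escapes skipped."""
    return any(c in ".^$?*+|[({" for c in re.sub(r"\\.", "", pat))

def build(module_fc):
    """Split .fc lines as comment 4 describes: HOME_ROOT lines go to
    file_contexts.homedirs (HOME_ROOT expanded to /home), the rest to file_contexts.
    Assumption: module HOME_ROOT lines land after the generic homedirs entries."""
    homedirs = HOMEDIRS_GENERIC + [(p.replace("HOME_ROOT", "/home"), t)
                                   for p, t in module_fc if "HOME_ROOT" in p]
    file_contexts = [(p, t) for p, t in module_fc if "HOME_ROOT" not in p]
    return file_contexts, homedirs, []         # [] = empty file_contexts.local

def matchpathcon(path, file_contexts, homedirs, local):
    """Assumed lookup model (not stated in the thread): a literal entry beats any
    regex; among regexes the last loaded wins, and the files load in the order
    file_contexts, then homedirs, then local, so local overrides both."""
    specs = file_contexts + homedirs + local
    for pat, t in reversed(specs):
        if not has_meta(pat) and pat == path:
            return t
    for pat, t in reversed(specs):
        if has_meta(pat) and re.fullmatch(pat, path):
            return t
    return None

def label(path, module_fc=MODULE_FC):
    return matchpathcon(path, *build(module_fc))

if __name__ == "__main__":
    for p in ("/home/squic", "/home/squic/data", "/home/squic/data/a",
              "/home/squid/data/a", "/home/squib/data/a"):
        print(p, label(p))
```

Running it shows the split from comment 6: the literal /home/squic entries win, /home/squic/data/a and /home/squid/data/a fall through to the generic homedirs regex, and only the HOME_ROOT spelling (squib) labels the whole subtree as intended.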

Comment 5 Petr Lautrbach 2017-02-01 22:17:00 UTC
(In reply to Zdenek Pytela from comment #2)
> Also (as noticed by Milos) does not seem to work correctly for the snapper
> module shipped by RH:

snapper.pp should probably be updated to use HOME_ROOT instead of, or together with, /home


Comment 6 Zdenek Pytela 2017-02-02 09:36:54 UTC
Petr,

Thanks for the info. Do I understand correctly that you don't consider this issue a bug as such? From my point of view it is inconsistent at least, as it occurs only if both conditions are met: an entry is in /home and a regex is used. See also my example in this bug description and the matchpathcon command output:

  # matchpathcon /home/squic/data/a /home/squic/data /home/squic
/home/squic/data/a      unconfined_u:object_r:user_home_t:s0
/home/squic/data        system_u:object_r:squid_conf_t:s0
/home/squic     system_u:object_r:squid_cache_t:s0

In that case:
1. Documentation should be updated to point to the fact
2. semanage fcontext should be fixed as it does not take file_contexts.homedirs into account

Comment 7 Lukas Vrabec 2017-02-02 11:35:57 UTC
Petr, 
Thanks for investigation. 

I think we should fix this in policycoreutils. Moving to policycoreutils component.

Comment 14 errata-xmlrpc 2018-04-10 16:36:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0913

