Red Hat Bugzilla – Bug 1409813
file context policy does not honor globs for /home based entries
Last modified: 2018-04-10 12:37:28 EDT
Description of problem:
A custom built selinux policy module does not follow file context labeling rules for /home based files when globs are required

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-102.el7_3.7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a policy module with file context labeling statements

# using HOME_ROOT
HOME_ROOT/squia              gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squia/data         gen_context(system_u:object_r:squid_conf_t,s0)
HOME_ROOT/squia/data/.*      gen_context(system_u:object_r:squid_conf_t,s0)
HOME_ROOT/squib(/.*)?        gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squib/data(/.*)?   gen_context(system_u:object_r:squid_conf_t,s0)

# using /home
/home/squic                  gen_context(system_u:object_r:squid_cache_t,s0)
/home/squic/data             gen_context(system_u:object_r:squid_conf_t,s0)
/home/squic/data/.*          gen_context(system_u:object_r:squid_conf_t,s0)
/home/squid(/.*)?            gen_context(system_u:object_r:squid_cache_t,s0)
/home/squid/data(/.*)?       gen_context(system_u:object_r:squid_conf_t,s0)

2. Insert the module
3. Run matchpathcon or restorecon

matchpathcon /home/squia/data/a /home/squib/data/a /home/squic/data/a /home/squid/data/a

Actual results:
statements are ignored by matchpathcon or restorecon when globs && /home were used, displayed correctly by the semanage fcontext command though:

matchpathcon /home/squia/data/a /home/squib/data/a /home/squic/data/a /home/squid/data/a
semanage fcontext -l | grep ^/home/squid

Expected results:
statements are honored by all tools

Additional info:
Using HOME_ROOT in place of /home works as expected
Not reproducible for entries in directories other than /home
Same results in F25
Also (as noticed by Milos) this does not seem to work correctly for the snapper module shipped by RH:

# semanage fcontext -l | grep ^/home
/home/(.*/)?\.snapshots(/.*)?    all files    system_u:object_r:snapperd_data_t:s0
/home/\.snapshots(/.*)?          all files    system_u:object_r:snapperd_data_t:s0

# mkdir -p /home/.snapshots /home/a/.snapshots
# ls -Zd /home/.snapshots /home/a/.snapshots
drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0 /home/a/.snapshots
drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0 /home/.snapshots

# matchpathcon /home/.snapshots /home/a/.snapshots
/home/.snapshots    unconfined_u:object_r:user_home_dir_t:s0
/home/a/.snapshots  unconfined_u:object_r:user_home_t:s0

# restorecon -Rvn /home/.snapshots /home/a/.snapshots
restorecon reset /home/.snapshots context unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_dir_t:s0
restorecon reset /home/a/.snapshots context unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_t:s0
Why does semanage fcontext -l print only 2 file context patterns related to home directories?

# semanage fcontext -l | grep ^/home
/home/(.*/)?\.snapshots(/.*)?    all files    system_u:object_r:snapperd_data_t:s0
/home/\.snapshots(/.*)?          all files    system_u:object_r:snapperd_data_t:s0
#

When matchpathcon knows many file context patterns related to home directories. For example:

# matchpathcon /home/tester/.fetchmailrc
/home/tester/.fetchmailrc    unconfined_u:object_r:fetchmail_home_t:s0
# matchpathcon /home/tester/bin
/home/tester/bin    unconfined_u:object_r:home_bin_t:s0
# matchpathcon /home/tester/.config
/home/tester/.config    unconfined_u:object_r:config_home_t:s0
# matchpathcon /home/tester/.k5login
/home/tester/.k5login    unconfined_u:object_r:krb5_home_t:s0
#

It seems that I have to define 2 file context patterns to make 1 file context pattern visible to both tools (matchpathcon and semanage):

/home/squid(/.*)?       gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squid(/.*)?   gen_context(system_u:object_r:squid_cache_t,s0)
I will try to explain how it works right now.

All .fc entries from selinux-policy and its modules are extracted to the file_contexts.template file, which is then used to build the following files:

- contexts/files/file_contexts.homedirs - this file is generated from homedir_template, which contains all lines from file_contexts.template with HOME_ROOT, HOME_DIR and/or USER keywords
- contexts/files/file_contexts - all other lines from the generated file_contexts.template

And then there's another file:

- contexts/files/file_contexts.local - local modifications made by 'semanage fcontext [-a|m]'

When a labeling utility, like matchpathcon or restorecon, looks for a label, it looks for local changes/modifications first. If it doesn't find a matching pattern, it looks into file_contexts.homedirs and finally it looks into the file_contexts file.

Given that file_contexts.homedirs defines a label for everything in HOME_ROOT, it overrides everything with '/home' specified in modules' .fc, so you need to use 'HOME_ROOT' instead of '/home'. Unfortunately, 'semanage fcontext -l' doesn't list records from file_contexts.homedirs now.

I guess that what Milos suggested - use 2 records, 1 with /home, 1 with HOME_ROOT - could be used as a workaround for this issue:

/home/squid(/.*)?       gen_context(system_u:object_r:squid_cache_t,s0)
HOME_ROOT/squid(/.*)?   gen_context(system_u:object_r:squid_cache_t,s0)
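The lookup order described in the comment above, as a simplified Python model (an added example, not code from the bug report or from libselinux): the three generated files are consulted in the order local, homedirs, file_contexts, and the first file with a match wins. The file contents are constructed approximations; HOME_ROOT and HOME_DIR are assumed to expand to /home and /home/[^/]+, and "most specific match within one file" is modelled as the longest literal prefix.

```python
import re

# Constructed approximations of the generated files (not real policy output).
FILE_CONTEXTS_LOCAL = []                        # semanage fcontext -a/-m entries
FILE_CONTEXTS_HOMEDIRS = [                      # built from homedir_template
    (r"/home/[^/]+", "user_home_dir_t"),        # HOME_DIR
    (r"/home/[^/]+/.+", "user_home_t"),         # HOME_DIR/.+
    (r"/home/squia", "squid_cache_t"),          # HOME_ROOT/squia
    (r"/home/squia/data", "squid_conf_t"),      # HOME_ROOT/squia/data
    (r"/home/squia/data/.*", "squid_conf_t"),   # HOME_ROOT/squia/data/.*
    (r"/home/squib(/.*)?", "squid_cache_t"),    # HOME_ROOT/squib(/.*)?
    (r"/home/squib/data(/.*)?", "squid_conf_t"),
]
FILE_CONTEXTS = [                               # module wrote a literal /home
    (r"/home/squid(/.*)?", "squid_cache_t"),
    (r"/home/squid/data(/.*)?", "squid_conf_t"),
]

_META = set(".^$*+?()[]{}|\\")


def literal_prefix(pattern):
    """Length of the leading part of a pattern with no regex metacharacters."""
    for i, ch in enumerate(pattern):
        if ch in _META:
            return i
    return len(pattern)


def best_match(entries, path):
    """Most specific match within one file: longest literal prefix, latest line on ties."""
    hits = [(literal_prefix(p), i, ctx)
            for i, (p, ctx) in enumerate(entries) if re.fullmatch(p, path)]
    return max(hits)[2] if hits else None


def resolve(path):
    """Local changes first, then file_contexts.homedirs, then file_contexts."""
    for tier in (FILE_CONTEXTS_LOCAL, FILE_CONTEXTS_HOMEDIRS, FILE_CONTEXTS):
        ctx = best_match(tier, path)
        if ctx is not None:
            return ctx
    return None


if __name__ == "__main__":
    for p in ("/home/squia/data/a", "/home/squib/data/a", "/home/squid/data/a"):
        print(p, resolve(p))
```

The generic HOME_DIR/.+ entry in the homedirs tier matches /home/squid/data/a before the file_contexts tier is ever consulted, which is why the literal-/home glob entries lose while the HOME_ROOT ones land in the same tier and win on specificity.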
(In reply to Zdenek Pytela from comment #2)
> Also (as noticed by Milos) does not seem to work correctly for the snapper
> module shipped by RH:

snapper.pp should probably be updated to use HOME_ROOT instead of, or together with, /home

>
> # semanage fcontext -l | grep ^/home
> /home/(.*/)?\.snapshots(/.*)? all files
> system_u:object_r:snapperd_data_t:s0
> /home/\.snapshots(/.*)? all files
> system_u:object_r:snapperd_data_t:s0
>
> # mkdir -p /home/.snapshots /home/a/.snapshots
> # ls -Zd /home/.snapshots /home/a/.snapshots
> drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0
> /home/a/.snapshots
> drwxr-xr-x. root root unconfined_u:object_r:snapperd_data_t:s0
> /home/.snapshots
>
> # matchpathcon /home/.snapshots /home/a/.snapshots
> /home/.snapshots unconfined_u:object_r:user_home_dir_t:s0
> /home/a/.snapshots unconfined_u:object_r:user_home_t:s0
>
> # restorecon -Rvn /home/.snapshots /home/a/.snapshots
> restorecon reset /home/.snapshots context
> unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:
> user_home_dir_t:s0
> restorecon reset /home/a/.snapshots context
> unconfined_u:object_r:snapperd_data_t:s0->unconfined_u:object_r:user_home_t:
> s0
Petr,

Thanks for the info. Do I understand correctly that you don't consider this issue as such to be a bug? From my point of view it is inconsistent at least, as it occurs only if both conditions are met - an entry is in /home and a regex is used. See also my example in this bug description and the matchpathcon command output:

# matchpathcon /home/squic/data/a /home/squic/data /home/squic
/home/squic/data/a  unconfined_u:object_r:user_home_t:s0
/home/squic/data    system_u:object_r:squid_conf_t:s0
/home/squic         system_u:object_r:squid_cache_t:s0

In that case:
1. Documentation should be updated to point to this fact
2. semanage fcontext should be fixed as it does not take file_contexts.homedirs into account
Petr,

Thanks for the investigation. I think we should fix this in policycoreutils. Moving to the policycoreutils component.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0913