Bug 1690527 - useradd: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shadow-utils
Version: 31
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1801846
 
Reported: 2019-03-19 16:04 UTC by dac.override
Modified: 2020-03-13 02:29 UTC (History)

Fixed In Version: shadow-utils-4.6-17.fc31 shadow-utils-4.6-9.fc30
Clone Of:
Clones: 1801846
Environment:
Last Closed: 2020-03-04 21:31:07 UTC
Type: Bug
Embargoed:



Description dac.override 2019-03-19 16:04:50 UTC
Description of problem:

useradd's create_mail() (which creates /var/spool/mail/$USER) currently does not create the file with a proper context.

create_home() calls set_selinux_file_context() and reset_selinux_file_context()
when the user home is created, to ensure that the home directory is labeled properly.

https://github.com/shadow-maint/shadow/blob/master/src/useradd.c#L2042

create_mail() however does not, and so user mail spool files end up mislabeled.

https://github.com/shadow-maint/shadow/blob/master/src/useradd.c#L2131

Version-Release number of selected component (if applicable):

shadow-utils-4.6-9.fc31.x86_64

How reproducible:
useradd -Z user_u joe

Steps to Reproduce:
1. useradd -Z user_u joe
2. ls -alZ /var/spool/mail/joe
3. note that the SELinux user identity in the context of /var/spool/mail/joe is not user_u

Actual results:
the selinux user identity of /var/spool/mail/joe is not "user_u"

Expected results:
the selinux user identity of /var/spool/mail/joe is "user_u"

Additional info:
Access control can be enforced based on SELinux user identities, roles and security levels (just as on types). It is important that the labels are accurate.

Comment 1 dac.override 2019-03-19 16:25:51 UTC
Err, well, the reproducer is not accurate ...

You would need to leverage it properly first, like so:

echo '(filecon "/var/spool/mail/%{USERNAME}" file (system_u object_r mail_spool_t ((s0)(s0))))' > mytest.cil && sudo semodule -i mytest.cil
useradd -Z user_u joe
matchpathcon /var/spool/mail/joe
ls -alZ /var/spool/mail/joe

Comment 2 Ben Cotton 2019-08-13 17:06:31 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 3 Ben Cotton 2019-08-13 19:31:00 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 4 Iker Pedrosa 2020-02-06 14:37:35 UTC
I have a fix for this issue. Would you be willing to test a scratch build?

Comment 5 dac.override 2020-02-06 16:59:40 UTC
Heck yes! Can I have the URL to the scratch build?

Comment 6 dac.override 2020-02-10 12:11:20 UTC
I am patiently awaiting the URL of the scratch build so that I can test whether the patch addresses the requested functionality.

Comment 7 Iker Pedrosa 2020-02-10 12:26:02 UTC
Sorry, when I was on the point of generating the scratch build I got some comments on the pull request that I created to fix this bug. I'm still trying to figure out how to make the improvements from the comments and keep the fix working as it should. I will come back to you as soon as everything is ready.

Comment 8 Petr Lautrbach 2020-02-11 13:53:19 UTC
The patch from the PR looks good; however, it would also need an update to selinux-policy in order to provide a template file context for /var/spool/mail/USER.

Comment 9 Petr Lautrbach 2020-02-11 17:36:25 UTC
I'd expect something like:

--- a/mta.fc
+++ b/mta.fc
@@ -41,4 +41,5 @@ ifdef(`distro_redhat',`
 /var/spool/(client)?mqueue(/.*)?       gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?    gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?          gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/mail/USER           --      gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/smtpd(/.*)?         gen_context(system_u:object_r:mail_spool_t,s0)
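Review bot: `/var/spool/mail/USER` on the added line is a template placeholder, not a literal path, and nothing in the hunk says so; a one-line comment above it (and a mention in the changelog) would stop the next reader from treating it as a stray entry or "fixing" it. Its position inside the `ifdef(`distro_redhat',` block named in the hunk header also means the per-user spool labelling only reaches builds that define distro_redhat; if every consumer of this policy should get the template, move the line next to the generic `/var/spool/mail(/.*)?` entry outside the conditional. The `--` file-type qualifier is appropriate, since the mailbox useradd creates is a regular file (the denial in comment 14 shows tclass=file).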

Comment 10 Petr Lautrbach 2020-02-11 17:58:57 UTC
https://koji.fedoraproject.org/koji/taskinfo?taskID=41459946

before

$ matchpathcon /var/spool/mail/user
/var/spool/mail/user    system_u:object_r:mail_spool_t:s0

after

$ matchpathcon /var/spool/mail/user
/var/spool/mail/user    user_u:object_r:mail_spool_t:s0

Comment 11 dac.override 2020-02-11 19:11:14 UTC
Looks good. Thanks. I guess I don't have to test it.

Comment 12 dac.override 2020-02-11 19:15:38 UTC
selinux-policy does not necessarily have to leverage this functionality, though. Without a patch to the policy, things should work the way they always have, and aside from me no one seems to have an issue with it. (Also, I suppose it should be used for MLS.)

I requested this functionality because I enforce separation based on roles in my personal policy and I wanted that to also apply to mail spool files.

Comment 13 Iker Pedrosa 2020-02-12 16:07:36 UTC
This is the scratch-build of shadow-utils with the patch that I created: https://koji.fedoraproject.org/koji/taskinfo?taskID=41469131

Comment 14 dac.override 2020-02-12 16:54:25 UTC
Are you sure that https://kojipkgs.fedoraproject.org//work/tasks/9139/41469139/shadow-utils-4.6-17.fc31.x86_64.rpm has the patch? It does not work for me:

```
[root@brutus ~]# rpm -qa | grep shadow-utils
shadow-utils-4.6-17.fc31.x86_64
[root@brutus ~]# useradd joe
Creating mailbox file: Permission denied
[root@brutus ~]# journalctl -rb --grep denied | head -n 1
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:52:12 CET. --
[root@brutus ~]# journalctl -rb --grep denied | head -n 2
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:52:12 CET. --
Feb 12 17:52:12 brutus audit[1336027]: AVC avc:  denied  { create } for  pid=1336027 comm="useradd" name="joe" scontext=wheel.id:sysadm.role:usermanage.useradd.subj:s0 tcontext=wheel.id:sysadm.role:files.generic_var_spool.var_spool_file:s0 tclass=file permissive=0
[root@brutus ~]# semodule -B
libsemanage.add_user: user gdm not in password file
libsemanage.add_user: user gnome-initial-setup not in password file
[root@brutus ~]# matchpathcon /var/spool/mail/joe
/var/spool/mail/joe     unprivuser.id:unprivuser.role:users.mail_spool.var_spool_file:s0
[root@brutus ~]# userdel -r joe
userdel: joe mail spool (/var/spool/mail/joe) not found
[root@brutus ~]# useradd joe
Creating mailbox file: Permission denied
[root@brutus ~]# journalctl -rb --grep denied | head -n 2
-- Logs begin at Fri 2019-10-18 17:35:24 CEST, end at Wed 2020-02-12 17:53:26 CET. --
Feb 12 17:53:26 brutus audit[1336433]: AVC avc:  denied  { create } for  pid=1336433 comm="useradd" name="joe" scontext=wheel.id:sysadm.role:usermanage.useradd.subj:s0 tcontext=wheel.id:sysadm.role:files.generic_var_spool.var_spool_file:s0 tclass=file permissive=0
```

Comment 15 Iker Pedrosa 2020-02-12 17:22:00 UTC
I think so, because I have also installed it and tested it and it seems to work. At least I don't get the following message: "Creating mailbox file: Permission denied"

You also need Petr's patch for SELinux to make it work. Have you tried with both packages installed?

Comment 16 dac.override 2020-02-12 17:27:45 UTC
I suspect that scratch build does not have the patch. I think I know how to test this; I reported the bug. I can tell that this is not a proper scratch build because the spec is not bumped.

Comment 17 dac.override 2020-02-12 18:16:59 UTC
https://kojipkgs.fedoraproject.org//work/tasks/9139/41469139/build.log seems to confirm:

This is the latest patch, and it is not yours:

Patch #41 (shadow-4.6-use-lckpwdf.patch):
+ echo 'Patch #41 (shadow-4.6-use-lckpwdf.patch):'
+ /usr/bin/patch --no-backup-if-mismatch -p1 -b --suffix .use-lckpwdf --fuzz=0
patching file lib/commonio.c
Hunk #1 succeeded at 367 (offset 3 lines).
Hunk #2 succeeded at 418 (offset 3 lines).
Hunk #3 succeeded at 477 (offset 3 lines).
patching file lib/commonio.h
patching file lib/groupio.c
patching file lib/pwio.c
Hunk #1 succeeded at 117 (offset 3 lines).
patching file lib/sgroupio.c
patching file lib/shadowio.c
Hunk #1 succeeded at 116 (offset 2 lines).
patching file lib/subordinateio.c
+ iconv -f ISO88591 -t utf-8 doc/HOWTO
+ cp -f doc/HOWTO.utf8 doc/HOWTO

Comment 18 Iker Pedrosa 2020-02-13 06:52:13 UTC
My bad, I'm sorry for that. I'm trying to fix it, but I'm facing other errors while doing the scratch build, which unfortunately I won't be able to fix until Monday.

Comment 19 Petr Lautrbach 2020-02-13 16:08:08 UTC
The problem is that Fedora ships shadow-4.8-selinux.patch, which changes the set_selinux_file_context() API:

useradd.c:2154:7: error: too few arguments to function 'set_selinux_file_context'
 2154 |   if (set_selinux_file_context (file) != 0) {
      |       ^~~~~~~~~~~~~~~~~~~~~~~~
In file included from useradd.c:64:
../lib/prototypes.h:346:12: note: declared here
  346 | extern int set_selinux_file_context (const char *dst_name, const char *orig_name);

Comment 20 Iker Pedrosa 2020-02-17 11:38:01 UTC
Finally, I have been able to compile the package in Koji. If you want to test it, please feel free to do so: https://koji.fedoraproject.org/koji/taskinfo?taskID=41542191

Comment 21 dac.override 2020-02-17 11:46:48 UTC
Works! Thanks very much!

[root@brutus ~]# useradd joe
[root@brutus ~]# ls -alZ /var/spool/mail/joe
-rw-rw----. 1 joe mail unprivuser.id:unprivuser.role:users.mail_spool.var_spool_file:s0 0 Feb 17 12:44 /var/spool/mail/joe
[root@brutus ~]#
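The reproducer from comment 1 and the before/after checks in comments 10 and 21 amount to one test: after `useradd -Z SEUSER NAME`, the SELinux user component of /var/spool/mail/NAME must equal SEUSER, both in the label the policy expects (matchpathcon) and on the file useradd actually created. The script below automates that check. It is an added example, not code from the bug report, shadow-utils or selinux-policy; the function names and the SAMPLE_* lines are constructed for the example (the sample lines copy the output format of matchpathcon and `ls -lZ` shown above), and `live_check` assumes a root shell on an SELinux system with matchpathcon installed.

```shell
#!/bin/sh
# Added example (not part of the bug report, shadow-utils or selinux-policy).
# Checks that a user's mail spool carries the SELinux user identity requested
# with `useradd -Z`, in both the policy's expected label and the on-disk label.
# Function names and SAMPLE_* values are constructed for this example.

# First colon-separated component of a context:
# user_u:object_r:mail_spool_t:s0 -> user_u
seuser_of_context() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Context column of a `matchpathcon PATH` line ("PATH<whitespace>CONTEXT").
context_from_matchpathcon_line() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Context column of an `ls -lZ FILE` line (mode links owner group context ...).
context_from_ls_line() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# Compare the SELinux user of the expected (policy) context and of the actual
# on-disk context with the identity passed to useradd -Z.
# Returns 0 when both match, 1 otherwise, printing a one-line reason.
check_mail_spool_label() {
    wanted=$1; expected_ctx=$2; actual_ctx=$3
    exp_user=$(seuser_of_context "$expected_ctx")
    act_user=$(seuser_of_context "$actual_ctx")
    if [ "$exp_user" != "$wanted" ]; then
        # The policy has no per-user template for the spool (comment 8/9).
        echo "policy gives $exp_user for the spool, wanted $wanted"
        return 1
    fi
    if [ "$act_user" != "$wanted" ]; then
        # Policy is fine but useradd created the file without setting
        # the creation context (the original create_mail() behaviour).
        echo "mail spool mislabeled: file carries $act_user, wanted $wanted"
        return 1
    fi
    echo "ok: mail spool labeled $actual_ctx"
    return 0
}

# Live check for a root shell on an SELinux system, e.g. after
# `useradd -Z user_u joe`:  live_check user_u joe
live_check() {
    seuser=$1; name=$2; spool="/var/spool/mail/$name"
    expected=$(context_from_matchpathcon_line "$(matchpathcon "$spool")")
    actual=$(context_from_ls_line "$(ls -lZ "$spool")")
    check_mail_spool_label "$seuser" "$expected" "$actual"
}

# Constructed sample output mirroring the bug's before and after states.
SAMPLE_MATCHPATHCON_BEFORE='/var/spool/mail/joe    system_u:object_r:mail_spool_t:s0'
SAMPLE_MATCHPATHCON_AFTER='/var/spool/mail/joe    user_u:object_r:mail_spool_t:s0'
SAMPLE_LS_BEFORE='-rw-rw----. 1 joe mail system_u:object_r:mail_spool_t:s0 0 Mar 19 16:04 /var/spool/mail/joe'
SAMPLE_LS_AFTER='-rw-rw----. 1 joe mail user_u:object_r:mail_spool_t:s0 0 Feb 17 12:44 /var/spool/mail/joe'

# Offline demonstration: unpatched state fails the check, patched state passes.
demo_before_fix() {
    check_mail_spool_label user_u \
        "$(context_from_matchpathcon_line "$SAMPLE_MATCHPATHCON_BEFORE")" \
        "$(context_from_ls_line "$SAMPLE_LS_BEFORE")"
}
demo_after_fix() {
    check_mail_spool_label user_u \
        "$(context_from_matchpathcon_line "$SAMPLE_MATCHPATHCON_AFTER")" \
        "$(context_from_ls_line "$SAMPLE_LS_AFTER")"
}

if [ "$1" = "live" ]; then
    live_check "$2" "$3"
fi
```

Run it as `sh check_spool.sh live user_u joe` on the target host; without arguments it only defines the functions, so `demo_before_fix` and `demo_after_fix` can be called from an interactive shell after sourcing it. The check deliberately distinguishes the two failure modes seen in the thread: a policy that still maps the spool to system_u (no template, comments 8 and 9) versus a templated policy with a useradd that never set the creation context (the original bug).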

Comment 22 Fedora Update System 2020-02-25 08:27:04 UTC
FEDORA-2020-51f31e0c19 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-51f31e0c19

Comment 23 Fedora Update System 2020-02-27 15:08:49 UTC
FEDORA-2020-b257bf174c has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b257bf174c

Comment 24 Fedora Update System 2020-02-27 18:11:34 UTC
shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b257bf174c

Comment 25 Fedora Update System 2020-02-27 18:34:39 UTC
shadow-utils-4.6-17.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-51f31e0c19

Comment 26 Fedora Update System 2020-03-04 21:31:07 UTC
shadow-utils-4.6-17.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 27 Fedora Update System 2020-03-12 22:12:53 UTC
shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2020-03-13 02:29:56 UTC
shadow-utils-4.6-9.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

