Bug 1871786 - Creating a user mapped explicitly with home directory in /tmp breaks the system
Summary: Creating a user mapped explicitly with home directory in /tmp breaks the system
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libsemanage
Version: 8.2
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Vit Mojzis
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1894575
Reported: 2020-08-24 10:12 UTC by Renaud Métrich
Modified: 2021-05-18 15:10 UTC (History)
CC: 7 users

Fixed In Version: libsemanage-2.9-5.el8
Doc Type: Enhancement
Doc Text:
Feature: Stop generating home directory context definitions for all sub-directories of "/".
Reason: Home directory file context definitions have higher priority than other file context definitions and effectively override them. SELinux automatically generates home directory file contexts for all login mappings. This may cause file contexts to be redefined in directories that are set as user homes (for users with an SELinux login mapping). Redefining the SELinux contexts of root sub-directories may lead to issues with core system functionality.
Result: By default, SELinux will not generate file context definitions for the home directories of users whose home directory is set to one of the following directories: /root, /bin, /boot, /dev, /etc, /lib, /lib64, /proc, /run, /sbin, /sys, /tmp, /usr, /var
Note: This feature was introduced via a change in the /etc/selinux/semanage.conf file and may not be applied automatically on systems where the file has been customised (please check the semanage.conf.rpmnew file if this is the case).
Clone Of:
Environment:
Last Closed: 2021-05-18 15:05:26 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:1672 0 None None None 2021-05-18 15:05:34 UTC

Description Renaud Métrich 2020-08-24 10:12:43 UTC
This bug was initially created as a copy of Bug #1871784

I am copying this bug because: 

Also applies to RHEL8 (libsemanage-2.9-2.el8.x86_64)

Description of problem:

Creating a user mapped explicitly with home directory being /tmp breaks the context of /tmp:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# useradd -Z unconfined_u -d /tmp test

# matchpathcon /tmp
/tmp	unconfined_u:object_r:user_home_dir_t:s0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This happens even though the default "usepasswd=False" is used in /etc/selinux/semanage.conf:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# usepasswd check tells semanage to scan all pass word records for home directories
# and setup the labeling correctly.  If this is turned off, SELinux will label /home 
# correctly only.  You will need to use semanage fcontext command.  
# For example, if you had home dirs in /althome directory you would have to execute
# semanage fcontext -a -e /home /althome
usepasswd=False
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

With "usepasswd=False", from the comment in the file, the tools are not supposed to change anything that is outside "/home".


Version-Release number of selected component (if applicable):

libsemanage-2.5-14.el7.x86_64


How reproducible:

Always, see above.

Additional info:

This issue is critical when updating Red Hat software such as RHVH: internally RHVH update procedure uses temporary mounts in /tmp/XXX that get all their files relabeled with "user_home_dir_t" due to this bug.

A workaround is to amend "ignoredirs" to specify "/tmp" as well:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
ignoredirs=/root;/tmp
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Comment 2 Petr Lautrbach 2020-10-07 08:10:38 UTC
We'll investigate the problem with using usepasswd=False and /tmp. If it's confirmed as a bug, we'll try to fix it, otherwise we'll probably update the default semanage.conf to use ignoredirs=/root;/tmp as a simple fix.

Comment 12 Petr Lautrbach 2020-12-17 10:19:46 UTC
The behaviour described in #c0 is actually correct.

# useradd -Z unconfined_u -d /tmp test

This command creates a SELinux user mapping for *test* user to unconfined_u as you can see in `semanage login` output:

# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
test                 unconfined_u         s0-s0:c0.c1023       *

`genhomedircon` uses these mappings to generate user-related file contexts based on templates. Therefore a new fc for '/tmp' is created:

# matchpathcon /tmp
/tmp    unconfined_u:object_r:user_home_dir_t:s0


If you remove the SELinux mapping for *test*, this user is ignored as /etc/passwd is ignored:

# semanage login -d test

# matchpathcon /tmp
/tmp    system_u:object_r:tmp_t:s0

Comment 16 Petr Lautrbach 2020-12-18 13:17:04 UTC
I'm going to revert the original patch and *semanage.conf* will be updated to use 

ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var

Also the comment in *semanage.conf* related to *usepasswd* is not correct and needs to be fixed:

Original sentence:

# If this is turned off, SELinux will label /home correctly only.

New sentence:

# If this is turned off, SELinux will label /home and home directories of users with SELinux login mappings defined as in `semanage login -l`.
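
As an added illustration (not code from this bug or from libsemanage), a small Python model of the selection described in comments 12 and 16: which login-mapped users' home directories genhomedircon would emit contexts for under usepasswd=False, checked against the old and the new ignoredirs defaults. The `semanage login -l` output is the one shown above; the passwd lines are constructed, and the exact-match ignore rule is an assumption about genhomedircon's behaviour.

```python
import re

# Constructed sample input: the `semanage login -l` output from comment 12
# and a made-up /etc/passwd excerpt matching the reproducer (user "test"
# was created with -d /tmp; "alice" has no SELinux login mapping).
SEMANAGE_LOGIN_L = """\
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
test                 unconfined_u         s0-s0:c0.c1023       *
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
test:x:1001:1001::/tmp:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""
OLD_IGNOREDIRS = "/root"                        # semanage.conf default before the fix
NEW_IGNOREDIRS = ("/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;"
                  "/sbin;/sys;/tmp;/usr;/var")  # default after the fix (comment 16)

MAPPING_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # name, seuser, range, service

def parse_login_mappings(text):
    """Login names with an explicit SELinux user mapping. The header line,
    blank lines, __default__ and %group entries are skipped."""
    names = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m and m.group(1) != "__default__" and not m.group(1).startswith("%"):
            names.append(m.group(1))
    return names

def parse_passwd(text):
    """Map user name -> home directory from passwd-format lines."""
    return {f[0]: f[5] for f in (ln.split(":") for ln in text.splitlines()) if len(f) == 7}

def homedir_contexts(login_text, passwd_text, ignoredirs):
    """Simplified model (an assumption, not libsemanage's own code) of which home
    directories get generated contexts with usepasswd=False: only login-mapped
    users are considered, and a home directory that exactly matches one of the
    ';'-separated ignoredirs entries, or is '/', is skipped."""
    ignore = set(ignoredirs.split(";")) | {"/"}
    homes = parse_passwd(passwd_text)
    return {u: homes[u] for u in parse_login_mappings(login_text)
            if u in homes and homes[u] not in ignore}

def overridden_system_dirs(login_text, passwd_text, ignoredirs):
    """Home directories that are direct children of '/' (e.g. /tmp) and would
    therefore have their system file context overridden by user_home_dir_t."""
    return {u: h for u, h in homedir_contexts(login_text, passwd_text, ignoredirs).items()
            if h.count("/") == 1}
```

With the old default only /root is excluded, so the mapped user "test" yields a context for /tmp; with the new default list, or after `semanage login -d test`, nothing outside the ignore list remains.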

Comment 29 errata-xmlrpc 2021-05-18 15:05:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (libsemanage bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1672

