Bug 1919944 - RFE: make fixfiles polyinstantiation aware [NEEDINFO]
Summary: RFE: make fixfiles polyinstantiation aware
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: policycoreutils
Version: 8.3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: 8.0
Assignee: Vit Mojzis
QA Contact: Milos Malik
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-25 12:27 UTC by Renaud Métrich
Modified: 2023-04-15 10:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
vmojzis: needinfo? (rmetrich)



Description Renaud Métrich 2021-01-25 12:27:31 UTC
Description of problem:

fixfiles can do a number of operations, including deleting content in /tmp and relabeling files in /var/tmp.
Unfortunately the tool is not polyinstantiation aware, which causes issues when used in that context:
- /tmp-inst (or similar, as configured in /etc/security/namespace.conf) is not cleaned up

    fullrelabel() {
        echo "Cleaning out /tmp"
        find /tmp/ -mindepth 1 -delete
        restore Relabel
    }


- /var/tmp/tmp-inst (or similar) is not relabeled properly

    find /var/tmp \( -context "*:${UNLABELED}*" -o -context "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \;


Please implement this functionality. Note that the target directories (/tmp-inst and /var/tmp/tmp-inst) are to be read from /etc/security/namespace.conf (and /etc/security/namespace.d/*) and not hardcoded.


Version-Release number of selected component (if applicable):

policycoreutils-2.9-9.el8.x86_64

Comment 3 Petr Lautrbach 2021-03-03 10:10:55 UTC
(In reply to Renaud Métrich from comment #0)
> Description of problem:
> 
> fixfiles can do a number of operations, including deleting content in /tmp
> and relabeling files in /var/tmp.
> Unfortunately the tool is not polyinstantiation aware, which causes issues
> when used in that context:
> - /tmp-inst (or similar, as configured in /etc/security/namespace.conf) is
> not cleaned up
> 
>     fullrelabel() {
>         echo "Cleaning out /tmp"
>         find /tmp/ -mindepth 1 -delete
>         restore Relabel
>     }
> 
> 
> - /var/tmp/tmp-inst (or similar) is not relabeled properly
> 
>     find /var/tmp \( -context "*:${UNLABELED}*" -o -context
> "*:${UNDEFINED}*" \) -exec chcon --no-dereference --reference /var/tmp {} \;
> 


There's an inconsistency between policy and default namespace.conf

https://bugzilla.redhat.com/show_bug.cgi?id=1934444


For non-standard directories, I'd suggest using equivalence to avoid unlabeled files:

# semanage fcontext -a -e /var/tmp /var/tmp-inst



> Please implement this functionality. Note that the target directories
> (/tmp-inst and /var/tmp/tmp-inst) are to be read from
> /etc/security/namespace.conf (and /etc/security/namespace.d/*) and not
> hardcoded.
> 

It would mean implementing a parser for namespace.conf and also a PAM configuration parser to detect whether pam_namespace is in use.

If it's possible, please consider using tmpfiles.d (configuration for creation, deletion and cleaning of volatile and temporary files, see 'man tmpfiles.d') for cleaning tmp directories.




> Version-Release number of selected component (if applicable):
> 
> policycoreutils-2.9-9.el8.x86_64

