Bug 193996 - Deferred mapping of inodes
Deferred mapping of inodes
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
rawhide
All Linux
high Severity medium
: ---
: ---
Assigned To: Eric Paris
Brian Brock
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-06-04 02:30 EDT by James Morris
Modified: 2007-11-30 17:11 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-30 15:05:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Module dependency information (1.32 KB, text/plain)
2006-06-26 16:16 EDT, Karl MacMillan
no flags Details
Modules.conf used to generate the dependency information (21.17 KB, text/plain)
2006-06-26 16:19 EDT, Karl MacMillan
no flags Details

  None (edit)
Description James Morris 2006-06-04 02:30:57 EDT
See thread at 
http://marc.theaimsgroup.com/?l=selinux&m=114771094617968&w=2

This is required for proper distro integration with modular policy deployed via
RPM.  Status: needs resolution and to be implemented.
Comment 1 Eric Paris 2006-06-06 11:57:25 EDT
Indication from our userspace team that they will not have a valid userspace
tool using this patch before the 2.6.18 patch window.  Just not enough time. 
Jeremy, Paul are we certain that you can make rpm do what is needed?  Steven, is
their _plan_ on how rpm will work good enough to submit upstream?
Comment 2 Daniel Walsh 2006-06-06 12:14:20 EDT
The latest plan jeremy and I hatched to satisfy his requirement is to build a
new tool to wrap the policy load with a tool to do the equivalent of


if semodule -i mypolicy.pp fails
   restorecon -p mypolicy.pp
endif


Where restorecon -p mypolicy.pp reads the file context defined in the
mypolicy.pp file and relabels the files on disk with the
system defaults. 
Comment 3 James Morris 2006-06-06 12:19:32 EDT
(In reply to comment #1)
> Indication from our userspace team that they will not have a valid userspace
> tool using this patch before the 2.6.18 patch window.  Just not enough time. 
> Jeremy, Paul are we certain that you can make rpm do what is needed?  Steven, is
> their _plan_ on how rpm will work good enough to submit upstream?

A plan should be good enough, and it would help to have a timeframe for the
implementation of userspace support.
Comment 4 Jeremy Katz 2006-06-06 12:36:42 EDT
I'm quite certain that we can do it, just a matter of timing.  As for the
timeframe for doing it, between test1 and test2 (so targeting around 8 July to
definitely have it done)
Comment 5 Eric Paris 2006-06-14 10:07:54 EDT
Originaly from SDS
***************
Karl MacMillan raised the following concern during the selinux list discussion
last month, which I don't recall being resolved:

"Thinking through this more I realized that if we cannot guarantee ordering
within a transaction we cannot commit any policy modules until the end of the
transaction. Otherwise it will not be possible to have _any_ dependencies
between policy modules, which doesn't seem likely based on my recent
investigations into refpolicy dependencies.

If policy modules are only committed at the end of the transaction, verification
of the rpms will require going back through the headers of every rpm in the
transaction.

Dan, Jeremy, Paul, any thoughts about when the policy modules will be committed?"
Comment 6 Stephen Smalley 2006-06-14 10:25:45 EDT
(In reply to comment #2)
> The latest plan jeremy and I hatched to satisfy his requirement is to build a
> new tool to wrap the policy load with a tool to do the equivalent of
> 
> 
> if semodule -i mypolicy.pp fails
>    restorecon -p mypolicy.pp
> endif
> 
> 
> Where restorecon -p mypolicy.pp reads the file context defined in the
> mypolicy.pp file and relabels the files on disk with the
> system defaults. 

Under this approach, how does restorecon know which files were set down by rpm?
 The file contexts in the .pp file may contain pathname regexes.  How does this
approach deal with interdependent policy modules that need to be committed together?

We need to make sure that we have a good understanding of how these issues are
to be resolved.  I'd hate to upstream the kernel patch (which has no known
planned users other than rpm) only to find that we still can't solve the problem
of rpm handling of policy modules for other reasons (especially since the
solution to those other problems could lead us in a different direction even in
the kernel mechanism).


Comment 7 Joshua Brindle 2006-06-14 10:59:25 EDT
We need a solution to the policy dependancy problem before this can possibly
work. Since RPM assumes that it can lay down all the files within a transaction
and at the end of the transaction everything will work since there are no
inter-transaction dependancies this sort of situation can happen: (correct me if
I'm wrong)

RPM determines that package 2 (containing policy 2) depends on package 1
(containing policy 1) and puts those 2 packages in the same transaction. Policy
2 also depends on policy 1. Per the RPM guys the post scripts aren't guarenteed
to run in order so is it possible that package 1 and 2 files are put on disk and
package 2 postscript starts first. The semodule -i fails because the types
needed by policy 2 (which are declared in policy 1) aren't yet available.

The install can't be backed out so now the user has to intervene to install policy.

Second scenerio: mutually dependant policies. Same packages as above but policy
1 depends on policy 2 and policy 2 depends on policy 1. Then no matter what
order the postscripts are executed in the semodule -i fails. The policies must
be installed within the same semodule transaction (eg., semodule -i policy1.pp
-i policy2.pp) or they can't be installed. 

How is RPM going to solve these problems?
Comment 9 Stephen Smalley 2006-06-20 09:06:28 EDT
Any further thoughts on these issues?  If we are going to upstream the kernel
support, we need to do it soon for 2.6.18.

BTW, I noticed that over on rpm-devel list, jbj has several times mentioned
%pretrans and %posttrans as relevant to selinux policy.  I'm not familiar with
them myself, but assuming that they are pre-transaction and post-transaction
scriptlets, it seems like they could help with the policy module dependency issues.
Comment 10 Daniel Walsh 2006-06-22 13:25:54 EDT
Our current thoughts on this is to have a wrapper on semoudle -i which will be
called in the post install.  If it fails, it will automatcally relabel the
contented of the pp file to the system defaults.  

Is that satisfactory?
Comment 11 Stephen Smalley 2006-06-22 13:54:53 EDT
No, because it is no different than what you said before (in comment #2), and
doesn't deal with any of the issues that have been noted, e.g.
(1) handling inter-module dependencies requires being able to install multiple
policy modules from multiple packages as a single operation (either at the
beginning or the end of the transaction), and
(2) relabeling the unlabeled files to system defaults upon policy install
failure requires a list of all such files installed from all packages in the
transaction, not just the .pp files, as those don't necessarily enumerate
individual file paths, just pathname regexes.
Possibly %pretrans or %posttrans could be used to deal with (1), although I
don't know how they work.  For (2), we need rpm to maintain state in some manner
and provide that aggregate list of files to restorecon at the end.
We don't seem to be communicating.

Comment 12 Daniel Walsh 2006-06-22 15:38:27 EDT
No, because it is no different than what you said before (in comment #2), and
doesn't deal with any of the issues that have been noted, e.g.
(1) handling inter-module dependencies requires being able to install multiple
policy modules from multiple packages as a single operation (either at the
beginning or the end of the transaction)
> Circular dependancies between packages will not be supported.  If you have
Module A requiring Module B and Module B requiring A they have to be in the same
rpm.  
2) We will recursively restorecon over the file regex file paths in the PP
file(s) that fail in the current RPM.  Similarly to what we do now on policy update.
Comment 13 Eric Paris 2006-06-22 15:58:28 EDT
Where do the files that get laid down with 'illegal' contexts get those contexts? 

Inside the rpm do you have a list
filename1 - context1
filename2 - context2
filename3 - context3
and someone else you have the regex's from .fc's

or do you ONLY have filenames and regex's?

If files when they are laid down are being labeled by either a match to the
existing policy or the policy in the rpm then what dan is saying is fine.  If
the only way they got labeled 'illegally' when laid down on the fs is because
they matched an in .pp regex then using those same regex's to go back and check
is fine.  But if the files are laid down with a context stored seperately and
specifically for that file, and does not necessarily (even if it should) match a
regex in the .pp then you have to keep a list of all files laid down.
Comment 14 Stephen Smalley 2006-06-22 16:05:15 EDT
(1) Even without circular dependencies, it isn't clear that rpm will correctly
handle normal dependencies among policy modules presently when multiple packages
are installed in a transaction.  See Joshua's first scenario.  Also, even if rpm
will order things properly for us, this is going to be much slower than just
running semodule once, either at the beginning of the transaction or at the end
of it, on all of the modules at once.  So if rpm does support %pretrans and
%posttrans, why can't we use them?
(2) Applying restorecon to all files in the filesystem that match the pathname
regexes in the .pp file could relabel files that weren't installed by that
package, as the regex could match other files set down by earlier packages or
runtime files.  Runtime files are the larger concern there, although hopefully
they wouldn't overlap like that.  Not clear to me, but makes me nervous.
Why such resistance to any real integration with rpm?   I understand that
backward compatibility is paramount, but it seems that we can preserve
compatibility while still doing the right thing...
Comment 15 Stephen Smalley 2006-06-22 16:12:20 EDT
IIUC, rpmbuild will store the file and their contexts in the package header
(leveraging the old support introduced back in FC2) for files that match entries
in the per-package .pp file, and then rpm will use those contexts when available
at install time, otherwise falling back to system defaults.  Thus, the unlabeled
situation occurs when one of those header contexts is applied at install time
but the subsequent policy module insertion either fails completely or succeeds
but does not yield a policy that defines all of those contexts.  Inconsistency
between the header and the .pp is possible in the event of a buggy rpmbuild or
malicious package construction.  Further, we actually need a post check of
whether those contexts were all made valid by the policy update, so we need
those contexts to be available for such validation after the semodule -i completes.
Comment 16 James Morris 2006-06-26 14:49:40 EDT
We need some kind of executive decision from RH OS developers on this, today, so
we can get this patch into the 2.6.18 merge window, which is about to close.

Jeremy, Paul?
Comment 17 Karl MacMillan 2006-06-26 16:13:40 EDT
Just some additional information - I created a small tool that shows the
dependencies between policy modules. Using a small, but reasonable base there
are some, but not a lot of dependencies. So, in the normal case it looks like
module dependencies can be largely, but perhaps not completely, eliminated and
the dependencies are straightforward and non-circular. I will be submitting the
tool for upstream this week. I created an attachment with the output (in
graphviz format - http://www.graphviz.org) and the module.conf. Dependencies on
base are not shown (so any module that only depends on base is not shown).
Comment 18 Karl MacMillan 2006-06-26 16:16:29 EDT
Created attachment 131563 [details]
Module dependency information

Module dependency information (in graphviz format).
Comment 19 Karl MacMillan 2006-06-26 16:19:03 EDT
Created attachment 131564 [details]
Modules.conf used to generate the dependency information
Comment 20 Stephen Smalley 2006-06-26 16:51:56 EDT
Does this change the fundamental requirements:
(1) Need a way to run semodule once on all of the policy modules at the end of
the transaction to avoid ordering problems when there are dependencies (even
straightforward ones) and to avoid the policy rebuild/reload overhead on every
package.  Does %posttrans enable us to do this?
(2) Need a way to check the validity of all contexts set from package headers
after installing policy modules and to relabel any files set down in those
contexts if they are not valid.  This requires that rpm provide the list of
contexts and file paths to the helper/wrapper that performs the policy
installation; the .pp files aren't enough.
Note that (2) is particularly relevant to the kernel patch, as it provides the
safety net for the lack of checking provided by the kernel when labelpriv is used.
Comment 22 Eric Paris 2006-09-25 16:49:08 EDT
Since userspace was unable to come to a solution which allowed for inclusion of
SELinux policy in rpms which did not open the flood gates to additional attack
vectors by either buggy or maliciously crafted rpms this issue will not be
resolved in FC6.  I am going to leave this open against devel in case we are
better able to work together on this going forward in FC7.
Comment 23 Eric Paris 2007-04-30 15:05:39 EDT
I'm going to close this bug as there is currently little/no discussion about how
to handle policy inside and rpm going on.  If/when kernel work is needed to
allow such functionality we can re-open or open a new bug.
Comment 24 Jeff Johnson 2007-04-30 18:36:51 EDT
I'm ready to discuss whenever. I believe that selinux policy distribution needs reliable and sane packaging.

Note You need to log in before you can comment on or make changes to this bug.