2162313 – fixfiles does not take linked and bind mounted volumes into account

Bug 2162313 - fixfiles does not take linked and bind mounted volumes into account

Summary: fixfiles does not take linked and bind mounted volumes into account

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	policycoreutils
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Vit Mojzis
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-01-19 10:44 UTC by Jiří Mencák
Modified:	2023-03-02 10:19 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-03-02 10:19:22 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-145759	0	None	None	None	2023-01-19 10:45:29 UTC

Internal Links: 2178968

Description Jiří Mencák 2023-01-19 10:44:15 UTC

Description of problem:
policycoreutils' fixfiles should take links and bindmounts into account.

Version-Release number of selected component (if applicable):
# rpm -q policycoreutils
policycoreutils-2.9-19.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
# restorecon -vRF /etc/sysconfig
# ls -ldZ /etc/sysconfig
drwxr-xr-x. 5 root root system_u:object_r:etc_t:s0 4096 Jan 19 05:15 /etc/sysconfig
# mkdir -p /var/lib/kubelet/bind-sysconfig
# mount --rbind /etc/sysconfig/ /var/lib/kubelet/bind-sysconfig
# rpm -q container-selinux
container-selinux-2.173.1-2.module+el8.6.0+13970+cccb6385.noarch
# rpm -Uvh container-selinux-2.173.2-1.module+el8.6.0+14033+23075a37.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:container-selinux-2:2.173.2-1.mod################################# [ 50%]
Cleaning up / removing...
   2:container-selinux-2:2.173.1-2.mod################################# [100%]
# ls -ldZ /etc/sysconfig
drwxr-xr-x. 5 root root system_u:object_r:container_var_lib_t:s0 4096 Jan 19 05:15 /etc/sysconfig
# restorecon -vRF /etc/sysconfig
Relabeled /etc/sysconfig from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network-scripts from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/network-scripts/ifcfg-eth0 from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/grub from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/kernel from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/selinux from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/rpcbind from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/cpupower from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/sshd from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/chronyd from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/run-parts from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/crond from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:bin_t:s0
Relabeled /etc/sysconfig/kdump from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/rsyslog from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/qemu-ga from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/irqbalance from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/man-db from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/console from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/modules from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/raid-check from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0

Expected results:
SELinux contexts of the linked or bind-mounted volumes should not be changed by fixfiles or (possibly better) they should be resolved to the original volume before relabelling first.

Additional info:
https://issues.redhat.com/browse/OCPBUGS-5255
Customer case: 03220372

Comment 1 Petr Lautrbach 2023-01-19 10:51:28 UTC

Would `fixfiles -M ...` help?

   -M     Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.

Comment 2 Jiří Mencák 2023-01-19 11:36:33 UTC

Thank you for looking Petr,

(In reply to Petr Lautrbach from comment #1)
> Would `fixfiles -M ...` help?
> 
>    -M     Bind mount filesystems before relabeling them, this allows fixing
> the context of files or directories that have been mounted over.

The short answer is NO.

Longer answer:
- the -M option doesn't ship with fixfiles in RHEL8.6
- looking at the (Fedora) manual page (and what you pasted) and the code suggests
  that it does the complete opposite of what I want it to do
- inspite of all the above, I still tried your suggestion and it failed as expected

Comment 3 Jiří Mencák 2023-01-19 12:13:00 UTC

A note to QE.

One way of testing a fix is to build your own container-selinux-2.173.2-1 RPM package and remove
%selinux_relabel_post -s %{selinuxtype}
by

# diff -Nura *.orig *.spec
--- container-selinux.spec.orig 2023-01-10 08:07:20.000000000 -0500
+++ container-selinux.spec      2023-01-10 10:02:44.000000000 -0500
@@ -98,7 +98,6 @@
 fi
 
 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}

This will not cause the invocation of
/usr/sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore
during the upgrade of the container-selinux package.

Then you can run the fixfiles manually and see if the SELinux labels have changed.

Comment 5 Petr Lautrbach 2023-02-08 09:39:23 UTC

I don't think `fixfiles` should decide on its own whether a bind or any other mount should be relabeled or not.

`fixfiles` could be configured to exclude particular directories from relabeling, see `man fixfiles`:

    The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories excluded from relabeling.

# mount --rbind /etc/sysconfig/ /var/lib/kubelet/bind-sysconfig
# fixfiles -v restore /etc /var
Relabeled /var/lib/kubelet/bind-sysconfig from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/nftables.conf from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/selinux from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/raid-check from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/firewalld from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/network-scripts from system_u:object_r:net_conf_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/network-scripts/readme-ifcfg-rh.txt from system_u:object_r:net_conf_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/sshd from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/chronyd from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/man-db from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/kernel from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/anaconda from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/network from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/grub from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0

# umount /var/lib/kubelet/bind-sysconfig/
# fixfiles -v restore /etc /var
Relabeled /etc/sysconfig from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/nftables.conf from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/selinux from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/raid-check from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/firewalld from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network-scripts from system_u:object_r:var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/network-scripts/readme-ifcfg-rh.txt from system_u:object_r:var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/sshd from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/chronyd from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/man-db from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/kernel from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/anaconda from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/grub from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0

# echo /var/lib/kubelet/bind-sysconfig > /etc/selinux/fixfiles_exclude_dirs 
# mount --rbind /etc/sysconfig/ /var/lib/kubelet/bind-sysconfig
# fixfiles -v restore /etc /var
skipping the directory /var/lib/kubelet/bind-sysconfig
skipping the directory /var/lib/kubelet/bind-sysconfig


If there's non-standard mount configuration it should be also projected to /etc/selinux/fixfiles_exclude_dirs to avoid unwanted relabeling.

Note You need to log in before you can comment on or make changes to this bug.