Bug 2162313 - fixfiles does not take linked and bind mounted volumes into account
Summary: fixfiles does not take linked and bind mounted volumes into account
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: policycoreutils
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Vit Mojzis
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-01-19 10:44 UTC by Jiří Mencák
Modified: 2023-03-02 10:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-02 10:19:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
Red Hat Issue Tracker RHELPLAN-145759 (not private; priority, status and summary not set; last updated 2023-01-19 10:45:29 UTC)

Internal Links: 2178968

Description Jiří Mencák 2023-01-19 10:44:15 UTC
Description of problem:
policycoreutils' fixfiles should take links and bindmounts into account.

Version-Release number of selected component (if applicable):
# rpm -q policycoreutils
policycoreutils-2.9-19.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
# restorecon -vRF /etc/sysconfig
# ls -ldZ /etc/sysconfig
drwxr-xr-x. 5 root root system_u:object_r:etc_t:s0 4096 Jan 19 05:15 /etc/sysconfig
# mkdir -p /var/lib/kubelet/bind-sysconfig
# mount --rbind /etc/sysconfig/ /var/lib/kubelet/bind-sysconfig
# rpm -q container-selinux
container-selinux-2.173.1-2.module+el8.6.0+13970+cccb6385.noarch
# rpm -Uvh container-selinux-2.173.2-1.module+el8.6.0+14033+23075a37.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:container-selinux-2:2.173.2-1.mod################################# [ 50%]
Cleaning up / removing...
   2:container-selinux-2:2.173.1-2.mod################################# [100%]
# ls -ldZ /etc/sysconfig
drwxr-xr-x. 5 root root system_u:object_r:container_var_lib_t:s0 4096 Jan 19 05:15 /etc/sysconfig
# restorecon -vRF /etc/sysconfig
Relabeled /etc/sysconfig from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network-scripts from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/network-scripts/ifcfg-eth0 from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/grub from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/kernel from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/selinux from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/rpcbind from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/cpupower from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/sshd from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/chronyd from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/run-parts from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/crond from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:bin_t:s0
Relabeled /etc/sysconfig/kdump from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/rsyslog from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/qemu-ga from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/irqbalance from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/man-db from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/console from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/modules from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/raid-check from system_u:object_r:container_var_lib_t:s0 to system_u:object_r:etc_t:s0

Expected results:
SELinux contexts of the linked or bind-mounted volumes should not be changed by fixfiles or (possibly better) they should be resolved to the original volume before relabelling.

Additional info:
https://issues.redhat.com/browse/OCPBUGS-5255
Customer case: 03220372

Comment 1 Petr Lautrbach 2023-01-19 10:51:28 UTC
Would `fixfiles -M ...` help?

   -M     Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.

Comment 2 Jiří Mencák 2023-01-19 11:36:33 UTC
Thank you for looking Petr,

(In reply to Petr Lautrbach from comment #1)
> Would `fixfiles -M ...` help?
> 
>    -M     Bind mount filesystems before relabeling them, this allows fixing
> the context of files or directories that have been mounted over.

The short answer is NO.

Longer answer:
- the -M option doesn't ship with fixfiles in RHEL8.6
- looking at the (Fedora) manual page (and what you pasted) and the code suggests
  that it does the complete opposite of what I want it to do
- in spite of all the above, I still tried your suggestion and it failed as expected

Comment 3 Jiří Mencák 2023-01-19 12:13:00 UTC
A note to QE.

One way of testing a fix is to build your own container-selinux-2.173.2-1 RPM package and remove
%selinux_relabel_post -s %{selinuxtype}
by applying:

# diff -Nura *.orig *.spec
--- container-selinux.spec.orig 2023-01-10 08:07:20.000000000 -0500
+++ container-selinux.spec      2023-01-10 10:02:44.000000000 -0500
@@ -98,7 +98,6 @@
 fi
 
 %posttrans
-%selinux_relabel_post -s %{selinuxtype}
 
 #define license tag if not already defined
 %{!?_licensedir:%global license %doc}
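Review bot: the hunk at @@ -98,7 +98,6 @@ deletes the only statement of %posttrans and leaves an empty section behind (`%posttrans` followed by a blank line); for a QE-only build that is harmless, but either drop the now-empty section too or, better, keep it and put a comment in its place such as `# relabel on upgrade disabled for bz2162313 testing` so that anyone reading the spec sees why this build no longer runs `fixfiles -C /var/lib/rpm-state/file_contexts.pre restore` on upgrade, and give the test package a distinct Release so it cannot be confused with the shipped 2.173.2-1.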

This will not cause the invocation of
/usr/sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore
during the upgrade of the container-selinux package.

Then you can run the fixfiles manually and see if the SELinux labels have changed.

Comment 5 Petr Lautrbach 2023-02-08 09:39:23 UTC
I don't think `fixfiles` should decide on its own whether a bind or any other mount should be relabeled or not.

`fixfiles` could be configured to exclude particular directories from relabeling, see `man fixfiles`:

    The file /etc/selinux/fixfiles_exclude_dirs can contain a list of directories excluded from relabeling.

# mount --rbind /etc/sysconfig/ /var/lib/kubelet/bind-sysconfig
# fixfiles -v restore /etc /var
Relabeled /var/lib/kubelet/bind-sysconfig from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/nftables.conf from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/selinux from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/raid-check from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/firewalld from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/network-scripts from system_u:object_r:net_conf_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/network-scripts/readme-ifcfg-rh.txt from system_u:object_r:net_conf_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/sshd from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/chronyd from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/man-db from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/kernel from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/anaconda from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/network from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0
Relabeled /var/lib/kubelet/bind-sysconfig/grub from system_u:object_r:etc_t:s0 to system_u:object_r:var_lib_t:s0

# umount /var/lib/kubelet/bind-sysconfig/
# fixfiles -v restore /etc /var
Relabeled /etc/sysconfig from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/nftables.conf from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/selinux from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/raid-check from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/firewalld from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network-scripts from system_u:object_r:var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/network-scripts/readme-ifcfg-rh.txt from system_u:object_r:var_lib_t:s0 to system_u:object_r:net_conf_t:s0
Relabeled /etc/sysconfig/sshd from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/chronyd from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/man-db from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/kernel from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/anaconda from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/network from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0
Relabeled /etc/sysconfig/grub from system_u:object_r:var_lib_t:s0 to system_u:object_r:etc_t:s0

# echo /var/lib/kubelet/bind-sysconfig > /etc/selinux/fixfiles_exclude_dirs 
# mount --rbind /etc/sysconfig/ /var/lib/kubelet/bind-sysconfig
# fixfiles -v restore /etc /var
skipping the directory /var/lib/kubelet/bind-sysconfig
skipping the directory /var/lib/kubelet/bind-sysconfig


If there's a non-standard mount configuration, it should also be projected to /etc/selinux/fixfiles_exclude_dirs to avoid unwanted relabeling.
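The reproducer in the description shows the relabel propagating through the rbind, and comment 5 points at /etc/selinux/fixfiles_exclude_dirs as the place to project such mounts. The script below is an added example, not code from this bug report or from policycoreutils, that automates that projection: it parses /proc/self/mountinfo, treats any mount whose device already has a canonical mount as a bind alias, resolves the alias back to its origin from mountinfo's root field (field 4), and prints the alias mount points that lie under the directories about to be relabeled. The sample mountinfo excerpt, its device numbers and the `bind boot` mount point are constructed for the example; the function names are mine.

```python
#!/usr/bin/env python3
# Added example, not part of the bug report or of policycoreutils: find bind-mount
# aliases that a "fixfiles restore <dir>..." run would descend into and emit the
# entries to put in /etc/selinux/fixfiles_exclude_dirs (one absolute path per line).
import os
import re
import sys
from collections import namedtuple

Mount = namedtuple("Mount", "dev root mountpoint fstype")

# Constructed /proc/self/mountinfo excerpt: root fs on 253:0, /var on its own
# device, an rbind of /etc/sysconfig (as in the reproducer) and a bind of /boot
# at a mount point containing a space (mountinfo writes the space as \040).
SAMPLE_MOUNTINFO = """\
22 61 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
61 1 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2,inode64
85 61 8:1 / /boot rw,relatime shared:30 - xfs /dev/sda1 rw,attr2,inode64
90 61 253:2 / /var rw,relatime shared:31 - xfs /dev/mapper/rhel-var rw,attr2,inode64
120 90 253:0 /etc/sysconfig /var/lib/kubelet/bind-sysconfig rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2,inode64
121 90 8:1 / /var/lib/kubelet/bind\\040boot rw,relatime shared:30 - xfs /dev/sda1 rw,attr2,inode64
"""


def _unescape(field):
    # mountinfo escapes space, tab, newline and backslash as \ooo octal sequences
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo lines into Mount records; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        head, sep, tail = line.partition(" - ")   # " - " ends the optional fields
        fields, rest = head.split(), tail.split()
        if not sep or len(fields) < 6 or len(rest) < 2:
            continue
        # fields: id parent major:minor root mountpoint options [optional...]
        mounts.append(Mount(fields[2], _unescape(fields[3]),
                            _unescape(fields[4]), rest[0]))
    return mounts


def _is_under(path, root):
    root = root.rstrip("/") or "/"
    return path == root or path.startswith(root.rstrip("/") + "/")


def bind_aliases(mounts):
    """Map every bind-mount mount point to the path it is an alias of.

    The canonical mount of a device is the first entry with the shallowest
    root (normally "/"); any later mount of the same device exposes a subtree
    of it, and mountinfo's root field says which subtree.
    """
    canonical = {}
    for m in mounts:
        if m.dev not in canonical or len(m.root) < len(canonical[m.dev].root):
            canonical[m.dev] = m
    aliases = {}
    for m in mounts:
        c = canonical[m.dev]
        if m is c or not _is_under(m.root, c.root):
            continue
        rel = m.root[len(c.root.rstrip("/")):]
        origin = os.path.normpath(os.path.join(c.mountpoint, rel.lstrip("/")))
        if origin != m.mountpoint:
            aliases[m.mountpoint] = origin
    return aliases


def exclude_entries(mounts, relabel_roots):
    """Bind aliases that lie under any directory about to be relabeled.

    Walking the alias applies the alias path's file_contexts rules to the
    origin's files (var_lib_t on /etc/sysconfig in the bug), so the alias,
    not the origin, is what fixfiles must skip.
    """
    aliases = bind_aliases(mounts)
    return sorted(mp for mp in aliases
                  if any(_is_under(mp, r) for r in relabel_roots))


def main(argv):
    # Usage: bind_excludes.py DIR...  (reads the live mountinfo of the mount
    # namespace it runs in, which must be the one fixfiles will run in)
    with open("/proc/self/mountinfo") as f:
        mounts = parse_mountinfo(f.read())
    for entry in exclude_entries(mounts, argv[1:] or ["/"]):
        print(entry)


if __name__ == "__main__":
    main(sys.argv)
```

Append its output to /etc/selinux/fixfiles_exclude_dirs before the package upgrade or the manual `fixfiles restore`. The origin path is deliberately left in: relabeling /etc/sysconfig through its own path is what yields the correct etc_t and net_conf_t labels, and only the walk through /var/lib/kubelet/bind-sysconfig applies var_lib_t. Two caveats: a bind of a whole filesystem shows root "/" exactly like the original and is recognised only by the duplicate device id, and mountinfo is per mount namespace, so a bind created inside a container's namespace is not visible from the host.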

