This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
Bug 2224251 - User's temporary files are not labeled correctly
Summary: User's temporary files are not labeled correctly
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2023-07-20 09:32 UTC by Renaud Métrich
Modified: 2023-08-09 13:00 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-09 12:59:51 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System                  ID               Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker   RHEL-1099        0        None      None    None     2023-08-09 12:59:50 UTC
Red Hat Issue Tracker   RHELPLAN-162836  0        None      None    None     2023-07-20 09:33:51 UTC

Description Renaud Métrich 2023-07-20 09:32:26 UTC
Description of problem:

There is the following context in the database:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/home/[^/]+/tmp                                    directory          unconfined_u:object_r:user_tmp_t:s0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This makes all files created under the user's "tmp/" directory be labeled appropriately with "user_tmp_t".
But executing restorecon wants to relabel the files back to "user_home_t", which is probably not appropriate:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# restorecon -Frvn /home/admin/tmp
Would relabel /home/admin/tmp/foo from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Same issue happens for other similar locations:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/home/[^/]+/\.tmp                                  directory          unconfined_u:object_r:user_tmp_t:s0 
/home/[^/]+/tmp                                    directory          unconfined_u:object_r:user_tmp_t:s0 
/home/staff/\.tmp                                  directory          staff_u:object_r:user_tmp_t:s0 
/home/staff/tmp                                    directory          staff_u:object_r:user_tmp_t:s0 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

selinux-policy-3.14.3-117.el8_8.2.noarch

How reproducible:

Always

Steps to Reproduce:
1. Create a user and create temporary files

  # useradd admin
  # sudo -u admin -i
  $ mkdir tmp
  $ touch tmp/foo

2. Check labels

  # ls -Zd1 /home/admin/tmp /home/admin/tmp/foo
  unconfined_u:object_r:user_tmp_t:s0 /home/admin/tmp
  unconfined_u:object_r:user_tmp_t:s0 /home/admin/tmp/foo

3. Execute restorecon

  # restorecon -Frnv /home/admin/tmp

Actual results:

Would relabel /home/admin/tmp/foo from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0

Expected results:

No relabeling

Comment 1 Zdenek Pytela 2023-08-01 16:50:45 UTC
I think it is correct that the user_tmp_t type is not assigned to /home/login/tmp/file, but using <<none>> is an option.
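The behaviour in the report and the <<none>> option in comment 1 both follow from how libselinux resolves a path against file_contexts: entries are tried from the last to the first, an entry that names a file type (here "directory") only applies to that type, and a <<none>> context makes restorecon skip the file. The script below is an added example that models that lookup in Python; it is not code from the bug report or from selinux-policy. The four user_tmp_t entries are the ones quoted above; the two generic home-directory entries and the <<None>> override line are constructed assumptions (the real policy carries more entries), and the on-disk state is constructed from the reporter's `ls -Z` output.

```python
"""Model of libselinux file_contexts matching, used to show why
restorecon wants user_home_t for /home/admin/tmp/foo and how a <<None>>
entry changes that. Constructed example, not code from the bug or policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Excerpt in `semanage fcontext -l` layout: regex, file type, context.
# The user_tmp_t lines are quoted from the report; the first two lines are
# an ASSUMPTION standing in for the generic home entries of the RHEL 8 policy.
BASE_FCONTEXTS = r"""
/home/[^/]+                                        directory          unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+                                     all files          unconfined_u:object_r:user_home_t:s0
/home/[^/]+/\.tmp                                  directory          unconfined_u:object_r:user_tmp_t:s0
/home/[^/]+/tmp                                    directory          unconfined_u:object_r:user_tmp_t:s0
"""

# Hypothetical local customisation in the spirit of comment 1: leave
# everything below ~/tmp alone. Not part of the shipped policy.
NONE_OVERRIDE = r"""
/home/[^/]+/tmp/.*                                 all files          <<None>>
"""

FILE_TYPES = ("all files", "regular file", "directory", "character device",
              "block device", "socket", "symbolic link", "named pipe")
LINE_RE = re.compile(r"^(\S+)\s+(" + "|".join(FILE_TYPES) + r")\s+(\S+)$")


@dataclass
class Spec:
    regex: "re.Pattern"
    ftype: str
    context: Optional[str]  # None encodes <<None>>: do not relabel


def parse_fcontexts(text: str) -> List[Spec]:
    """Parse semanage-style lines into specs, keeping file order."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable fcontext line: {line!r}")
        path_re, ftype, ctx = m.groups()
        ctx_value = None if ctx.lower() == "<<none>>" else ctx
        specs.append(Spec(re.compile(path_re), ftype, ctx_value))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str) -> Optional[str]:
    """Context the policy assigns to `path` of type `ftype`.

    Mirrors libselinux: scan from the last entry to the first and stop at
    the first hit (so the last matching line wins), honour the file type
    filter, anchor the regex at both ends, and return None for <<None>>.
    """
    for spec in reversed(specs):
        if spec.ftype != "all files" and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    raise LookupError(f"no file_contexts entry matches {path}")


def restorecon_dry_run(specs: List[Spec],
                       files: List[Tuple[str, str, str]]) -> List[str]:
    """`restorecon -Fn`-style report for (path, ftype, current_context).

    -F semantics: the whole context is compared, not only the type field.
    Files that resolve to <<None>> or already carry the wanted context are
    silently skipped, as restorecon does.
    """
    messages = []
    for path, ftype, current in files:
        wanted = lookup(specs, path, ftype)
        if wanted is None or wanted == current:
            continue
        messages.append(f"Would relabel {path} from {current} to {wanted}")
    return messages


# Constructed on-disk state matching the reporter's `ls -Z` output.
ON_DISK = [
    ("/home/admin/tmp", "directory", "unconfined_u:object_r:user_tmp_t:s0"),
    ("/home/admin/tmp/foo", "regular file", "unconfined_u:object_r:user_tmp_t:s0"),
]

if __name__ == "__main__":
    base = parse_fcontexts(BASE_FCONTEXTS)
    for msg in restorecon_dry_run(base, ON_DISK):
        print(msg)
    patched = parse_fcontexts(BASE_FCONTEXTS + NONE_OVERRIDE)
    print("with <<None>> override:",
          restorecon_dry_run(patched, ON_DISK) or "no relabeling")
```

Run as-is it reproduces the reporter's "Would relabel" line for foo: the directory entry matches only the directory itself, so the file inside falls through to the generic user_home_t entry. With the <<None>> line appended (which is what a file_contexts.local customisation does) the file is skipped and the directory keeps user_tmp_t, because `/home/[^/]+/tmp/.*` does not match the directory path itself.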

