Original context and information in https://github.com/coreos/fedora-coreos-tracker/issues/1806

When running semodule -N --refresh on Fedora CoreOS we are seeing files get created that have the wrong file contexts:

```
root@cosa-devsh:~# restorecon -rvn /etc/selinux
root@cosa-devsh:~# semodule -N --refresh
root@cosa-devsh:~# restorecon -rvn /etc/selinux
Would relabel /etc/selinux/targeted/active/booleans.local from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
...
...
```

I traced the Fedora CoreOS rawhide history and found this behavior was introduced in:

```
BISECT TEST RESULTS:
Last known good build: 42.20240911.91.0
First known bad build: 42.20240914.91.0
```

which had the following changeset:

```
ostree diff commit from: 3a8acb2a5b7971084404216fb7c1d0282f626c7186618c361aa4545fbe3493b8
ostree diff commit to: 766159d55230282690a7e11cbe836fe06b26c62d846f9ba256bd4e9489e9e7d3
Upgraded:
  bootc 0.1.15-1.fc42 -> 0.1.16-1.fc42
  conmon 2:2.1.12-2.fc41 -> 2:2.1.12-3.fc42
  container-selinux 2:2.232.1-2.fc41 -> 2:2.233.0-1.fc42
  crun 1.15-2.fc41 -> 1.17-1.fc42
  crun-wasm 1.15-2.fc41 -> 1.17-1.fc42
  curl 8.9.1-3.fc42 -> 8.10.0-1.fc42
  gnutls 3.8.7-2.fc42 -> 3.8.7-4.fc42
  kbd 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kbd-legacy 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kbd-misc 2.6.4-4.fc41 -> 2.6.4-5.fc42
  kernel 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-core 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-modules 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  kernel-modules-core 6.11.0-0.rc7.56.fc42 -> 6.11.0-0.rc7.20240913git196145c606d0.60.fc42
  libcurl-minimal 8.9.1-3.fc42 -> 8.10.0-1.fc42
  libgcc 14.2.1-2.fc42 -> 14.2.1-3.fc42
  libldb 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  libselinux 3.7-5.fc41 -> 3.7-6.fc42
  libselinux-utils 3.7-5.fc41 -> 3.7-6.fc42
  libsemanage 3.7-2.fc41 -> 3.7-3.fc42
  libsepol 3.7-2.fc41 -> 3.7-3.fc42
  libsmbclient 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  libstdc++ 14.2.1-2.fc42 -> 14.2.1-3.fc42
  libwbclient 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  microcode_ctl 2:2.1-64.fc42 -> 2:2.1-65.fc42
  openssl 1:3.2.2-5.fc41 -> 1:3.2.2-8.fc42
  openssl-libs 1:3.2.2-5.fc41 -> 1:3.2.2-8.fc42
  rpm 4.19.93-1.fc42 -> 4.19.94-1.fc42
  rpm-libs 4.19.93-1.fc42 -> 4.19.94-1.fc42
  rpm-plugin-selinux 4.19.93-1.fc42 -> 4.19.94-1.fc42
  samba-client-libs 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  samba-common 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  samba-common-libs 2:4.21.0-7.fc42 -> 2:4.21.0-9.fc42
  selinux-policy 41.16-1.fc42 -> 41.17-1.fc42
  selinux-policy-targeted 41.16-1.fc42 -> 41.17-1.fc42
  zlib-ng-compat 2.1.7-2.fc41 -> 2.1.7-3.fc42
```

I realize that policycoreutils wasn't changed in that update so it's probably either the policy or selinux libraries so feel free to move this to the appropriate component.

Reproducible: Always
Most likely related to https://github.com/SELinuxProject/selinux/commit/d96f27bf7cb918cfd3123c5281381ef8b5196ac3
Hi Petr. Any updates on this?
The problem seems to be in libsemanage which copies files from /active/ to /tmp/ and relabels them there. In a standard system, this is not an issue as both locations translate to the same context, e.g.

```
root@localhost:~# matchpathcon /var/lib/selinux/targeted/active/booleans.local /var/lib/selinux/targeted/tmp/booleans.local
/var/lib/selinux/targeted/active/booleans.local    system_u:object_r:semanage_store_t:s0
/var/lib/selinux/targeted/tmp/booleans.local       system_u:object_r:semanage_store_t:s0
```

But it differs on coreos where semanage-store is set to /etc/selinux:

```
root@localhost:~# matchpathcon /etc/selinux/targeted/active/booleans.local /etc/selinux/targeted/tmp/booleans.local
/etc/selinux/targeted/active/booleans.local    system_u:object_r:semanage_store_t:s0
/etc/selinux/targeted/tmp/booleans.local       system_u:object_r:selinux_config_t:s0
```

I see two possible solutions for this and I guess both should be applied:

1. add fcontext mapping for '/etc/selinux/(minimum|mls|targeted)/tmp(/.*)?'

   This can also be used as a local workaround:

```
root@localhost:~# semodule -N --refresh
root@localhost:~# restorecon -rvn /etc/selinux | head
Would relabel /etc/selinux/targeted/active/booleans.local from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/file_contexts from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
Would relabel /etc/selinux/targeted/active/file_contexts.homedirs from system_u:object_r:selinux_config_t:s0 to system_u:object_r:semanage_store_t:s0
root@localhost:~# restorecon -rF /etc/selinux
root@localhost:~# semanage fcontext -a -t semanage_store_t '/etc/selinux/(minimum|mls|targeted)/tmp(/.*)?'
root@localhost:~# semodule -N --refresh
root@localhost:~# restorecon -rvn /etc/selinux | head
```

2. fix libsemanage to set the files' context on the final destination after /tmp/ is renamed to /active/
Hmm, another approach is to have rpm-ostree add an equivalency rule to file_contexts.subs_dist like `/etc/selinux/targeted /var/lib/selinux/targeted`. This seems the most appropriate since it's rpm-ostree which redirects /var/lib/selinux/targeted -> /etc/selinux/targeted in the first place. (Though in the past we've wanted to have that logic not live in rpm-ostree ideally -- see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1290659, but that's how things stand today at least).
> Hmm, another approach is to have rpm-ostree add an equivalency rule to file_contexts.subs_dist like `/etc/selinux/targeted /var/lib/selinux/targeted`.

Looking at that, a problem with doing it like this actually is that selinux-policy-targeted itself also has files in `/etc/selinux/targeted` with valid labels (distinct from semanage_store_t). So the equivalency rule would have to be reduced to specific subdirectories like `active` and `tmp`, which is less appealing. So going back to comment #3, I'd vote for (2). (1) sounds OK too, but that should probably live in rpm-ostree instead for the same reason mentioned in comment #4.
The selinux-policy fix is simple and probably should have been there from the beginning - https://bugzilla.redhat.com/show_bug.cgi?id=2323878 -> https://github.com/fedora-selinux/selinux-policy/pull/2420

```
- /etc/selinux/(minimum|mls|targeted)/active(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+ /etc/selinux/(minimum|mls|targeted)/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
```
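Review bot: the new pattern enumerates `active`, `tmp` and `previous`, but the type_transition rules quoted in comment #7 (`sesearch -T -t selinux_config_t | grep semanage_store_t`) also create a `policy` subdirectory as semanage_store_t; confirm that `/etc/selinux/(minimum|mls|targeted)/policy(/.*)?` is already covered by another file context entry, or extend this line to include it, so that the default labels restorecon applies match what the transitions produce for every subdirectory of the store.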
Why had we not seen it before? There's a bunch of type transition rules in policy:

```
# sesearch -T -t selinux_config_t | grep semanage_store_t
...
type_transition unconfined_t selinux_config_t:dir semanage_store_t active;
type_transition unconfined_t selinux_config_t:dir semanage_store_t policy;
type_transition unconfined_t selinux_config_t:dir semanage_store_t previous;
type_transition unconfined_t selinux_config_t:dir semanage_store_t tmp;
...
```

It means that when libsemanage created a new /tmp/ directory, the directory got the semanage_store_t label and all files inside /tmp/ inherited this label. Since the libsemanage relabel change, the directory /tmp/ and files in /tmp/ are relabeled to the default context, which is currently selinux_config_t, but there's a fix to change it to semanage_store_t.
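The labelling outcomes described in comments #3, #6 and #7 (tmp/ resolving to selinux_config_t before the policy fix and to semanage_store_t after it, the local `semanage fcontext` workaround, and the difference the libsemanage relabel step makes) can be reproduced offline with a small model of file_contexts lookup and of the copy-to-tmp/rename-to-active commit. This is an added example, not code from libsemanage, libselinux, selinux-policy or any participant in this bug. The two semanage_store_t patterns are the ones from the policy diff quoted above; the generic `/etc/selinux(/.*)?` -> selinux_config_t entry, the last-match-wins ordering of the entry list and the three file names are assumptions made for illustration.

```python
import re

# Constructed file_contexts entries used only for this illustration. The two
# semanage_store_t patterns are taken from the selinux-policy diff quoted above;
# the generic /etc/selinux(/.*)? -> selinux_config_t line is an ASSUMED stand-in
# for the policy's default /etc/selinux mapping, not a verbatim policy entry.
SELINUX_CONFIG_T = "system_u:object_r:selinux_config_t:s0"
SEMANAGE_STORE_T = "system_u:object_r:semanage_store_t:s0"
GENERIC = (r"/etc/selinux(/.*)?", SELINUX_CONFIG_T)

BEFORE_FIX = [
    GENERIC,
    (r"/etc/selinux/(minimum|mls|targeted)/active(/.*)?", SEMANAGE_STORE_T),
]
AFTER_FIX = [
    GENERIC,
    (r"/etc/selinux/(minimum|mls|targeted)/(active|tmp|previous)(/.*)?", SEMANAGE_STORE_T),
]


def with_local_workaround(entries):
    """Model the local workaround from comment #3:
    semanage fcontext -a -t semanage_store_t '/etc/selinux/(minimum|mls|targeted)/tmp(/.*)?'
    i.e. a local entry consulted after the distribution entries."""
    return entries + [(r"/etc/selinux/(minimum|mls|targeted)/tmp(/.*)?", SEMANAGE_STORE_T)]


def matchpathcon(path, entries):
    """Default context for path (None if nothing matches). Assumption: the last
    matching entry wins, mirroring a sorted file_contexts where the more
    specific patterns come last."""
    context = None
    for regex, ctx in entries:
        if re.fullmatch(regex, path):
            context = ctx
    return context


def simulate_refresh(entries, relabel_tmp):
    """Model the libsemanage commit path from comments #3 and #7: files are copied
    from active/ to tmp/, then tmp/ is renamed over active/. With relabel_tmp=True
    (the libsemanage relabel change) each file in tmp/ is first set to its policy
    default; with relabel_tmp=False (older libsemanage) files keep the
    semanage_store_t label inherited from the tmp/ directory, which the
    type_transition rule on the name 'tmp' created with that type."""
    store = "/etc/selinux/targeted"
    names = ["booleans.local", "file_contexts", "file_contexts.homedirs"]  # constructed sample
    labels = {}
    for name in names:
        label = matchpathcon(f"{store}/tmp/{name}", entries) if relabel_tmp else SEMANAGE_STORE_T
        labels[f"{store}/active/{name}"] = label  # rename(2) carries the label along
    return labels


def restorecon_dry_run(labels, entries):
    """Model `restorecon -rvn`: (path, current, default) for every file whose
    current label differs from the policy default."""
    return [(path, current, matchpathcon(path, entries))
            for path, current in labels.items()
            if current != matchpathcon(path, entries)]


if __name__ == "__main__":
    scenarios = [
        ("old libsemanage, old policy", BEFORE_FIX, False),
        ("new libsemanage, old policy", BEFORE_FIX, True),
        ("new libsemanage, local fcontext workaround", with_local_workaround(BEFORE_FIX), True),
        ("new libsemanage, fixed policy", AFTER_FIX, True),
    ]
    for title, entries, relabel in scenarios:
        mismatches = restorecon_dry_run(simulate_refresh(entries, relabel), entries)
        print(f"{title}: {len(mismatches)} file(s) would be relabeled")
        for path, current, default in mismatches:
            print(f"  Would relabel {path} from {current} to {default}")
```

Only the second scenario reports mismatches, which is the combination the bug report hit: the relabel step in tmp/ applies the default for a path the old policy never mapped to semanage_store_t, and the subsequent rename moves those labels under active/. Either appending the tmp/ entry locally or shipping the widened policy pattern makes the tmp/ default agree with active/, which is why comment #3 suggests applying both the policy and the libsemanage fix.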
(In reply to Petr Lautrbach from comment #7)
> Why we had not seen it before?

If this question is meant for the CoreOS team, I think we probably have had this problem for a while. We just recently started doing more checks to identify files that don't match the policy on our systems in CI, including upgrade tests, which covers this case.
It was a rhetorical question and it's explained in the comment.
"the libsemanage relabel change" is meant to be https://github.com/SELinuxProject/selinux/commit/d96f27bf7cb918cfd3123c5281381ef8b5196ac3 and it was introduced in libsemanage-3.7-3
This bug appears to have been reported against 'rawhide' during the Fedora Linux 42 development cycle. Changing version to 42.