746637 – /var/log/rpmpkgs has wrong selinux context

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 746637 - /var/log/rpmpkgs has wrong selinux context

Summary: /var/log/rpmpkgs has wrong selinux context

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	rpm
Sub Component:
Version:	6.2
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Panu Matilainen
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	750638
TreeView+	depends on / blocked

Reported:	2011-10-17 11:02 UTC by Karel Srot
Modified:	2012-06-20 14:23 UTC (History)
CC List:	5 users (show)
Fixed In Version:	rpm-4.8.0-25.el6
Doc Type:	Bug Fix
Doc Text:	No documentation needed (documentation should be provided via selinux-policy errata on bug 820535)
Clone Of:
Environment:
Last Closed:	2012-06-20 14:23:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0909	0	normal	SHIPPED_LIVE	rpm bug fix and enhancement update	2012-06-19 20:46:44 UTC

Description Karel Srot 2011-10-17 11:02:31 UTC

Description of problem:

# ls -Z /var/log/rpmpkgs
-rw-r--r--. root root system_u:object_r:cron_log_t:s0  /var/log/rpmpkgs
# matchpathcon /var/log/rpmpkgs
/var/log/rpmpkgs	system_u:object_r:rpm_log_t:s0

this is because in /etc/cron.daily/rpm there is:
/bin/mv "$tmpfile" /var/log/rpmpkgs
while keeps the original root_t context. After mv there should be also
restorecon /var/log/rpmpkgs.


Version-Release number of selected component (if applicable):
rpm-cron-4.8.0-19.el6.noarch

How reproducible:
always

Comment 3 Buchan Milne 2011-12-07 12:21:37 UTC

At least one security benchmark (CIS RHEL Benchmark, v1.1.2, available from https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf , section 6.3 p62 ) recommends that this file be made inaccessible to non-root users.

The approach taken by this script of:
-create temp file
-mv temp file over previous file
-assign specific permissions (overriding secured umask)

makes it inconvenient to achieve this control. Our security standard, maintained by a separate group, is based on the CIS benchmark. So far we have a package which implements our internal standard, however in some cases it becomes unnecessarily complex, as some of the files that need to be modified are not marked as config(noreplace) in the original package, and so we already have a number of triggers to re-fix files that need fixing (e.g. /etc/issue, /etc/login.defs). This will be another one I need to add ...


Alternatively, could the temporary file not instead be copied over the existing file, thus preserving all file meta-data:
-attributes (such as SELinux context)
-ACLs
-permissions

Also, why are the permissions explicitly set (to what they would be by default), without any configurability? If a different umask is set (ours is 077 for root by requirement), it should be obeyed by default, or a mechanism to control the permissions that will be set should be provided.

However, copying and deleting the temp tile, instead of moving it, would fix all the current problems (besides possibly the initial labeling).

Since this has been split out of the 'rpm' package itself in RHEL6 though, for now we will jut not install the cron subpackage ...

Comment 4 Panu Matilainen 2011-12-14 07:46:14 UTC

Making /var/log/rpmpkgs* unreadable by regular users doesn't accomplish a whole lot since those users can just do 'rpm -qa' to get actually up-to-date information about the currently installed packages.

But sure we can tweak the dumb script again to cater to the selinux policy of the day.

Comment 8 Karel Srot 2012-05-09 13:39:39 UTC

Actually, it is necessary to call restorecon. Copying into /var/log doesn't give /var/log/rpmpkgs correct context because /var/log/rpmpkgs should have context different from /var/log directory itself.

Therefore you should:
mv temp_file /var/log/rpmpkgs
restorecon /var/log/rpmpkgs
chmod 644 /var/log/rpmpkgs

Could you please respin as soon as possible?

Comment 18 Karel Srot 2012-05-10 10:30:47 UTC

To sum it up. We will stick with cron_log_t context and update permissions to 644. ATM we do not need another respin.

But also change is required in selinux-policy, filed as Bug 820535

Btw, I have tested it with rpm-cron-4.8.0-27.el6.noarch:

[root@auto-x86-64-002 etc]# ls -Z /var/log/rpmpkgs
-rw-r--r--. root root system_u:object_r:cron_log_t:s0  /var/log/rpmpkgs
[root@auto-x86-64-002 etc]# ls -l /var/log/rpmpkgs
-rw-r--r--. 1 root root 41337 May 10 06:16 /var/log/rpmpkgs

Comment 21 Daniel Walsh 2012-05-10 21:45:31 UTC

Just make it cron_log_t and be done with it.

Comment 22 Buchan Milne 2012-05-11 10:46:46 UTC

(In reply to comment #4)
> Making /var/log/rpmpkgs* unreadable by regular users doesn't accomplish a whole
> lot since those users can just do 'rpm -qa' to get actually up-to-date
> information about the currently installed packages.

Depending on the permissions of /var/lib/rpm.

> But sure we can tweak the dumb script again to cater to the selinux policy of
> the day.

Looks like we'll just make our internal initial configuration package conflict with rpm-cron.

Comment 23 Buchan Milne 2012-05-11 11:04:45 UTC

(In reply to comment #18)
> To sum it up. We will stick with cron_log_t context and update permissions to
> 644.

By default, the permissions will be 644, so why are they explicitly set? To knowingly override a more secure default umask that the administrator has specifically configured (in order to reduce the amount of information disclosed to all users)?

Comment 25 Panu Matilainen 2012-05-24 12:48:38 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed (documentation should be provided via selinux-policy errata on bug 820535)

Comment 26 errata-xmlrpc 2012-06-20 14:23:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0909.html

Note You need to log in before you can comment on or make changes to this bug.