Bug 972977 - SELinux context on polyinstantiated directories is incorrect
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Rob Millner
QA Contact: libra bugs
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2013-06-11 00:42 UTC by Rob Millner
Modified: 2015-05-14 23:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-24 14:52:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Rob Millner 2013-06-11 00:42:03 UTC
Description of problem:
The SELinux context on polyinstantiated directories (/tmp, /dev/shm) is incorrect on devenv.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create an app
2. ssh into the app
3. ls -ladZ /tmp

Actual results:
Something like:
drwxrwxrwt. 778471974781982305419264 root system_u:object_r:tmp_t:s0       /tmp

Expected results:
Something like:
drwxrwxrwt. 519a5c005004466c41000085 root system_u:object_r:openshift_tmp_t:s0:c5,c751 /tmp

Additional info:

It appears to be correct on prod, and there are other indicators that polydir is working, but the init script appears to be failing.

Comment 1 Rob Millner 2013-06-11 00:59:15 UTC
This bug may exist in prod.  At least one problem was observed with the use of all numeric usernames.  The oo-namespace-init script cannot get the password information to determine whether the directory is openshift.


+ '[' 0 = 1 ']'
+ exit 0
+ '[' 1 = 1 ']'
++ getent passwd 512884330434630336380928
+ passwd=
[HIDDEN] echo ''
++ cut -f6 -d:
+ homedir=
++ getfattr --only-values -n security.selinux ''
+ context=
++ echo ''
++ cut -f 3 -d:
+ setype=
+ cartvers=1
+ '[' -e /.env/CARTRIDGE_VERSION_2 ']'
+ '[' tmpfs '!=' tmpfs ']'
+ /sbin/restorecon /dev/shm
+ '[' '' = openshift_var_lib_t ']'
+ exit 0
+ '[' 0 = 1 ']'
+ exit 0
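The trace above shows the check bailing out because `getent passwd` treats an all-digit key as a UID and finds no row, so homedir, context and setype all end up empty and the script exits before labelling anything. As an added illustration (not the oo-namespace-init script and not the fix in the pull requests), the shell below reproduces that lookup against constructed passwd data and shows a name-only lookup that gates the polyinstantiation step correctly; the sample users, paths and label strings are made up.

```shell
#!/bin/sh
# Constructed passwd data standing in for `getent passwd` output on a node; the
# all-numeric username mirrors the gear UUID seen in the trace above (values made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
512884330434630336380928:x:1001:1001:OpenShift guest:/var/lib/openshift/512884330434630336380928:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash'

# Mimic getent(1): an all-digit key is looked up as a UID (field 3), anything else
# as a name (field 1). For a numeric gear UUID this matches no row, which is why
# the trace above ends up with homedir= empty. Comparisons are forced to string
# form so a 24-digit key is never compared as a floating-point number.
getent_like_homedir() {
    case $1 in
        *[!0-9]*) printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v k="$1" '($1 "") == (k "") { print $6 }' ;;
        *)        printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v k="$1" '($3 "") == (k "") { print $6 }' ;;
    esac
}

# Resolve the home directory by an exact match on the name field only, so a
# username made entirely of digits is never mistaken for a UID. Exits non-zero
# when there is no such user instead of silently yielding an empty string.
homedir_for_user() {
    printf '%s\n' "$SAMPLE_PASSWD" |
        awk -F: -v u="$1" '($1 "") == (u "") { print $6; found = 1 } END { exit !found }'
}

# The third colon-separated field of a SELinux label is the type, e.g.
# system_u:object_r:openshift_var_lib_t:s0:c5,c751 -> openshift_var_lib_t.
setype_of_context() {
    printf '%s\n' "$1" | cut -f3 -d:
}

# Gate for the polyinstantiation step: proceed only when the user resolves AND the
# home directory's label type is openshift_var_lib_t. The label is passed in here;
# on a real node it would come from `getfattr --only-values -n security.selinux "$homedir"`.
needs_polyinstantiation() {
    homedir_for_user "$1" >/dev/null || { echo "no passwd entry for '$1'" >&2; return 1; }
    [ "$(setype_of_context "$2")" = openshift_var_lib_t ]
}
```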

Comment 3 Rob Millner 2013-06-11 02:05:51 UTC
Pull request:

https://github.com/openshift/origin-server/pull/2808

Comment 4 Rob Millner 2013-06-11 21:54:53 UTC
The old pull request was failing and was closed for further hand testing.  Here's the latest pull request.
https://github.com/openshift/origin-server/pull/2818


Note on Q/E, you may have to create several apps to get one which has an all numeric user ID or create the gear by hand with oo-app-create.

Comment 5 Meng Bo 2013-06-14 06:29:49 UTC
Checked on devenv_3360,

App with numeric uuid has correct context for its /tmp and /sandbox dir.

[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /tmp/
drwxrwxrwt. 2 system_u:object_r:openshift_tmp_t:s0:c0,c502 337603337419803013939200 root 4096 Jun 14 02:26 /tmp/

[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /sandbox/
drwxr-xr-x. 2 system_u:object_r:openshift_tmp_t:s0 337603337419803013939200 root 4096 Jun 14 02:25 /sandbox/

Comment 6 Kurt Seifried 2013-06-27 20:39:25 UTC
This issue is classified as security hardening and not a security vulnerability due to the fact that it cannot be exploited without an additional vulnerability.
