Bug 972977 - SELinux context on polyinstantiated directories is incorrect
Status: CLOSED CURRENTRELEASE
Product: OpenShift Online
Classification: Red Hat
Component: Containers
Version: 2.x
Priority: high
Severity: high
Assigned To: Rob Millner
QA Contact: libra bugs
Keywords: Security
Reported: 2013-06-10 20:42 EDT by Rob Millner
Modified: 2015-05-14 19:21 EDT
Doc Type: Bug Fix
Last Closed: 2013-06-24 10:52:55 EDT
Type: Bug

Description Rob Millner 2013-06-10 20:42:03 EDT
Description of problem:
The SELinux context on polyinstantiated directories (/tmp, /dev/shm) is incorrect on devenv.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create an app
2. ssh into the app
3. ls -ladZ /tmp

Actual results:
Something like:
drwxrwxrwt. 778471974781982305419264 root system_u:object_r:tmp_t:s0       /tmp

Expected results:
Something like:
drwxrwxrwt. 519a5c005004466c41000085 root system_u:object_r:openshift_tmp_t:s0:c5,c751 /tmp

Additional info:

It appears to be correct on prod, and there are other indicators that polydir is working but the init script appears to be failing.
Comment 1 Rob Millner 2013-06-10 20:59:15 EDT
This bug may exist in prod. At least one problem was observed with the use of all-numeric usernames. The oo-namespace-init script cannot get the password information to determine whether the directory is openshift.


+ '[' 0 = 1 ']'
+ exit 0
+ '[' 1 = 1 ']'
++ getent passwd 512884330434630336380928
+ passwd=
++ echo ''
++ cut -f6 -d:
+ homedir=
++ getfattr --only-values -n security.selinux ''
+ context=
++ echo ''
++ cut -f 3 -d:
+ setype=
+ cartvers=1
+ '[' -e /.env/CARTRIDGE_VERSION_2 ']'
+ '[' tmpfs '!=' tmpfs ']'
+ /sbin/restorecon /dev/shm
+ '[' '' = openshift_var_lib_t ']'
+ exit 0
+ '[' 0 = 1 ']'
+ exit 0
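In the trace above, `getent passwd 512884330434630336380928` prints nothing, so `$homedir` and `$setype` stay empty and the script exits before the directory is ever compared against `openshift_var_lib_t`. The shell below is an added example, not the oo-namespace-init script or anything from the pull requests in this bug: it reproduces getent's all-digit-key rule against a constructed passwd database, resolves the gear's entry by exact name instead, and applies the type/category check implied by the "Expected results" in the description (openshift_tmp_t with per-gear MCS categories rather than plain tmp_t:s0). The sample passwd rows, the `PASSWD_DB` variable and all function names are assumptions.

```shell
#!/bin/sh
# Added example; not the origin-server oo-namespace-init script.
# Shows why a numeric gear name defeats `getent passwd` and how to look the
# entry up by name instead, plus a check for the expected /tmp label.

# Constructed passwd database standing in for /etc/passwd. Point PASSWD_DB
# at a real file to run the same lookups against it.
PASSWD_DB="${PASSWD_DB:-}"

sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
512884330434630336380928:x:1001:1001:OpenShift guest:/var/lib/openshift/512884330434630336380928:/usr/bin/oo-trap-user
512884330434630336380929:x:1002:1002:OpenShift guest:/var/lib/openshift/512884330434630336380929:/usr/bin/oo-trap-user
alice:x:1003:1003::/home/alice:/bin/bash
EOF
}

passwd_db() {
    if [ -n "$PASSWD_DB" ]; then cat "$PASSWD_DB"; else sample_passwd; fi
}

# Print the first entry whose field number $1 equals $2, comparing as strings.
# Without the "" concatenation awk compares two digit strings as doubles, and
# 24-digit gear names differing only in the last digits collapse to one value.
match_field() {
    passwd_db | awk -F: -v f="$1" -v v="$2" '($f "") == (v "") { print; exit }'
}

# Approximates getent(1)'s rule: an all-digit key is resolved as a UID, not as
# a name. That is why the trace's lookup of 512884330434630336380928 is empty:
# no such UID exists (the value does not even fit a uid_t).
getent_style_lookup() {
    case $1 in
        ''|*[!0-9]*) match_field 1 "$1" ;;   # has a non-digit: by name
        *)           match_field 3 "$1" ;;   # all digits: by uid field
    esac
}

# Robust form: always match the name field, so numeric usernames resolve.
passwd_entry_by_name() { match_field 1 "$1"; }
homedir_by_name()      { passwd_entry_by_name "$1" | cut -f6 -d:; }

# SELinux type from a full label (the same `cut -f 3 -d:` the trace uses).
setype_of_context() { printf '%s\n' "$1" | cut -f3 -d:; }

# MCS categories after the sensitivity; empty when the label is bare "s0".
categories_of_context() {
    printf '%s\n' "$1" | awk -F: '{ if (NF >= 5) print $5; else print "" }'
}

# The check behind the bug's "Expected results": the gear's /tmp must be typed
# openshift_tmp_t and carry gear-specific categories. A label of tmp_t:s0, as
# in "Actual results", fails on both counts.
tmp_context_ok() {
    [ "$(setype_of_context "$1")" = "openshift_tmp_t" ] &&
        [ -n "$(categories_of_context "$1")" ]
}

# The comparison the init script performs on the home directory's type.
is_openshift_home_type() {
    [ "$(setype_of_context "$1")" = "openshift_var_lib_t" ]
}
```

On a gear the label to feed `tmp_context_ok` can be read with `stat -c %C /tmp` (or, as the trace does, `getfattr --only-values -n security.selinux /tmp`). The string comparison in `match_field` is deliberate: an exact match on the name field is the only lookup that treats a 24-digit gear name as a name, and the double-precision collapse is a real collision risk when two gears on a node have names that differ only in their low digits.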
Comment 3 Rob Millner 2013-06-10 22:05:51 EDT
Pull request:

https://github.com/openshift/origin-server/pull/2808
Comment 4 Rob Millner 2013-06-11 17:54:53 EDT
The old pull request was failing and was closed for further hand testing.  Here's the latest pull request.
https://github.com/openshift/origin-server/pull/2818


Note for QE: you may have to create several apps to get one that has an all-numeric user ID, or create the gear by hand with oo-app-create.
Comment 5 Meng Bo 2013-06-14 02:29:49 EDT
Checked on devenv_3360,

The app with a numeric UUID has the correct context for its /tmp and /sandbox directories.

[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /tmp/
drwxrwxrwt. 2 system_u:object_r:openshift_tmp_t:s0:c0,c502 337603337419803013939200 root 4096 Jun 14 02:26 /tmp/

[php1-bmengdev.dev.rhcloud.com 337603337419803013939200]> ls -Zld /sandbox/
drwxr-xr-x. 2 system_u:object_r:openshift_tmp_t:s0 337603337419803013939200 root 4096 Jun 14 02:25 /sandbox/
Comment 6 Kurt Seifried 2013-06-27 16:39:25 EDT
This issue is classified as security hardening and not a security vulnerability due to the fact that it cannot be exploited without an additional vulnerability.
