Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 529690 - Portage etc_t labeling issue
Summary: Portage etc_t labeling issue
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 530912
  Show dependency tree
 
Reported: 2014-11-18 13:10 UTC by Eric Gisse
Modified: 2014-11-27 20:41 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Gisse 2014-11-18 13:10:28 UTC 
(2.3 userspace!)

When installing postfix to replace nullmailer (no selinux policy, no interest in writing one) under enforcing, I find that portage has some issues relabeling stuff in etc_t:

Nov 18 06:44:10 testbed kernel: [128276.205110] audit: type=1400 audit(1416314650.276:637): avc:  denied  { relabelfrom } for  pid=32128 comm="install" name="server.key" dev="dm-3" ino=429201 ipaddr=173.173.113.156 scontext=root:sysadm_r:portage_t tcontext=root:object_r:etc_t tclass=file permissive=0
Nov 18 06:44:10 testbed kernel: [128276.216437] audit: type=1400 audit(1416314650.288:638): avc:  denied  { relabelfrom } for  pid=32132 comm="install" name="server.csr" dev="dm-3" ino=429202 ipaddr=173.173.113.156 scontext=root:sysadm_r:portage_t tcontext=root:object_r:etc_t tclass=file permissive=0
Nov 18 06:44:10 testbed kernel: [128276.227910] audit: type=1400 audit(1416314650.299:639): avc:  denied  { relabelfrom } for  pid=32134 comm="install" name="server.crt" dev="dm-3" ino=429203 ipaddr=173.173.113.156 scontext=root:sysadm_r:portage_t tcontext=root:object_r:etc_t tclass=file permissive=0
Nov 18 06:44:10 testbed kernel: [128276.239960] audit: type=1400 audit(1416314650.311:640): avc:  denied  { relabelfrom } for  pid=32136 comm="install" name="server.pem" dev="dm-3" ino=429205 ipaddr=173.173.113.156 scontext=root:sysadm_r:portage_t tcontext=root:object_r:etc_t tclass=file permissive=0
Nov 18 06:53:35 testbed kernel: [128841.672960] audit: type=1400 audit(1416315215.296:645): avc:  denied  { relabelfrom } for  pid=6919 comm="install" name="server.key" dev="dm-3" ino=428419 ipaddr=173.173.113.156 scontext=root:sysadm_r:portage_t tcontext=root:object_r:etc_t tclass=file permissive=1
Nov 18 06:53:35 testbed kernel: [128841.672981] audit: type=1400 audit(1416315215.296:646): avc:  denied  { relabelto } for  pid=6919 comm="install" name="server.key" dev="dm-3" ino=428419 ipaddr=173.173.113.156 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:etc_t tclass=file permissive=1

The last line was under permissive to see what else it wanted.

When you install postfix, it wants to generate a set of ssl keys for TLS mail. This is what you get under enforcing under current policy:

# ls -althrZ /etc/ssl/postfix
total 24K
drwxr-xr-x. 8 root    root system_u:object_r:etc_t 4.0K Nov 18 06:44 ..
-r--------. 1 postfix mail root:object_r:etc_t      887 Nov 18 06:44 server.key
-r--r--r--. 1 root    root root:object_r:etc_t      749 Nov 18 06:44 server.csr
-r--r--r--. 1 root    root root:object_r:etc_t     1.1K Nov 18 06:44 server.crt
-r--------. 1 postfix mail root:object_r:etc_t     1.9K Nov 18 06:44 server.pem
drwxr-xr-x. 2 root    root root:object_r:etc_t     4.0K Nov 18 06:44 .


This is what it wants, when you let it:

# ls -althrZ /etc/ssl/postfix
total 24K
drwxr-xr-x. 8 root    root system_u:object_r:etc_t 4.0K Nov 18 06:53 ..
-r--------. 1 postfix mail system_u:object_r:etc_t  891 Nov 18 06:53 server.key
-r--r--r--. 1 root    root system_u:object_r:etc_t  749 Nov 18 06:53 server.csr
-r--r--r--. 1 root    root system_u:object_r:etc_t 1.1K Nov 18 06:53 server.crt
-r--------. 1 postfix mail system_u:object_r:etc_t 1.9K Nov 18 06:53 server.pem
drwxr-xr-x. 2 root    root root:object_r:etc_t     4.0K Nov 18 06:53 .


Fixing this for etc_t is easy:

files_relabel_etc_files(portage_t)

But since portage has to manage all files, why not this?

Allowing portage to relabel everything (I thought it could, its portage!) solves this issue for this and every case and I can't easily conjur an argument why the portage_t domain shouldn't have this power.

Patch:

diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 83d6ab4..744ddb5 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -195,6 +195,7 @@ domain_dontaudit_read_all_domains_state(portage_t)

 # modify any files in the system
 files_manage_all_files(portage_t)
+files_relabel_all_files(portage_t)

 selinux_get_fs_mount(portage_t)
Comment 1 Eric Gisse 2014-11-18 13:40:12 UTC 
Correction: Definitely use files_relabel_etc_files(portage_t)

auth_relabelto_shadow() has to be called explicitly because files_relabel_all_files means shadow_t can be relabeled, and shadow_t doesn't want that unless you explicitly let it.

Maaayybee I should leave that alone and stick to files_relabel_etc_files().
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 20:21:30 UTC 
Err, normally portage relabels files post-install (using a domain transition to setfiles). I'm going to see if I can reproduce this, but granting portage with relabel permissions should not be the goal afaics.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 20:38:15 UTC 
Okay, well, apparently postfix' pkg_postinst inserts the files. However, although we do get the error about portage' unability to manage the files, I'd like to keep it this way for now. portage_t itself has few relabel privileges and this would just start expanding it.

Considering that the files do get etc_t (according to the policy, this is correct, even though I think it would be wiser to mark them as certificates or keys), I'll have this block a policy rewrite for portage.