Bug 933709 - Unconfined module is never loaded even when USE=unconfined in non-targeted policy (strict/mcs/mls)
Summary: Unconfined module is never loaded even when USE=unconfined in non-targeted po...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-06-06 23:39 UTC by Rahul Sandhu
Modified: 2024-08-25 00:49 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge-info, 19.80 KB, text/plain)
2024-06-06 23:47 UTC, Rahul Sandhu

Description Rahul Sandhu 2024-06-06 23:39:27 UTC
When attempting to log in as a user mapped to unconfined_u, pam_selinux fails to assign a valid context:
A valid context for user could not be obtained.

This results in the parent context being assigned, i.e. in the case of a display manager (such as greetd), leaving a context of:
system_u:system_r:xdm_t:s0

It is important to note, however, that this also occurs in a tty: logging in to a tty results in a context of:
system_u:system_r:local_login_t:s0

With debug added to pam_selinux's options (and pam_selinux added to /etc/pam.d/su for the sake of live demonstration), the following is logged to syslog:
Jun 07 00:19:07 carbon su[248793]: pam_selinux(su:session): Open Session
Jun 07 00:19:07 carbon su[248793]: pam_selinux(su:session): Open Session
Jun 07 00:19:07 carbon su[248793]: pam_selinux(su:session): Username= user SELinux User= unconfined_u Level= s0-s0
Jun 07 00:19:07 carbon su[248793]: pam_selinux(su:session): Unable to get valid context for user

Interestingly, a runcon indicates that unconfined_u:unconfined_r:unconfined_t:s0 is an invalid context:
user@carbon ~ $ runcon -cr unconfined_r -u unconfined_u -t unconfined_t /bin/bash
runcon: invalid context: ‘unconfined_u:unconfined_r:unconfined_t:s0’: Invalid argument

Whereas with staff_u:staff_r:staff_t:s0:
user@carbon ~ $ runcon -cr staff_r -u staff_u -t staff_t /bin/bash
user@carbon ~ $ id -Z
staff_u:staff_r:staff_t:s0
Further investigation showed that the unconfined policy module was not loaded:
carbon ~ # seinfo -t | grep unconfined
   unconfined_cronjob_t
   unconfined_java_t
   unconfined_mount_t
Oneshotting sec-policy/selinux-unconfined resulted in an interesting message:
* Ignoring loading of unconfined module in mcs module store.

Investigating the eclass resulted in the following:
carbon /var/db/repos/gentoo/eclass # grep -rsn 'Ignoring loading of' selinux-policy-2.eclass 
266:				einfo "Ignoring loading of unconfined module in ${i} module store.";

Surrounding code includes:
    for i in ${POLICY_TYPES}; do
        if [[ "${MODS}" = "unconfined" ]]; then
            case ${i} in
            strict|mcs|mls)
                einfo "Ignoring loading of unconfined module in ${i} module store.";
                continue
                ;;
            esac
        fi

I see no reason for the unconfined policy module to not be loaded here, possibly something from the past that needs changing now?

People currently affected can load the unconfined policy module with:
semodule -i /usr/share/selinux/mcs/unconfined.pp

Which will fix all of the aforementioned issues.
Comment 1 Rahul Sandhu 2024-06-06 23:47:35 UTC
Created attachment 895278 [details]
emerge --info
Comment 2 Larry the Git Cow gentoo-dev 2024-08-25 00:49:06 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75d12a333e1866ad6affa62b95fe88be48f5b118

commit 75d12a333e1866ad6affa62b95fe88be48f5b118
Author:     Rahul Sandhu <rahul@sandhuservices.dev>
AuthorDate: 2024-08-02 19:37:54 +0000
Commit:     Jason Zaman <perfinion@gentoo.org>
CommitDate: 2024-08-25 00:48:19 +0000

    selinux-policy-2.eclass: Load unconfined module for mcs/mls policy types
    
    Currently, there doesn't seem to be a reason to block the loading of
    the unconfined policy module on the mcs and mls policy types. Let's
    ensure we load the unconfined policy module unconditionally in the
    eclass.
    
    The loading of the unconfined policy module was initially blocked in
    82e30f21ab85b6de3ebc45ae10b28b9bd280e4a1, however as far as I can tell,
    there is no longer a reason to do this. Considering there are use flags
    for sec-policy/selinux-base and sec-policy/selinux-base-policy for the
    unconfined policy module, and using the unconfined policy module is
    supported for the mcs and mls policy types, it makes sense to no longer
    block the loading of the policy module. It is also worth mentioning
    that grabbing an selinux stage3 has the unconfined policy module
    already loaded.
    
    As the strict policy is effectively the targeted policy without support
    for the unconfined domain, it makes sense to not load the unconfined
    module for strict policy types. Let's keep a conditional check for the
    strict policy to ensure we don't load the unconfined module in that
    case.
    
    Closes: https://bugs.gentoo.org/933709
    Closes: https://github.com/gentoo/gentoo/pull/37931
    Signed-off-by: Rahul Sandhu <rahul@sandhuservices.dev>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 eclass/selinux-policy-2.eclass | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
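As an added illustration (not code from selinux-policy-2.eclass or from the fix commit), the module-loading decision from the eclass snippet quoted in the report is shown next to the narrowed check the commit message describes, together with a helper that confirms from `semodule -l` output whether the unconfined module is present in a non-strict store. Function names and the sample module lists are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from selinux-policy-2.eclass or the fix commit.
# Function names and the sample module lists are constructed for illustration.
# Old eclass decision as quoted in the report: skip the unconfined module
# in the strict, mcs and mls stores.  Returns 0 to load, 1 to skip.
old_should_load() {
    if [ "$1" = "unconfined" ]; then
        case "$2" in
            strict|mcs|mls) return 1 ;;
        esac
    fi
    return 0
}

# Behaviour the fix commit describes: only the strict policy type lacks the
# unconfined domain, so that is the only store in which the module is skipped.
new_should_load() {
    if [ "$1" = "unconfined" ] && [ "$2" = "strict" ]; then
        return 1
    fi
    return 0
}

# Verification helper: given the policy type and the output of a recent
# `semodule -l` (one module name per line), return 0 when the unconfined
# module is loaded or not expected for that type, 1 when it is missing,
# which is the state behind the "invalid context" error in the report.
unconfined_module_ok() {
    new_should_load unconfined "$1" || return 0
    printf '%s\n' "$2" | grep -qx unconfined
}

# Constructed module lists: the reporter's situation, and the store after
# `semodule -i /usr/share/selinux/mcs/unconfined.pp`.
SAMPLE_MISSING='base
cron
mount'
SAMPLE_LOADED='base
cron
mount
unconfined'

# Live check; a no-op on hosts without the SELinux userspace tools.
check_live() {
    command -v semodule >/dev/null 2>&1 || return 0
    ptype=$(sed -n 's/^SELINUXTYPE=//p' /etc/selinux/config 2>/dev/null)
    unconfined_module_ok "$ptype" "$(semodule -l)"
}
check_live || echo "unconfined module is not loaded in the ${ptype:-?} store"
```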