
Bug 530192

Summary: Portage should use force relabeling for installed files to have system_u as target SELinux user
Product: Gentoo Linux
Reporter: Sven Vermeulen (RETIRED) <swift>
Component: SELinux
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: Normal
Keywords: InVCS
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 484436
Attachments: Force SELinux user during relabel

Description Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 16:02:36 UTC
After installing software, Portage already relabels the files to have the right context. However, it looks like it only sets the file type context and not the SELinux owner and role (well, role is always "object_r" so it does not matter).

See:

# ls -Z $(qlist cowsay)
system_u:object_r:bin_t:s0 /usr/bin/cowsay                                     staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/milk.cow
 staff_u:object_r:bin_t:s0 /usr/bin/cowthink                                   staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moofasa.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/beavis.zen.cow          staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moose.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bong.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mutilated.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bud-frogs.cow           staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ren.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bunny.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/satanic.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cheese.cow              staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sheep.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cower.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/skeleton.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/daemon.cow              staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/small.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/default.cow             staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sodomized.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon-and-cow.cow      staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stegosaurus.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon.cow              staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stimpy.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant.cow            staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/supermilker.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant-in-snake.cow   staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/surgery.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/eyes.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/telebears.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/flaming-sheep.cow       staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/three-eyes.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ghostbusters.cow        staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turkey.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/head-in.cow             staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turtle.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/hellokitty.cow          staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/tux.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kiss.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/udder.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kitty.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/koala.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader-koala.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kosh.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/www.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/luke-koala.cow          staff_u:object_r:man_t:s0 /usr/share/man/man1/cowsay.1.bz2
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mech-and-cow            staff_u:object_r:man_t:s0 /usr/share/man/man1/cowthink.1.bz2
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/meow.cow

A force relabel (like with "rlpkg -r cowsay") results in:

# ls -Z $(qlist cowsay)
system_u:object_r:bin_t:s0 /usr/bin/cowsay                                    system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/milk.cow
system_u:object_r:bin_t:s0 /usr/bin/cowthink                                  system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moofasa.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/beavis.zen.cow         system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moose.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bong.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mutilated.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bud-frogs.cow          system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ren.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bunny.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/satanic.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cheese.cow             system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sheep.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cower.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/skeleton.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/daemon.cow             system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/small.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/default.cow            system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sodomized.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon-and-cow.cow     system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stegosaurus.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon.cow             system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stimpy.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant.cow           system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/supermilker.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant-in-snake.cow  system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/surgery.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/eyes.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/telebears.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/flaming-sheep.cow      system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/three-eyes.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ghostbusters.cow       system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turkey.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/head-in.cow            system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turtle.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/hellokitty.cow         system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/tux.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kiss.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/udder.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kitty.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/koala.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader-koala.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kosh.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/www.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/luke-koala.cow         system_u:object_r:man_t:s0 /usr/share/man/man1/cowsay.1.bz2
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mech-and-cow           system_u:object_r:man_t:s0 /usr/share/man/man1/cowthink.1.bz2
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/meow.cow

It is probably just a simple fix.

The problem with a wrong SELinux user is that, on systems with USE="ubac" set, other SELinux users might not be able to access these resources at all.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 16:16:40 UTC
Created attachment 390126 [details, diff]
Force SELinux user during relabel

Small fix to misc-functions.sh to use the "-F" option. Tested locally again and the files are now installed with the right, complete context.

Can be fixed manually on systems as well (as workaround) by editing /usr/lib/portage/bin/misc-functions.sh (around line 1131).
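As an added example (not code from the bug report, from the attached patch or from Portage itself), a small POSIX shell check for the situation shown in the description and addressed by the -F change in comment 1: it reads one-per-line `ls -1Z`-style entries for a package's files, reports those whose SELinux user is not `system_u`, and builds the `restorecon -F` command that resets the whole context (user, role and type) instead of only the type. The sample lines are constructed from the listing above, and the function names `find_wrong_seuser` and `relabel_cmd` are mine; the command is printed rather than run so the script works on any host.

```shell
#!/bin/sh
# Constructed sample: four entries taken from the listing in the bug report,
# one per line as `ls -1Z $(qlist cowsay)` prints them (context, then path).
SAMPLE_LS_Z='system_u:object_r:bin_t:s0 /usr/bin/cowsay
staff_u:object_r:bin_t:s0 /usr/bin/cowthink
staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/default.cow
staff_u:object_r:man_t:s0 /usr/share/man/man1/cowsay.1.bz2'

# find_wrong_seuser [expected_user]
# Reads "context path" lines on stdin and prints the paths whose SELinux user
# (the first field of user:role:type:range) differs from the expected one.
# The default, system_u, is the user installed files should carry.
find_wrong_seuser() {
    expected="${1:-system_u}"
    while IFS=' ' read -r ctx path; do
        [ -n "$ctx" ] || continue
        seuser="${ctx%%:*}"
        [ "$seuser" = "$expected" ] || printf '%s\n' "$path"
    done
}

# relabel_cmd path...
# Builds the command that repairs such files. -F makes restorecon (and
# setfiles) reset the full context from the policy's file contexts; without
# -F only the type is reset, so a stray user such as staff_u survives, which
# is exactly the gap the bug reports. The command is printed, not executed.
relabel_cmd() {
    printf 'restorecon -F -v'
    for f in "$@"; do
        printf ' %s' "$f"
    done
    printf '\n'
}

# Usage: list the offenders, then show the relabel command for them.
wrong=$(printf '%s\n' "$SAMPLE_LS_Z" | find_wrong_seuser)
printf 'Files not owned by system_u:\n%s\n' "$wrong"
# shellcheck disable=SC2086
relabel_cmd $wrong
```

On a real system, feed the check with `ls -1Z $(qlist <package>)` instead of the constructed sample. As the report notes, the mismatch matters on systems built with USE="ubac": a file carrying another SELinux user may be inaccessible to other SELinux users, so the check is worth running on packages merged before the fixed Portage release.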
Comment 2 Zac Medico gentoo-dev 2014-11-25 18:24:35 UTC
I've posted your patch for review here:

http://thread.gmane.org/gmane.linux.gentoo.portage.devel/4838
Comment 3 Zac Medico gentoo-dev 2014-11-26 08:45:05 UTC
This is in the master branch now:

https://github.com/gentoo/portage/commit/bcac54411c462aa59fe874325e4843f61dc71312
Comment 4 Brian Dolbec (RETIRED) gentoo-dev 2015-06-05 20:50:32 UTC
released in portage-2.2.14