Bug 530192 - Portage should use force relabeling for installed files to have system_u as target SELinux user
Summary: Portage should use force relabeling for installed files to have system_u as t...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Portage team
URL:
Whiteboard:
Keywords: InVCS
Depends on:
Blocks: 484436
Reported: 2014-11-23 16:02 UTC by Sven Vermeulen (RETIRED)
Modified: 2015-06-05 20:50 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Force SELinux user during relabel (0001-Force-the-SELinux-user-during-relabel-operation.patch,1.55 KB, patch)
2014-11-23 16:16 UTC, Sven Vermeulen (RETIRED)

Description Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 16:02:36 UTC
After installing software, Portage already relabels the files to have the right context. However, it looks like it only sets the file type context and not the SELinux user and role (well, the role is always "object_r", so that does not matter).

See:

 # ls -Z $(qlist cowsay)
system_u:object_r:bin_t:s0 /usr/bin/cowsay                                     staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/milk.cow
 staff_u:object_r:bin_t:s0 /usr/bin/cowthink                                   staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moofasa.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/beavis.zen.cow          staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moose.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bong.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mutilated.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bud-frogs.cow           staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ren.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bunny.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/satanic.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cheese.cow              staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sheep.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cower.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/skeleton.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/daemon.cow              staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/small.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/default.cow             staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sodomized.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon-and-cow.cow      staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stegosaurus.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon.cow              staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stimpy.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant.cow            staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/supermilker.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant-in-snake.cow   staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/surgery.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/eyes.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/telebears.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/flaming-sheep.cow       staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/three-eyes.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ghostbusters.cow        staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turkey.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/head-in.cow             staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turtle.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/hellokitty.cow          staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/tux.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kiss.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/udder.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kitty.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/koala.cow               staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader-koala.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kosh.cow                staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/www.cow
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/luke-koala.cow          staff_u:object_r:man_t:s0 /usr/share/man/man1/cowsay.1.bz2
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mech-and-cow            staff_u:object_r:man_t:s0 /usr/share/man/man1/cowthink.1.bz2
 staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/meow.cow

A force relabel (like with "rlpkg -r cowsay") results in:

# ls -Z $(qlist cowsay)
system_u:object_r:bin_t:s0 /usr/bin/cowsay                                    system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/milk.cow
system_u:object_r:bin_t:s0 /usr/bin/cowthink                                  system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moofasa.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/beavis.zen.cow         system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/moose.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bong.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mutilated.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bud-frogs.cow          system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ren.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/bunny.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/satanic.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cheese.cow             system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sheep.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/cower.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/skeleton.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/daemon.cow             system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/small.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/default.cow            system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/sodomized.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon-and-cow.cow     system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stegosaurus.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/dragon.cow             system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/stimpy.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant.cow           system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/supermilker.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/elephant-in-snake.cow  system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/surgery.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/eyes.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/telebears.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/flaming-sheep.cow      system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/three-eyes.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/ghostbusters.cow       system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turkey.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/head-in.cow            system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/turtle.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/hellokitty.cow         system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/tux.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kiss.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/udder.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kitty.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/koala.cow              system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/vader-koala.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/kosh.cow               system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/www.cow
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/luke-koala.cow         system_u:object_r:man_t:s0 /usr/share/man/man1/cowsay.1.bz2
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/mech-and-cow           system_u:object_r:man_t:s0 /usr/share/man/man1/cowthink.1.bz2
system_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/meow.cow

It is probably just a simple fix.

The problem with a wrong SELinux user is that, on systems with USE="ubac" set, other SELinux users might not be able to access these resources at all.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 16:16:40 UTC
Created attachment 390126 [details, diff]
Force SELinux user during relabel

Small fix to misc-functions.sh to use the "-F" option. Tested locally again and the files are now installed with the right, complete context.

Can be fixed manually on systems as well (as a workaround) by editing /usr/lib/portage/bin/misc-functions.sh (around line 1131).
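The description above shows the symptom (files labelled staff_u instead of system_u) and Comment 1 names the fix (relabel with "-F" so the user part of the context is reset too). The script below is an added example, not Portage's misc-functions.sh nor Sven's patch: it audits "ls -Z"-style lines for any file whose SELinux user is not system_u, so an administrator can detect the problem on installed packages before or after upgrading Portage. The SAMPLE_LSZ lines are constructed, modelled on the bug's output; the function names are this example's own. The restorecon option it recommends is the one the patch adds: plain restorecon resets only the type, while "restorecon -F" also resets the user, role and range.

```shell
#!/bin/sh
# Added example (not Portage code): detect installed files whose SELinux
# user field is not system_u, as seen in the bug report above.

# Constructed sample, one "context path" pair per line, as "ls -Z" prints
# when its output is piped rather than shown in terminal columns.
SAMPLE_LSZ='system_u:object_r:bin_t:s0 /usr/bin/cowsay
staff_u:object_r:bin_t:s0 /usr/bin/cowthink
staff_u:object_r:usr_t:s0 /usr/share/cowsay-3.03/cows/default.cow
system_u:object_r:man_t:s0 /usr/share/man/man1/cowsay.1.bz2'

# wrong_selinux_user LSZ_TEXT [WANTED_USER]
# Print "<user> <path>" for every line whose user field (first ":"-separated
# part of user:role:type:range) differs from WANTED_USER (default system_u).
wrong_selinux_user() {
    want="${2:-system_u}"
    printf '%s\n' "$1" | awk -v want="$want" '
        NF >= 2 {
            split($1, ctx, ":")
            if (ctx[1] != want) print ctx[1], $2
        }'
}

# count_wrong_selinux_user LSZ_TEXT [WANTED_USER]
# Number of mislabelled files; 0 means the package is clean.
count_wrong_selinux_user() {
    wrong_selinux_user "$1" "$2" | awk 'END { print NR }'
}

# fix_command LSZ_TEXT [WANTED_USER]
# Print the relabel command that would correct the mislabelled files.
# "-F" is essential: without it restorecon only resets the type, which is
# exactly why Portage left staff_u in place before the patch.
fix_command() {
    paths=$(wrong_selinux_user "$1" "$2" | awk '{ print $2 }' | tr '\n' ' ')
    [ -n "$paths" ] && printf 'restorecon -F %s\n' "$paths"
}

# Stand-alone usage on the constructed sample:
#   ./audit.sh          (or: sh audit.sh)
# On a live SELinux system, feed real data instead, e.g.
#   wrong_selinux_user "$(ls -Z $(qlist cowsay))"
if [ "${1:-}" = "run" ]; then
    wrong_selinux_user "$SAMPLE_LSZ"
    fix_command "$SAMPLE_LSZ"
fi
```

Run with "sh audit.sh run" to list the two mislabelled sample files and the "restorecon -F" command that would fix them. On a real system, replace the sample with the output of "ls -Z $(qlist <package>)" as in the report; a non-zero count after an emerge means the Portage version in use still relabels without "-F".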
Comment 2 Zac Medico gentoo-dev 2014-11-25 18:24:35 UTC
I've posted your patch for review here:

http://thread.gmane.org/gmane.linux.gentoo.portage.devel/4838
Comment 3 Zac Medico gentoo-dev 2014-11-26 08:45:05 UTC
This is in the master branch now:

https://github.com/gentoo/portage/commit/bcac54411c462aa59fe874325e4843f61dc71312
Comment 4 Brian Dolbec (RETIRED) gentoo-dev 2015-06-05 20:50:32 UTC
released in portage-2.2.14