A TOCTOU (time-of-check time-of-use) race condition was found in the way systemd, a system and service manager, used to update file permissions and SELinux security contexts. A local attacker could use this flaw to conduct symbolic link attacks possibly leading to their ability to modify permissions / security context of a path different than originally intended / requested.
Issue found by Florian Weimer, Red Hat Product Security Team
This only affects setups using SELinux.
Looks like a design issue which won't be resolved very soon. From https://bugzilla.redhat.com/show_bug.cgi?id=858760#c0:
> shared/label.c:label_fix() does not prevent symlink resolution on the
> path name. The function should check if the path name contains slashes
> and refuse to proceed in this case. I think such a drastic measure is
> warranted because by design, this function works on files in other users'
> directories, and is subject to path name races. (There is no fsetxattrat
> interface in the kernel, so fchdir followed by lsetxattr/lsetfilecon is
> the only safe alternative. Obviously, this is not thread-safe.)
> This is currently blocked by the need for new system calls (or making
> existing system calls work with O_PATH):
> We need to open files to check their hard link count and make sure that
> is not greater than 1, so that we do not improperly relabel a file that
> is visible elsewhere in the file system. Without O_PATH, the open
> operation can have side effects, so we would introduce another type of
> security bug.
> Addressing this would also fix the other issue (lsetfilecon is called
> with absolute paths, which does not prevent symbolic link resolution on
> non-final path components), but this issue could be fixed separate if
This was first reported in bug 486904.
If you compare the criticized code from https://github.com/systemd/systemd/blob/v208/src/shared/label.c#L93-L136 with https://github.com/systemd/systemd/blob/331d6a201b82a03c5343bb9c25280f0cd8b7d9fb/src/basic/label.c#L29-L41 aka https://github.com/systemd/systemd/blob/331d6a201b82a03c5343bb9c25280f0cd8b7d9fb/src/basic/selinux-util.c#L83-L119 (due to a code move in https://github.com/systemd/systemd/commit/a095315b3c31f7a419baceac82c26c3c5ac0cd12) you will notice that a race is still possible and that the code doesn't check for slashes or symlinks.
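The pre-relabel check the quoted Red Hat comment asks for (refuse names containing slashes, open with O_PATH|O_NOFOLLOW so the open has no side effects, reject symlinks and files with more than one hard link), as an added example in C that is not systemd's code. Applying the mode and xattr through /proc/self/fd/N so the use hits exactly the inode that was checked, the LABEL_* result codes and the function names are this example's own choices, not something the bug report prescribes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Result codes for the check step (constructed for this example). */
enum { LABEL_OK = 0, LABEL_ERR_SLASH = -1, LABEL_ERR_OPEN = -2,
       LABEL_ERR_SYMLINK = -3, LABEL_ERR_HARDLINK = -4 };

/* Open `name`, a single path component below `dirfd`, without following
 * symlinks and without open() side effects (O_PATH).  Refuse symlinks and
 * non-directories with more than one hard link (visible elsewhere in the
 * tree).  On success *out_fd pins the inode that was checked. */
int label_open_checked(int dirfd, const char *name, int *out_fd)
{
    struct stat st;
    if (strchr(name, '/') != NULL)          /* multi-component path: refuse */
        return LABEL_ERR_SLASH;
    int fd = openat(dirfd, name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return LABEL_ERR_OPEN;
    if (fstat(fd, &st) < 0) { close(fd); return LABEL_ERR_OPEN; }
    if (S_ISLNK(st.st_mode)) { close(fd); return LABEL_ERR_SYMLINK; }
    if (!S_ISDIR(st.st_mode) && st.st_nlink > 1) {  /* directories always have >1 */
        close(fd);
        return LABEL_ERR_HARDLINK;
    }
    *out_fd = fd;
    return LABEL_OK;
}

/* Apply mode and (optionally) an xattr to the inode behind the checked fd.
 * Going through /proc/self/fd/N resolves to that inode, not to whatever
 * the directory entry names now, so check and use target the same object.
 * xattr_name may be NULL to set only the mode.  Returns 0 or -errno. */
int label_apply_checked(int fd, mode_t mode, const char *xattr_name,
                        const char *value)
{
    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    if (chmod(proc, mode) < 0)
        return -errno;
    if (xattr_name && setxattr(proc, xattr_name, value, strlen(value), 0) < 0)
        return -errno;
    return 0;
}
```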
Marking this as unstable considering systemd is masked for SELinux profiles. Thus, it is not a stable profile or configuration.