[Libguestfs] [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)

Pino Toscano ptoscano at redhat.com
Thu Sep 24 10:39:02 UTC 2020 

On Thursday, 24 September 2020 12:15:29 CEST Richard W.M. Jones wrote:
> On Wed, Sep 23, 2020 at 05:57:50PM +0200, Pino Toscano wrote:
> > Do not attempt to relabel a guest in case its SELinux enforcing mode is
> > not "enforcing", as it is either pointless, or it may fail because of an
> > invalid policy configured.
> > ---
> >  mlcustomize/SELinux_relabel.ml | 26 +++++++++++++++++++++++++-
> >  1 file changed, 25 insertions(+), 1 deletion(-)
> > 
> > diff --git a/mlcustomize/SELinux_relabel.ml b/mlcustomize/SELinux_relabel.ml
> > index 647aeda..db00e59 100644
> > --- a/mlcustomize/SELinux_relabel.ml
> > +++ b/mlcustomize/SELinux_relabel.ml
> > @@ -24,6 +24,9 @@ open Printf
> >  
> >  module G = Guestfs
> >  
> > +exception SELinux_not_enforcing
> > +(* Interal exception to signal a non-enforcing SELinux. *)
> > +
> >  (* Simple reimplementation of Array.mem, available only with OCaml >= 4.03. *)
> >  let array_find a l =
> >    List.mem a (Array.to_list l)
> > @@ -35,12 +38,18 @@ let rec relabel (g : G.guestfs) =
> >        use_setfiles g;
> >        (* That worked, so we don't need to autorelabel. *)
> >        g#rm_f "/.autorelabel"
> > -    with Failure _ ->
> > +    with
> > +    | Failure _ ->
> >        (* This is the fallback in case something in the setfiles
> >         * method didn't work.  That includes the case where a non-SELinux
> >         * host is processing an SELinux guest, and other things.
> >         *)
> >        g#touch "/.autorelabel"
> > +    | SELinux_not_enforcing ->
> > +      (* This means that SELinux was not configured to be in enforcing mode,
> > +       * so silently accept this.
> > +       *)
> > +      ()
> >    )
> >  
> >  and is_selinux_guest g =
> > @@ -59,6 +68,21 @@ and use_setfiles g =
> >    g#aug_load ();
> >    debug_augeas_errors g;
> >  
> > +  (* Get the SELinux enforcing mode, eg "enforcing", "permissive",
> > +   * "disabled".
> > +   * Use "disabled" if not specified, just like libselinux seems to do.
> > +   *)
> > +  let typ = read_selinux_config_key g "SELINUX" "disabled" in
> > +  (* Do not attempt any relabelling if the SELinux is not "enforcing":
> > +   * - in "permissive" mode SELinux is still running, however nothing is
> > +   *   enforced: this means labels can be wrong, and "it is fine"
> 
> I don't think it's fine.  As I showed here:
> 
> https://www.redhat.com/archives/libguestfs/2020-June/msg00115.html
> 
> in permissive mode labels are still being updated on disk.

This is true for default labels, yes.

> TBH I don't understand what you said here:
> 
> https://www.redhat.com/archives/libguestfs/2020-June/msg00117.html
> 
> about "both the labels and the policy may be all wrong".  If the
> administrator set the policy to permissive then labels ought still to
> be updated when the guest is running, and we ought to try to keep them
> updated if we can in v2v.

There are various cases when, even of an enforcing system, labels are
not kept up-to-date:

$ getenforce 
Enforcing
$ touch /tmp/test
$ ls -lZ /tmp/test 
-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test
$ mv /tmp/test ~/var/
$ ls -lZ ~/var/test 
-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
$ restorecon -v ~/var/test 
Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0
$ ls -lZ ~/var/test 
-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test

Considering that /tmp is a general location for temporary files, it's
common that files may end with a tmp_t-alike label when moved back to
the destination place (e.g. after a rename()). That is not the only
situation like this that I saw in the past.

In permissive mode, all these situation are logged in the audit log,
yes, but they cause no blocks nor errors.

> It's also fine for an administrator to
> switch a system to permissive and then back to enforcing without
> relabelling or rebooting.

A mislabelled /etc/passwd is still read and used fine in permissive
mode. Switch back from permissive to enforcing without a relabelling
is generally not a good idea, especially after the system ran for a
lot of time after the switch to permissive.

-- 
Pino Toscano
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/libguestfs/attachments/20200924/c0fb4d8e/attachment.sig>

More information about the Libguestfs mailing list