[Libguestfs] [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)

Richard W.M. Jones rjones at redhat.com
Thu Sep 24 11:53:57 UTC 2020


On Thu, Sep 24, 2020 at 12:39:02PM +0200, Pino Toscano wrote:
...
> There are various cases when, even on an enforcing system, labels are
> not kept up-to-date:
> 
> $ getenforce 
> Enforcing
> $ touch /tmp/test
> $ ls -lZ /tmp/test 
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test
> $ mv /tmp/test ~/var/
> $ ls -lZ ~/var/test 
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
> $ restorecon -v ~/var/test 
> Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0
> $ ls -lZ ~/var/test 
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test

That's definitely a weird thing.  Bug maybe?

> Considering that /tmp is a general location for temporary files, it's
> common that files may end with a tmp_t-alike label when moved back to
> the destination place (e.g. after a rename()). That is not the only
> situation like this that I saw in the past.
> 
> In permissive mode, all these situations are logged in the audit log,
> yes, but they cause no blocks nor errors.
> 
> > It's also fine for an administrator to
> > switch a system to permissive and then back to enforcing without
> > relabelling or rebooting.
> 
> A mislabelled /etc/passwd is still read and used fine in permissive
> mode. Switching back from permissive to enforcing without a relabelling
> is generally not a good idea, especially after the system ran for a
> lot of time after the switch to permissive.

It seems true from what you wrote above that someone could copy
/tmp/passwd -> /etc/passwd and it would have a wrong label.  But
virt-v2v could fix that label, which even in permissive mode sounds
like a win.

My question is what's the down-side to relabelling in permissive mode?

(I can see in *disabled* mode it's just a waste of time because the
work we do for relabelling in virt-v2v is just going to be undone when
the guest boots with SELinux disabled).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
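A small check for the situation discussed in this thread, as an added example (not code from libguestfs or virt-v2v): it parses `ls -lZ` lines and flags files whose SELinux type differs from what a hypothetical, hard-coded file_contexts table expects, the way a dry-run `restorecon -nv` would report them. The sample lines and the expected-type table are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed `ls -lZ` output modelled on the thread: the file in ~/var was
# created in /tmp and mv'ed, so it kept user_tmp_t; /etc/passwd likewise.
SAMPLE_LS_Z = """\
-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/notes.txt
-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
-rw-r--r--. 1 root root unconfined_u:object_r:user_tmp_t:s0 2345 Sep 24 12:26 /etc/passwd
"""

# Hypothetical stand-in for the policy's file_contexts table (not the real
# targeted policy): the first matching regex gives the expected type.
EXPECTED_TYPES: List[Tuple[str, str]] = [
    (r"^/etc/passwd$", "passwd_file_t"),
    (r"^/home/[^/]+(/.*)?$", "user_home_t"),
    (r"^/tmp(/.*)?$", "user_tmp_t"),
]

# Fields: perms links user group context size month day time path
LS_Z_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<ctx>[^:\s]+:[^:\s]+:[^:\s]+:\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$")

def parse_ls_z(line: str) -> Optional[Tuple[str, str]]:
    """Return (path, type) from one `ls -lZ` line, or None if it does not parse."""
    # The context is user:role:type:level; the level may itself contain colons,
    # so the type is the third colon-separated field, not the last.
    m = LS_Z_RE.match(line)
    if m is None:
        return None
    return m.group("path"), m.group("ctx").split(":")[2]

def expected_type(path: str) -> Optional[str]:
    """Type the (hypothetical) file_contexts table expects for path, if any."""
    for pattern, selinux_type in EXPECTED_TYPES:
        if re.match(pattern, path):
            return selinux_type
    return None

def find_mislabelled(ls_output: str) -> List[Tuple[str, str, str]]:
    """Return (path, actual_type, expected_type) for every file whose type is wrong."""
    mismatches = []
    for line in ls_output.splitlines():
        parsed = parse_ls_z(line)
        if parsed is None:
            continue
        path, actual = parsed
        expected = expected_type(path)
        if expected is not None and actual != expected:
            mismatches.append((path, actual, expected))
    return mismatches
```

Run against the sample it reports the mv'ed file in ~/var and the copied /etc/passwd, both still carrying user_tmp_t, while the correctly labelled home file is silent.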