From 8bb21014a55f50b1a734322639fffadafcd79672 Mon Sep 17 00:00:00 2001 From: Laura Abbott Date: Mon, 7 Oct 2019 11:48:17 -0400 Subject: [PATCH] selinux fix (rhbz 1758597) --- ...low-labeling-before-policy-is-loaded.patch | 153 ++++++++++++++++++ kernel.spec | 5 + 2 files changed, 158 insertions(+) create mode 100644 PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch diff --git a/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch b/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch new file mode 100644 index 000000000..001fa32dc --- /dev/null +++ b/PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch 
@@ -0,0 +1,153 @@ +From mboxrd@z Thu Jan 1 00:00:00 1970 +Return-Path: +X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on + aws-us-west-2-korg-lkml-1.web.codeaurora.org +X-Spam-Level: +X-Spam-Status: No, score=-15.0 required=3.0 + tests=HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, + MENTIONS_GIT_HOSTING,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT + autolearn=ham autolearn_force=no version=3.4.0 +Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) + by smtp.lore.kernel.org (Postfix) with ESMTP id 0CE63C4CEC5 + for ; Thu, 12 Sep 2019 13:30:40 +0000 (UTC) +Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) + by mail.kernel.org (Postfix) with ESMTP id DC0B020CC7 + for ; Thu, 12 Sep 2019 13:30:39 +0000 (UTC) +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1732192AbfILNaj (ORCPT ); + Thu, 12 Sep 2019 09:30:39 -0400 +Received: from mx1.redhat.com ([209.132.183.28]:52278 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1731687AbfILNaj (ORCPT ); + Thu, 12 Sep 2019 09:30:39 -0400 +Received: from mail-qt1-f197.google.com (mail-qt1-f197.google.com [209.85.160.197]) + (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) + (No client certificate requested) + by mx1.redhat.com (Postfix) with ESMTPS id 97CC359465 + for ; Thu, 12 Sep 2019 13:30:38 +0000 (UTC) +Received: by mail-qt1-f197.google.com with SMTP id c8so13609684qtd.20 + for ; Thu, 12 Sep 2019 06:30:38 -0700 (PDT) +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20161025; + h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version + :content-transfer-encoding; + bh=S/MIBrjCy5DTvfqPzJTJqDQQH1pDu780wgGyHs56w4k=; + b=H7fZr4X/c4ge0SXeHHRXrq3U4J60PWfSRqdCphTWxKjyLvBs8nktbJczT562oH7Hxv + hdvVjKgAzNxIXFdQetnmveDXojtHFrE21PNdo5ONQIyh35oZyrJB4ewZdUrNfbrvDc2y + ElMr/HoKEX5pY+GMJE4nzeBotlfCWU9BoAxJPUhzKA9Oib+AqDzQ0hCGH6pQY9RXRXBV + 
IMH21FE5dxQGtLHNCJXVxE14edDeRo8qQFWQw6ooogK7JvduuJrWBn3BmCbKz1YLTNZE + 9wRXvaHFVGNhr79JrRcItTp6Sx+tZ3XY46CV+Wi6Rq1fu8MePP9zFdIQXw9wqyd+UgLa + AIlw== +X-Gm-Message-State: APjAAAXpWx500L+bZRH8M7OzuSb0aBlsvvjaBYCGvSkzojpa2nRWjtk0 + cjKEj45ivsUgPW2Bbi6CGEtspqM4wmwb72z+ajR4hy5OjMT3KRh6W71HFbVPrlLYQTvse11Ax2d + wGOma7U/qIGDDYkjh/Q== +X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094193qtu.11.1568295037636; + Thu, 12 Sep 2019 06:30:37 -0700 (PDT) +X-Google-Smtp-Source: APXvYqzybFpoaFyGZXafGEdtHCL3XllpHltaXggcIZEb7De49V/kJzm1pU6vpg1gN8HtgnB3cilLuA== +X-Received: by 2002:ac8:7b2e:: with SMTP id l14mr8094176qtu.11.1568295037442; + Thu, 12 Sep 2019 06:30:37 -0700 (PDT) +Received: from localhost.localdomain ([12.133.141.2]) + by smtp.gmail.com with ESMTPSA id h68sm11848865qkd.35.2019.09.12.06.30.35 + (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); + Thu, 12 Sep 2019 06:30:36 -0700 (PDT) +From: Jonathan Lebon +To: selinux@vger.kernel.org +Cc: Jonathan Lebon , + Victor Kamensky +Subject: [PATCH v2] selinux: allow labeling before policy is loaded +Date: Thu, 12 Sep 2019 09:30:07 -0400 +Message-Id: <20190912133007.27545-1-jlebon@redhat.com> +X-Mailer: git-send-email 2.21.0 +MIME-Version: 1.0 +Content-Transfer-Encoding: 8bit +Sender: selinux-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: selinux@vger.kernel.org +Archived-At: +List-Archive: +List-Post: + +Currently, the SELinux LSM prevents one from setting the +`security.selinux` xattr on an inode without a policy first being +loaded. However, this restriction is problematic: it makes it impossible +to have newly created files with the correct label before actually +loading the policy. + +This is relevant in distributions like Fedora, where the policy is +loaded by systemd shortly after pivoting out of the initrd. In such +instances, all files created prior to pivoting will be unlabeled. 
One +then has to relabel them after pivoting, an operation which inherently +races with other processes trying to access those same files. + +Going further, there are use cases for creating the entire root +filesystem on first boot from the initrd (e.g. Container Linux supports +this today[1], and we'd like to support it in Fedora CoreOS as well[2]). +One can imagine doing this in two ways: at the block device level (e.g. +laying down a disk image), or at the filesystem level. In the former, +labeling can simply be part of the image. But even in the latter +scenario, one still really wants to be able to set the right labels when +populating the new filesystem. + +This patch enables this by changing behaviour in the following two ways: +1. allow `setxattr` if we're not initialized +2. don't try to set the in-core inode SID if we're not initialized; + instead leave it as `LABEL_INVALID` so that revalidation may be + attempted at a later time + +Note the first hunk of this patch is mostly the same as a previously +discussed one[3], though it was part of a larger series which wasn't +accepted. + +Co-developed-by: Victor Kamensky +Signed-off-by: Victor Kamensky +Signed-off-by: Jonathan Lebon + +[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html +[2] https://github.com/coreos/fedora-coreos-tracker/issues/94 +[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html + +--- + +v2: + - return early in selinux_inode_setxattr if policy hasn't been loaded + +--- + + security/selinux/hooks.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c +index 94de51628..dbe96c707 100644 +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -3142,6 +3142,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name, + return dentry_has_perm(current_cred(), dentry, FILE__SETATTR); + } + ++ if (!selinux_state.initialized) ++ return (inode_owner_or_capable(inode) ? 
0 : -EPERM); ++ + sbsec = inode->i_sb->s_security; + if (!(sbsec->flags & SBLABEL_MNT)) + return -EOPNOTSUPP; +@@ -3225,6 +3228,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, + return; + } + ++ if (!selinux_state.initialized) { ++ /* If we haven't even been initialized, then we can't validate ++ * against a policy, so leave the label as invalid. It may ++ * resolve to a valid label on the next revalidation try if ++ * we've since initialized. ++ */ ++ return; ++ } ++ + rc = security_context_to_sid_force(&selinux_state, value, size, + &newsid); + if (rc) { +-- +2.21.0 + + diff --git a/kernel.spec b/kernel.spec index 53967cc89..29737a605 100644 --- a/kernel.spec +++ b/kernel.spec @@ -596,6 +596,8 @@ Patch504: dwc3-fix.patch Patch507: v2-1-2-efi-tpm-Don-t-access-event--count-when-it-isn-t-mapped..patch Patch508: v3-tpm-only-set-efi_tpm_final_log_size-after-successful-event-log-parsing.patch +Patch509: PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch + # END OF PATCH DEFINITIONS %endif @@ -1797,6 +1799,9 @@ fi # # %changelog +* Mon Oct 7 2019 Laura Abbott +- selinux fix (rhbz 1758597) + * Mon Oct 7 2019 Peter Robinson 5.3.4-300 - Linux v5.3.4
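Review bot: the new-file hunk commits the full mail transport envelope (the `From mboxrd@z` line, every `Received:` hop, `X-Google-DKIM-Signature`, `X-Gm-Message-State`, `X-Received`, `Archived-At`/`List-Archive`) into PATCH-v2-selinux-allow-labeling-before-policy-is-loaded.patch. None of it is needed for the patch to apply; trimming the file to the `From:`/`Subject:`/`Date:`/`Message-Id:` headers and the body keeps the provenance (the lore Message-Id) while making the file reviewable and diffable against later revisions of the upstream submission.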
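Review bot: in the inner `@@ -3142` hunk of security/selinux/hooks.c, the early return `if (!selinux_state.initialized) return (inode_owner_or_capable(inode) ? 0 : -EPERM);` is placed before the `SBLABEL_MNT` superblock check and before the relabel permission checks that follow, so while no policy is loaded any inode owner or CAP_FOWNER holder may write an arbitrary value into `security.selinux` with no validation of the context string. That is the behaviour the cover text asks for, but it should be stated in a comment above the return (the value is accepted unchecked and only becomes meaningful on revalidation after policy load) so a later reader does not take the missing `dentry_has_perm` checks for an oversight.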
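Review bot: in the inner `@@ -3225` hunk of selinux_inode_post_setxattr, the comment says the label is left invalid, but the block just returns before `security_context_to_sid_force` and never touches the in-core security struct; it relies on the inode already carrying `LABEL_INVALID` from the unlabeled-creation path. Name `LABEL_INVALID` in the comment, as the commit message does, so the coupling between this early return and the later revalidation (which is what turns the stored xattr into a usable SID) is explicit at the code site.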