Developers of packages please pay attention to selinux labeling.

Christopher Brown snecklifter at gmail.com
Tue Jul 13 14:11:44 UTC 2010


On 13 July 2010 14:44, Daniel J Walsh <dwalsh at redhat.com> wrote:
> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>>> No. SELinux is unacceptable when it displays ridiculous warning
>>> messages to users telling them it has detected suspicious activity on
>>> a system that has ONLY JUST BEEN INSTALLED.
>>>
>>
>> That should have failed the release criteria as it is written
>> currently.  Let the QA team know by citing bug numbers.
>>
>> Rahul
>>
> All of the bugs like this
>
> https://bugzilla.redhat.com/show_bug.cgi?id=567454
>
> The problem is without the rpm_exec_t label it runs as initrc_t which is
> an unconfined domain.  It creates /tmp output files and redirects the
> stdout of all packages being updated.  If any confined app transitions
> it attempts to append to a file labeled tmp_t rather than rpm_tmp_t.
>
> This caused all confined applications to generate an AVC like
>
> node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  {
> read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB"
> dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
>
> It is obviously difficult to trace this type of error back to packagekit.
>
> It just takes a few seconds to send us a heads up and we can fix the
> next selinux policy package.
>
> These are the things labeled rpm_exec_t on a Fedora machine
>
> /usr/libexec/yumDBUSBackend.py
> /bin/rpm
> /usr/bin/rpm
> /usr/bin/yum
> /usr/sbin/pup
> /usr/bin/smart
> /usr/sbin/pirut
> /usr/bin/apt-get
> /usr/sbin/up2date
> /usr/sbin/synaptic
> /usr/bin/apt-shell
> /usr/sbin/rhn_check
> /usr/sbin/yum-updatesd
> /usr/libexec/packagekitd
> /usr/libexec/ricci-modrpm
> /usr/bin/fedora-rmdevelrpms
> /usr/bin/rpmdev-rmdevelrpms
> /usr/sbin/system-install-packages
> /usr/share/yumex/yum_childtask\.py
> /usr/sbin/yum-complete-transaction
> /usr/share/yumex/yumex-yum-backend
>
>
> So putting this into the packagekitd package does not make sense.
>
> As long as you give us a heads up we can prevent these types of blowups.
> Since this policy is shared between yum, packagekit

Whilst I appreciate your huge efforts to provide users with a more
secure system, you need to realise that SELinux as it stands at the
moment is utterly broken. As you clearly don't think this is the case,
please spend some time in userland before beating on developers for
not caring about this.

If we can't even build (and QA!) a system that ships without SELinux
warnings, there is clearly a problem. Adding SELinux checks to Fedora
development slows things down even further. You really need to work
with the AutoQA people to get this automated. Developers simply
shouldn't have to worry about this.

I understand wanting SELinux checks for *EL but for Fedora? Seriously?

Wow, just wow.

-- 
Christopher Brown
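The AVC record Dan quotes has a recognisable shape: a confined domain denied append on a tmp_t file under /tmp, which is the trace a package scriptlet leaves when the package manager that redirected its stdout ran unlabeled. As an added example (not code from the thread or from PackageKit), this parser pulls the fields out of audit lines and flags records matching that pattern; the heuristic and the second, unrelated sample denial are my own constructions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the AVC record quoted in the message above plus one
# unrelated (hypothetical) denial so the filter has something to ignore.
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  { read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB" dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1266885600.000:24900): avc:  denied  { write } for  pid=7001 comm="httpd" path="/srv/www/index.html" dev=dm-1 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str
    perms: frozenset
    fields: dict

    def type_of(self, ctx):
        """Return the type component (third field) of scontext/tcontext."""
        return self.fields[ctx].split(":")[2]


def parse_avc(line):
    """Parse one audit line into an Avc, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return Avc(m["result"], frozenset(m["perms"].split()), fields)


def is_rpm_tmp_symptom(avc):
    """Heuristic (not a policy rule): a denied append on a tmp_t file under /tmp
    is what a scriptlet produces when its parent package manager ran unlabeled,
    so its redirected output file got tmp_t instead of rpm_tmp_t."""
    return (avc.result == "denied"
            and avc.fields.get("tclass") == "file"
            and avc.type_of("tcontext") == "tmp_t"
            and avc.fields.get("path", "").startswith("/tmp/")
            and "append" in avc.perms)


def find_rpm_tmp_symptoms(audit_text):
    """Return (pid, comm, source type, path) for each matching record."""
    hits = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and is_rpm_tmp_symptom(avc):
            hits.append((avc.fields["pid"], avc.fields["comm"],
                         avc.type_of("scontext"), avc.fields["path"]))
    return hits
```

A hit names the confined domain and the /tmp path, which is the heads-up the policy maintainers ask for; on a real host feed it `ausearch -m avc` output instead of the sample.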

