Developers of packages please pay attention to selinux labeling.

Daniel J Walsh dwalsh at redhat.com
Tue Jul 13 14:18:46 UTC 2010


On 07/13/2010 10:11 AM, Christopher Brown wrote:
> On 13 July 2010 14:44, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> On 07/13/2010 09:30 AM, Rahul Sundaram wrote:
>>> On 07/13/2010 06:58 PM, Christopher Brown wrote:
>>>> No. SELinux is unacceptable when it displays ridiculous warning
>>>> messages to users telling them it has detected suspicious activity on
>>>> a system that has ONLY JUST BEEN INSTALLED.
>>>>
>>>
>>> That should have failed the release criteria as it is written
>>> currently.  Let the QA team know by citing bug numbers.
>>>
>>> Rahul
>>>
>> All of the bugs like this
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=567454
>>
>> The problem is without the rpm_exec_t label it runs as initrc_t which is
>> an unconfined domain.  It creates /tmp output files and redirects the
>> stdout of all packages being updated.  If any confined app transitions
>> it attempts to append to a file labeled tmp_t rather than rpm_tmp_t.
>>
>> This caused all confined applications to generate an AVC like
>>
>> node=(removed) type=AVC msg=audit(1266885495.204:24851): avc:  denied  {
>> read append } for  pid=6724 comm="tzdata-update" path="/tmp/tmpNJCaKB"
>> dev=dm-1 ino=110966 scontext=unconfined_u:system_r:tzdata_t:s0-s0:c0.c1023
>> tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
>>
>> It is obviously difficult to trace this type of error back to packagekit.
>>
>> It just takes a few seconds to send us a heads up and we can fix the
>> next selinux policy package.
>>
>> These are the things labeled rpm_exec_t on a Fedora machine
>>
>> /usr/libexec/yumDBUSBackend.py
>> /bin/rpm
>> /usr/bin/rpm
>> /usr/bin/yum
>> /usr/sbin/pup
>> /usr/bin/smart
>> /usr/sbin/pirut
>> /usr/bin/apt-get
>> /usr/sbin/up2date
>> /usr/sbin/synaptic
>> /usr/bin/apt-shell
>> /usr/sbin/rhn_check
>> /usr/sbin/yum-updatesd
>> /usr/libexec/packagekitd
>> /usr/libexec/ricci-modrpm
>> /usr/bin/fedora-rmdevelrpms
>> /usr/bin/rpmdev-rmdevelrpms
>> /usr/sbin/system-install-packages
>> /usr/share/yumex/yum_childtask\.py
>> /usr/sbin/yum-complete-transaction
>> /usr/share/yumex/yumex-yum-backend
>>
>>
>> So putting this into the packagekitd package does not make sense.
>>
>> As long as you give us a heads up we can prevent these types of blowups.
>> Since this policy is shared between yum, packagekit
> 
> Whilst I appreciate your huge efforts to provide users with a more
> secure system, you need to realise that SELinux as it stands at the
> moment is utterly broken. As you clearly don't think this is the case,
> please spend some time in userland before beating on developers for
> not caring about this.
> 
> If we can't even build (and QA!) a system that ships without SELinux
> warnings, there is clearly a problem. Adding SELinux checks to Fedora
> development slows things down even further. You really need to work
> with the AutoQA people to get this automated. Developers simply
> shouldn't have to worry about this.
> 
> I understand wanting SELinux checks for *EL but for Fedora? Seriously?
> 
> Wow, just wow.
> 

We get the point you do not like SELinux.  Fine.

I don't want to get into a discussion of SELinux value here.  The goal
is just to get developers to think about the SELinux  of changing the
location of paths in their spec file after release, just like they would
think of the Ownership/Permission changes in the spec file.  We usually
catch these things in Rawhide quickly but if it happens in a released
package, it can lead more people to think SELinux is just broken.
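
A sketch of the kind of pre-release check the message asks packagers to think about, as an added example that is not part of the original mail or of any Fedora tooling: it compares the file lists of two releases of a package and reports executables that used to match an rpm_exec_t path spec and were moved to a path no spec covers. The spec list is a subset of the paths quoted above, the two file lists are constructed, and the function names are hypothetical.

```python
import re

# Subset of the paths the message lists as labeled rpm_exec_t. File-context
# path specs are regular expressions matched against the whole path.
RPM_EXEC_T_SPECS = [
    r"/bin/rpm",
    r"/usr/bin/rpm",
    r"/usr/bin/yum",
    r"/usr/libexec/packagekitd",
    r"/usr/share/yumex/yum_childtask\.py",
    r"/usr/sbin/yum-complete-transaction",
]

def matching_spec(path, specs=RPM_EXEC_T_SPECS):
    """Return the first spec whose regex matches the entire path, else None."""
    for spec in specs:
        if re.fullmatch(spec, path):
            return spec
    return None

def relocated_without_label(old_files, new_files, specs=RPM_EXEC_T_SPECS):
    """Return (old_path, new_path) pairs for files that matched a spec in the
    old release and now live, under the same basename, at an uncovered path."""
    new_by_name = {}
    for path in new_files:
        new_by_name.setdefault(path.rsplit("/", 1)[-1], []).append(path)
    findings = []
    for old in old_files:
        if old in new_files or matching_spec(old, specs) is None:
            continue  # unchanged path, or never carried the label
        for new in new_by_name.get(old.rsplit("/", 1)[-1], []):
            if matching_spec(new, specs) is None:
                findings.append((old, new))
    return findings

# Constructed sample: file lists of two hypothetical releases of one package.
OLD = ["/usr/libexec/packagekitd", "/usr/bin/pkcon",
       "/usr/share/yumex/yum_childtask.py"]
NEW = ["/usr/lib/packagekit/packagekitd", "/usr/bin/pkcon",
       "/usr/share/yumex/yum_childtask.py"]

if __name__ == "__main__":
    for old, new in relocated_without_label(OLD, NEW):
        print(f"{old} -> {new}: no rpm_exec_t spec matches the new path")
```

On an installed system, `matchpathcon <path>` answers the same question against the real policy rather than a hand-copied list.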


