[kernel/f20] Add patch to fix SELinux labels on /proc files (rhbz 1084829)

Josh Boyer jwboyer at fedoraproject.org
Wed Apr 9 14:06:14 UTC 2014


commit c4920da303e1abf4502c4aaa37027274b7013e63
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Apr 9 10:05:37 2014 -0400

    Add patch to fix SELinux labels on /proc files (rhbz 1084829)

 kernel.spec                                        |    7 ++
 ...rectly-label-proc-inodes-in-use-before-th.patch |  109 ++++++++++++++++++++
 2 files changed, 116 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 09bece0..bd01576 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -777,6 +777,9 @@ Patch25054: rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
 #rhbz 1074235
 Patch25055: lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
 
+#rhbz 1084829
+Patch25056: selinux-correctly-label-proc-inodes-in-use-before-th.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
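Review bot: the `#rhbz 1084829` comment on the new Patch25056 line follows the convention of the neighbouring entries, but since the header of the new patch file records `Upstream-status: 3.15` and the upstream id f64410ec665479d7b4b77b7519e814253ed0f686, consider carrying that into this comment as well, e.g. `#rhbz 1084829 (upstream f64410ec, in 3.15)`, so that whoever rebases the spec onto 3.15 can see the patch is droppable without opening the file.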
@@ -1510,6 +1513,9 @@ ApplyPatch rds-prevent-dereference-of-a-NULL-device-in-rds_iw_laddr_check.patch
 #rhbz 1074235
 ApplyPatch lib-percpu_counter.c-fix-bad-percpu-counter-state-du.patch
 
+#rhbz 1084829
+ApplyPatch selinux-correctly-label-proc-inodes-in-use-before-th.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2322,6 +2328,7 @@ fi
 #                 ||     ||
 %changelog
 * Wed Apr 09 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- Add patch to fix SELinux lables on /proc files (rhbz 1084829)
 - Add patch to fix S3 in KVM guests (rhbz 1074235)
 
 * Thu Apr 03 2014 Justin M. Forbes <jforbes at fedoraproject.org> - 3.13.9-200
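Review bot: "lables" in the new changelog line is a typo for "labels"; this text is user-visible through `rpm -q --changelog kernel`, so it should read `- Add patch to fix SELinux labels on /proc files (rhbz 1084829)` before the build. Placement at the top of the existing Wed Apr 09 2014 block, which has no version-release suffix yet, is consistent with the Apr 03 entry below it carrying `3.13.9-200`.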
diff --git a/selinux-correctly-label-proc-inodes-in-use-before-th.patch b/selinux-correctly-label-proc-inodes-in-use-before-th.patch
new file mode 100644
index 0000000..5c05899
--- /dev/null
+++ b/selinux-correctly-label-proc-inodes-in-use-before-th.patch
@@ -0,0 +1,109 @@
+Bugzilla: 1084829
+Upstream-status: 3.15 (needs to be on 3.13 and 3.14)
+
+From f64410ec665479d7b4b77b7519e814253ed0f686 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore at redhat.com>
+Date: Wed, 19 Mar 2014 16:46:18 -0400
+Subject: [PATCH] selinux: correctly label /proc inodes in use before the
+ policy is loaded
+
+This patch is based on an earlier patch by Eric Paris, he describes
+the problem below:
+
+  "If an inode is accessed before policy load it will get placed on a
+   list of inodes to be initialized after policy load.  After policy
+   load we call inode_doinit() which calls inode_doinit_with_dentry()
+   on all inodes accessed before policy load.  In the case of inodes
+   in procfs that means we'll end up at the bottom where it does:
+
+     /* Default to the fs superblock SID. */
+     isec->sid = sbsec->sid;
+
+     if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+             if (opt_dentry) {
+                     isec->sclass = inode_mode_to_security_class(...)
+                     rc = selinux_proc_get_sid(opt_dentry,
+                                               isec->sclass,
+                                               &sid);
+                     if (rc)
+                             goto out_unlock;
+                     isec->sid = sid;
+             }
+     }
+
+   Since opt_dentry is null, we'll never call selinux_proc_get_sid()
+   and will leave the inode labeled with the label on the superblock.
+   I believe a fix would be to mimic the behavior of xattrs.  Look
+   for an alias of the inode.  If it can't be found, just leave the
+   inode uninitialized (and pick it up later) if it can be found, we
+   should be able to call selinux_proc_get_sid() ..."
+
+On a system exhibiting this problem, you will notice a lot of files in
+/proc with the generic "proc_t" type (at least the ones that were
+accessed early in the boot), for example:
+
+   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
+   system_u:object_r:proc_t:s0 /proc/sys/kernel/shmmax
+
+However, with this patch in place we see the expected result:
+
+   # ls -Z /proc/sys/kernel/shmmax | awk '{ print $4 " " $5 }'
+   system_u:object_r:sysctl_kernel_t:s0 /proc/sys/kernel/shmmax
+
+Cc: Eric Paris <eparis at redhat.com>
+Signed-off-by: Paul Moore <pmoore at redhat.com>
+Acked-by: Eric Paris <eparis at redhat.com>
+---
+ security/selinux/hooks.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index 1dd948485e48..d5d67c93b65c 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -1402,15 +1402,33 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
+ 		isec->sid = sbsec->sid;
+ 
+ 		if ((sbsec->flags & SE_SBPROC) && !S_ISLNK(inode->i_mode)) {
+-			if (opt_dentry) {
+-				isec->sclass = inode_mode_to_security_class(inode->i_mode);
+-				rc = selinux_proc_get_sid(opt_dentry,
+-							  isec->sclass,
+-							  &sid);
+-				if (rc)
+-					goto out_unlock;
+-				isec->sid = sid;
+-			}
++			/* We must have a dentry to determine the label on
++			 * procfs inodes */
++			if (opt_dentry)
++				/* Called from d_instantiate or
++				 * d_splice_alias. */
++				dentry = dget(opt_dentry);
++			else
++				/* Called from selinux_complete_init, try to
++				 * find a dentry. */
++				dentry = d_find_alias(inode);
++			/*
++			 * This can be hit on boot when a file is accessed
++			 * before the policy is loaded.  When we load policy we
++			 * may find inodes that have no dentry on the
++			 * sbsec->isec_head list.  No reason to complain as
++			 * these will get fixed up the next time we go through
++			 * inode_doinit() with a dentry, before these inodes
++			 * could be used again by userspace.
++			 */
++			if (!dentry)
++				goto out_unlock;
++			isec->sclass = inode_mode_to_security_class(inode->i_mode);
++			rc = selinux_proc_get_sid(dentry, isec->sclass, &sid);
++			dput(dentry);
++			if (rc)
++				goto out_unlock;
++			isec->sid = sid;
+ 		}
+ 		break;
+ 	}
+-- 
+1.8.5.3
+
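Review bot: the replacement block assigns to `dentry` without declaring it anywhere in the visible context of inode_doinit_with_dentry(), so the backport only compiles if the 3.13 and 3.14 versions of that function already have a `struct dentry *dentry` in scope; confirm that on both branches named in the `Upstream-status` line rather than relying on it having built against 3.15. Two behaviours of the new code are worth stating in the patch description rather than only in the in-code comment: when d_find_alias() returns NULL the code jumps to `out_unlock` with `rc` still 0 and `isec->sid` already set to `sbsec->sid`, so the inode keeps the generic superblock label until, per the comment, the next inode_doinit() call with a dentry re-labels it; and the reference taken by dget() or d_find_alias() is released with dput() before the `rc` check, so both the success and the error path are balanced. The `ls -Z /proc/sys/kernel/shmmax` before/after output in the description is the right verification for rhbz 1084829, since it shows exactly the effect that matters for policy: rules written against `sysctl_kernel_t` now apply to /proc inodes touched before policy load instead of those inodes silently falling under the catch-all `proc_t`.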


More information about the scm-commits mailing list