We have encountered a problem when performing an RPM update while Integrity
Measurement Architecture (IMA) signatures are applied to the files. In other
words, we are having a problem with the "--signfiles" support in the RPM
package.
When we install a new glibc RPM on a system with SELinux and IMA enabled, we
are seeing appraise errors with 3 files. Looking at an strace (see attached), I
see that the files are referenced different from the normal sequence (i.e. of
open, lsetxattr of security.ima, lsetxattr of security.selinux, rename) and
instead, there is a hard link call made before the open. Taking just one of
these files that results in an appraise error, namely
/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8, and looking for references to it
and some related files (i.e. /usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8
and /usr/libexec/getconf/POSIX_V7_LP64_OFF64), I see the following summary:
Create POSIX_V6 temp file and rename as POSIX_V6 regular file and hard link
POSIX_V7 temp file to POSIX_V6 regular file and rename POSIX_V7 temp file as
POSIX_V7 regular file and hard link XBS5 temp file to POSIX_V6 regular file and
open XBS5 temp file and then set security.ima on the XBS5 temp file. Since the
set of security.ima is done after the open and the open will not be creating a
file since it has a hard link to an existing file at that point, the open will
encounter an appraise error (in this strace, just resulting in a log entry)
since the security.ima signature will not be found.
Below are the relevant entries within the strace to support the problem summary
above:
write(2, "create 100755 3 ( 0, 0)"..., 89create 100755 3 ( 0,
0) 0 /usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8
open("/usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8",
O_WRONLY|O_CREAT|O_TRUNC, 0666) = 30
lstat("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", {st_mode=S_IFREG|0755,
st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", {st_mode=S_IFREG|0755,
st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/POSIX_V6_LP64_OFF64", "security.capability")
= -1 ENODATA (No data available)
rename("/usr/libexec/getconf/POSIX_V6_LP64_OFF64;59d3a6c8",
"/usr/libexec/getconf/POSIX_V6_LP64_OFF64") = 0
write(2, "create 100755 3 ( 0, 0)"..., 89create 100755 3 ( 0,
0) 0 /usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8
link("/usr/libexec/getconf/POSIX_V6_LP64_OFF64",
"/usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8") = 0
lstat("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", {st_mode=S_IFREG|0755,
st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", {st_mode=S_IFREG|0755,
st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/POSIX_V7_LP64_OFF64", "security.capability")
= -1 ENODATA (No data available)
rename("/usr/libexec/getconf/POSIX_V7_LP64_OFF64;59d3a6c8",
"/usr/libexec/getconf/POSIX_V7_LP64_OFF64") = 0
write(2, "create 100755 3 ( 0, 0)"..., 85create 100755 3 ( 0,
0) 26648 /usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8
link("/usr/libexec/getconf/POSIX_V6_LP64_OFF64",
"/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8") = 0
open("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", O_WRONLY|O_CREAT|O_TRUNC,
0666) = 30
chown("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 0, 0) = 0
chmod("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", 0755) = 0
utimensat(AT_FDCWD, "/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8",
{{1506436625, 0}, (1506436625, 0}}, AT_SYMLINK_NOFOLLOW) = 0
lsetxattr("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", "security.ima",
"...", 265, 0) = 0
lsetxattr("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8", "security.selinux",
"system_u:object_r:bin_t:s0", 27, 0) = 0
write(2, "lsetfilecon: (/usr/libexec/getco"..., 90lsetfilecon:
(/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8, system_u:object_r:bin_t:s0)
lstat("/usr/libexec/getconf/XBS5_LP64_OFF64", {st_mode=S_IFREG|0755,
st_size=26648, ...}) = 0
lstat("/usr/libexec/getconf/XBS5_LP64_OFF64", {st_mode=S_IFREG|0755,
st_size=26648, ...}) = 0
removexattr("/usr/libexec/getconf/XBS5_LP64_OFF64", "security.capability") = -1
ENODATA (No data available)
rename("/usr/libexec/getconf/XBS5_LP64_OFF64;59d3a6c8",
"/usr/libexec/getconf/XBS5_LP64_OFF64") = 0
As you can see in the sequence above, an open of an existing file (because it
is a hard link) is made before the lsetxattr call to add the IMA signature and
this is the problem. Note, although the open of the existing file is performed
with the O_TRUNC option, by design, the IMA support in the kernel appraises the
file (i.e. validates the signature) before the truncation of the file.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/333
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint