Re: is_selinux_enabled() after chroot()
On Mon, Jun 18, 2018 at 04:06:11PM -0400, Stephen Smalley wrote:
> On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> > Hello,
> >
> > libselinux sets selinut_mnt and has_selinux_config only in its constructor
> > and
> > is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> > enabled. But it doesn't work correctly when you use chroot() to a directory
> > without /proc
> > and /sys/fs/selinux mounted as it was discovered in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1321375
> >
> > In this case, is_selinux_enabled() after chroot() returns true while in a
> > new
> > program run from chrooted process it returns false. It can be demonstrated
> > by
> > the steps below.
> >
> > The solution could be to check if selinux_mnt still exists whenever a
> > function
> > depending on this is called. Would this be acceptable?
>
> You want to call stat() or access(F_OK) on selinux_mnt and/or SELINUXCONFIG
> in is_selinux_enabled()?
Yes. I was thinking about something like this:
@@ -16,7 +16,7 @@ int is_selinux_enabled(void)
#ifdef ANDROID
return (selinux_mnt ? 1 : 0);
#else
- return (selinux_mnt && has_selinux_config);
+ return (selinux_mnt && (access(selinux_mnt, F_OK) == 0) &&
has_selinux_config);
#endif
}
But the problem seems to be more complex and it would probably be better to fix
it on a callers side - mount /sys/fs/selinux and /proc into chroots or do all
SELinux checks before chroot().
> Could potentially trigger a permission check that wasn't previously required,
> thereby breaking existing policies.
> Caller might just be checking to see if SELinux is enabled before using
> interfaces other than selinuxfs (e.g. setexeccon, setfilecon, etc) and
> therefore didn't previously need permissions to selinuxfs or
> /etc/selinux/config.
> So, possible but you'd need to make sure you don't break anything.
> Definitely don't want that changed in Android.
> >
> >
> >
> >
> > $ sudo dnf --nogpg --installroot=/var/lib/machines/example install systemd
> >
> > $ cat > test_libselinux.c < > #include
> > #include
> > #include
> > #include
> > #include
> >
> > int main(int argc, char *argv[]) {
> > pid_t pid;
> > int wstatus;
> >
> > if (argc > 1) {
> > printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
> > return 0;
> > }
> > if (chroot("/var/lib/machines/example") != 0)
> > return -1;
> >
> > printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
> > printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
> > printf("/etc/selinux/config exists: %d\n\n",
> > access("/etc/selinux/config", F_OK));
> >
> > if ((pid = fork()) == 0 ) {
> > execv("./test_is_selinux_enabled", (char *[]){
> > "./test_is_selinux_enabled", "chrooted", NULL});
> > }
> >
> > wait();
> > return 0;
> > }
> > EOF
> >
> > $ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
> >
> > $ sudo ./test_is_selinux_enabled
> > SELinux in process after chroot(): 1
> > /sys/fs/selinux exists: -1
> > /etc/selinux/config exists: -1
> >
> > SELinux in chrooted process: 0
> >
> >
> >
> > ___
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> > To get help, send an email containing "help" to
> > selinux-requ...@tycho.nsa.gov.
> >
>
signature.asc
Description: PGP signature
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: is_selinux_enabled() after chroot()
On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> Hello,
>
> libselinux sets selinut_mnt and has_selinux_config only in its constructor and
> is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> enabled. But it doesn't work correctly when you use chroot() to a directory
> without /proc
> and /sys/fs/selinux mounted as it was discovered in
> https://bugzilla.redhat.com/show_bug.cgi?id=1321375
>
> In this case, is_selinux_enabled() after chroot() returns true while in a new
> program run from chrooted process it returns false. It can be demonstrated by
> the steps below.
>
> The solution could be to check if selinux_mnt still exists whenever a function
> depending on this is called. Would this be acceptable?
You want to call stat() or access(F_OK) on selinux_mnt and/or SELINUXCONFIG in
is_selinux_enabled()?
Could potentially trigger a permission check that wasn't previously required,
thereby breaking existing policies.
Caller might just be checking to see if SELinux is enabled before using
interfaces other than selinuxfs (e.g. setexeccon, setfilecon, etc) and
therefore didn't previously need permissions to selinuxfs or
/etc/selinux/config.
So, possible but you'd need to make sure you don't break anything. Definitely
don't want that changed in Android.
>
>
>
>
> $ sudo dnf --nogpg --installroot=/var/lib/machines/example install systemd
>
> $ cat > test_libselinux.c < #include
> #include
> #include
> #include
> #include
>
> int main(int argc, char *argv[]) {
> pid_t pid;
> int wstatus;
>
> if (argc > 1) {
> printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
> return 0;
> }
> if (chroot("/var/lib/machines/example") != 0)
> return -1;
>
> printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
> printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
> printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config",
> F_OK));
>
> if ((pid = fork()) == 0 ) {
> execv("./test_is_selinux_enabled", (char *[]){
> "./test_is_selinux_enabled", "chrooted", NULL});
> }
>
> wait();
> return 0;
> }
> EOF
>
> $ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
>
> $ sudo ./test_is_selinux_enabled
> SELinux in process after chroot(): 1
> /sys/fs/selinux exists: -1
> /etc/selinux/config exists: -1
>
> SELinux in chrooted process: 0
>
>
>
> ___
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
>
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
is_selinux_enabled() after chroot()
Hello,
libselinux sets selinut_mnt and has_selinux_config only in its constructor and
is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
enabled. But it doesn't work correctly when you use chroot() to a directory
without /proc
and /sys/fs/selinux mounted as it was discovered in
https://bugzilla.redhat.com/show_bug.cgi?id=1321375
In this case, is_selinux_enabled() after chroot() returns true while in a new
program run from chrooted process it returns false. It can be demonstrated by
the steps below.
The solution could be to check if selinux_mnt still exists whenever a function
depending on this is called. Would this be acceptable?
$ sudo dnf --nogpg --installroot=/var/lib/machines/example install systemd
$ cat > test_libselinux.c <
#include
#include
#include
#include
int main(int argc, char *argv[]) {
pid_t pid;
int wstatus;
if (argc > 1) {
printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
return 0;
}
if (chroot("/var/lib/machines/example") != 0)
return -1;
printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config",
F_OK));
if ((pid = fork()) == 0 ) {
execv("./test_is_selinux_enabled", (char *[]){ "./test_is_selinux_enabled",
"chrooted", NULL});
}
wait();
return 0;
}
EOF
$ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
$ sudo ./test_is_selinux_enabled
SELinux in process after chroot(): 1
/sys/fs/selinux exists: -1
/etc/selinux/config exists: -1
SELinux in chrooted process: 0
signature.asc
Description: PGP signature
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
