On Thu, Sep 24, 2020 at 12:39:02PM +0200, Pino Toscano wrote:
...
> There are various cases when, even on an enforcing system, labels are
> not kept up-to-date:
>
> $ getenforce
> Enforcing
> $ touch /tmp/test
> $ ls -lZ /tmp/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test
> $ mv /tmp/test ~/var/
> $ ls -lZ ~/var/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
> $ restorecon -v ~/var/test
> Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0
> $ ls -lZ ~/var/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
That's definitely a weird thing. Bug maybe?
> Considering that /tmp is a general location for temporary files, it's
> common that files may end up with a tmp_t-alike label when moved back to
> the destination place (e.g. after a rename()). That is not the only
> situation like this that I saw in the past.
>
> In permissive mode, all these situations are logged in the audit log,
> yes, but they cause no blocks or errors.
>
> > It's also fine for an administrator to
> > switch a system to permissive and then back to enforcing without
> > relabelling or rebooting.
>
> A mislabelled /etc/passwd is still read and used fine in permissive
> mode. Switching back from permissive to enforcing without a relabelling
> is generally not a good idea, especially after the system ran for a
> long time after the switch to permissive.
It seems true from what you wrote above that someone could copy
/tmp/passwd -> /etc/passwd and it would have a wrong label. But
virt-v2v could fix that label, which even in permissive mode sounds
like a win.
My question is what's the down-side to relabelling in permissive mode?
(I can see in *disabled* mode it's just a waste of time because the
work we do for relabelling in virt-v2v is just going to be undone when
the guest boots with SELinux disabled).
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine. Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/
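To make the stale-label case in the session above concrete, here is an added example (it is not from this thread and not virt-v2v code) that scans `ls -lZ` output for files outside /tmp and /var/tmp that still carry a tmp_t-style type, which is what a file moved out of /tmp with mv or rename() keeps until something relabels it. The listing lines are constructed to match the session Pino posted; the "type ends in tmp_t" rule and the /tmp and /var/tmp exclusions are assumptions for the example, not anything taken from the SELinux policy.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from virt-v2v.
# Find files that kept a tmp_t-alike SELinux type after leaving /tmp.
# Works on `ls -lZ` output so it can be run on a saved listing from a
# guest image without needing SELinux tools on the host.

# Print the type component (third field) of an SELinux security context,
# e.g. unconfined_u:object_r:user_tmp_t:s0 -> user_tmp_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -lZ` lines on stdin and print "path context" for each regular
# file outside /tmp and /var/tmp whose type ends in tmp_t.  The suffix
# rule and the excluded directories are assumptions made for this example.
find_stale_tmp_labels() {
    # Field layout of `ls -lZ`: mode links owner group context size mon day time path
    while read -r mode links owner group ctx size mon day time path; do
        # Only regular files (mode starts with '-'); skip dirs, totals, blank lines.
        case "$mode" in
            -*) ;;
            *) continue ;;
        esac
        # A tmp label is expected under the temporary directories themselves.
        case "$path" in
            /tmp/*|/var/tmp/*) continue ;;
        esac
        case "$(selinux_type "$ctx")" in
            *tmp_t) printf '%s %s\n' "$path" "$ctx" ;;
        esac
    done
}

# Constructed sample listing in the format of the session above: one file
# still in /tmp, one moved into $HOME with its old label, one correctly labelled.
SAMPLE='-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test
-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/ok'

# Only the moved file should be reported.
printf '%s\n' "$SAMPLE" | find_stale_tmp_labels
```

On a live SELinux system the authoritative check is the policy itself rather than a suffix heuristic: `restorecon -nv -R <dir>` dry-runs the relabel and prints every file whose context differs from what the file contexts say it should be, and dropping `-n` applies the fix, as the `restorecon -v` call in the session does for a single file.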