Hi!

On Wed, 2017-01-25 at 12:02:47 +0100, cgzones wrote:
> Package: dpkg
> Version: 1.18.18
> User: selinux-de...@lists.alioth.debian.org
> Usertags: selinux
> Currently, dpkg runs its maintainer tasks in the SELinux type
> dpkg_script_t without changing the SELinux user or role.
> So when running root as sysadm_u:sysadm_r:sysadm_t, the tasks will be
> run in unconfined_u:unconfined_r:dpkg_script_t.
> The problem is the postinst scripts: They create files and run binaries.
> Almost all the files created in this way do not have the correct file
> context system_u:object_r:*, which can break a ubac enabled system.
> e.g.:
>
> Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0
> to system_u:object_r:usr_t:s0
> Would relabel /usr/share/info/dir from staff_u:object_r:usr_t:s0 to
> system_u:object_r:usr_t:s0
> Would relabel /var/cache/man/pt/index.db from
> unconfined_u:object_r:man_cache_t:s0 to
> system_u:object_r:man_cache_t:s0
>
> Also, for example, the exim4 post install script does some work
> leading to run exim in system_mail_t, which is not allowed to run
> under the roles sysadm_r/unconfined_r.
>
> type=PROCTITLE msg=audit(01/24/17 15:51:28.963:2602) :
> proctitle=/usr/sbin/exim4 -C /var/lib/exim4/config.autogenerated.tmp
> -bV
> type=SYSCALL msg=audit(01/24/17 15:51:28.963:2602) : arch=armeb
> syscall=socket per=PER_LINUX_32BIT success=yes exit=4 a0=local
> a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=22511 pid=22748
> auid=christian uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=pts1 ses=359 comm=exim4
> exe=/usr/sbin/exim4 subj=staff_u:sysadm_r:system_mail_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) :
> op=security_compute_sid
> invalid_context=staff_u:sysadm_r:system_mail_t:s0
> scontext=staff_u:sysadm_r:system_mail_t:s0
> tcontext=staff_u:sysadm_r:system_mail_t:s0 tclass=unix_stream_socket
>
> This can cause issues when upgrading packages in enforced mode even as
> unconfined user.
>
> The following dpkg patch runs the maintainer tasks in the context
> system_u:system_r:dpkg_script_t (may be altered inside the SELinux
> policy):

Thanks, but this patch feels all wrong to me. This is similar to what
RPM has been using supposedly w/o problems up to now. I also refactored
the function setexecfilecon() upstream so that both RPM and dpkg could
use it w/o having to duplicate the same code.

Why can't the SELinux policy be changed/corrected to fix the
aforementioned problem? Is that not possible?

Thanks,
Guillem
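
Added example, not part of the original message or of dpkg: a small Python check that groups audit records by event and reports each `security_compute_sid` rejection with the rejected user, role and type plus the executable from the matching SYSCALL record. The sample input is the audit excerpt quoted in the report above, rejoined onto single lines; the function and variable names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Audit records quoted in the report above, rejoined onto single lines.
SAMPLE = """\
type=PROCTITLE msg=audit(01/24/17 15:51:28.963:2602) : proctitle=/usr/sbin/exim4 -C /var/lib/exim4/config.autogenerated.tmp -bV
type=SYSCALL msg=audit(01/24/17 15:51:28.963:2602) : arch=armeb syscall=socket per=PER_LINUX_32BIT success=yes exit=4 a0=local a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=22511 pid=22748 auid=christian uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=359 comm=exim4 exe=/usr/sbin/exim4 subj=staff_u:sysadm_r:system_mail_t:s0 key=(null)
type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) : op=security_compute_sid invalid_context=staff_u:sysadm_r:system_mail_t:s0 scontext=staff_u:sysadm_r:system_mail_t:s0 tcontext=staff_u:sysadm_r:system_mail_t:s0 tclass=unix_stream_socket
"""

# Record header: type, then "msg=audit(<timestamp>:<serial>)", then the fields.
HEADER = re.compile(r"^type=(\S+) msg=audit\(([^)]*):(\d+)\)\s*:\s*(.*)$")
FIELD = re.compile(r"(\w+)=(\S+)")

def invalid_contexts(text):
    """Return one finding per audit event whose SELINUX_ERR record reports
    a context rejected by security_compute_sid."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, stamp, serial, body = m.groups()
        # Records sharing timestamp and serial belong to the same event.
        events[(stamp, serial)][rtype] = dict(FIELD.findall(body))
    findings = []
    for (stamp, serial), recs in events.items():
        err = recs.get("SELINUX_ERR", {})
        if err.get("op") != "security_compute_sid" or "invalid_context" not in err:
            continue
        # user:role:type[:level]; an MLS/MCS level may itself contain colons.
        user, role, setype, *level = err["invalid_context"].split(":")
        findings.append({
            "event": serial, "user": user, "role": role, "type": setype,
            "tclass": err.get("tclass"),
            "exe": recs.get("SYSCALL", {}).get("exe"),
        })
    return findings

if __name__ == "__main__":
    for f in invalid_contexts(SAMPLE):
        print("event {event}: {exe} rejected as {user}:{role}:{type} ({tclass})".format(**f))
```
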