On Thu, Sep 24, 2020 at 12:39:02PM +0200, Pino Toscano wrote:
...
> There are various cases when, even on an enforcing system, labels are
> not kept up-to-date:
>
> $ getenforce
> Enforcing
> $ touch /tmp/test
> $ ls -lZ /tmp/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test
> $ mv /tmp/test ~/var/
> $ ls -lZ ~/var/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
> $ restorecon -v ~/var/test
> Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0 to unconfined_u:object_r:user_home_t:s0
> $ ls -lZ ~/var/test
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test
That's definitely a weird thing.  Bug maybe?

> Considering that /tmp is a general location for temporary files, it's
> common that files may end with a tmp_t-alike label when moved back to
> the destination place (e.g. after a rename()).  That is not the only
> situation like this that I saw in the past.
>
> In permissive mode, all these situations are logged in the audit log,
> yes, but they cause no blocks nor errors.
>
> > It's also fine for an administrator to
> > switch a system to permissive and then back to enforcing without
> > relabelling or rebooting.
>
> A mislabelled /etc/passwd is still read and used fine in permissive
> mode.  Switching back from permissive to enforcing without a relabelling
> is generally not a good idea, especially after the system ran for a
> lot of time after the switch to permissive.

It seems true from what you wrote above that someone could copy
/tmp/passwd -> /etc/passwd and it would have a wrong label.  But
virt-v2v could fix that label, which even in permissive mode sounds
like a win.

My question is what's the down-side to relabelling in permissive mode?
(I can see in *disabled* mode it's just a waste of time because the
work we do for relabelling in virt-v2v is just going to be undone when
the guest boots with SELinux disabled).

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

_______________________________________________
Libguestfs mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libguestfs
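An added example, not code from this thread or from virt-v2v: a small Python check in the spirit of `restorecon -nv` that parses `ls -lZ` lines like the ones quoted above and reports files whose type differs from what the file-contexts rules assign. The rule table, the sample lines and the "last matching rule wins" matcher are constructed simplifications (a real policy's `file_contexts` and libselinux's specificity ordering are more involved).

```python
import re

# Constructed, simplified file-contexts table (hypothetical; not a real
# /etc/selinux/*/contexts/files/file_contexts): path regex -> expected type.
# Simplification: rules are tried in order and the last match wins.
FILE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/etc/.*", "etc_t"),
    (r"/etc/passwd", "passwd_file_t"),
    (r"/tmp/.*", "user_tmp_t"),
    (r"/home/[^/]+/.*", "user_home_t"),
]

# One "ls -lZ" line: perms links user group context size month day time path
LS_Z_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+"
    r"(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+):(?P<level>\S+)\s+"
    r"\d+\s+\w+\s+\d+\s+[\d:]+\s+(?P<path>/\S+)$"
)


def expected_type(path):
    """Type assigned by the last matching rule (simplified matchpathcon)."""
    chosen = None
    for pattern, selinux_type in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            chosen = selinux_type
    return chosen


def parse_ls_z(line):
    """Return (path, type) from an 'ls -lZ' line, or raise on garbage."""
    m = LS_Z_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -lZ line: %r" % line)
    return m.group("path"), m.group("type")


def find_mislabelled(lines):
    """List (path, actual_type, expected_type) for every mislabelled file."""
    findings = []
    for line in lines:
        path, actual = parse_ls_z(line)
        wanted = expected_type(path)
        if wanted != actual:
            findings.append((path, actual, wanted))
    return findings


# Constructed sample, modelled on the "ls -lZ" output quoted in the thread.
SAMPLE = [
    "-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /tmp/test",
    "-rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep 24 12:26 /home/ptoscano/var/test",
    "-rw-r--r--. 1 root root system_u:object_r:user_tmp_t:s0 0 Sep 24 12:30 /etc/passwd",
]

if __name__ == "__main__":
    for path, actual, wanted in find_mislabelled(SAMPLE):
        print("%s: %s, should be %s" % (path, actual, wanted))
```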
