setupcon: do not copy security attribute

Christian Göttsche requested to merge cgzones/console-setup:selinux into master

When copying files into the temporary working directory do not copy the security context but use the default one for the target path. Otherwise, e.g. when using SELinux, the context might not be allowed on the destination filesystem and the process needs elevated access to the original context.

Example SELinux denials:

type=PROCTITLE msg=audit(04/04/22 17:40:53.561:420) : proctitle=cp -a /dev/null /var/tmp/mkinitramfs_Z1QJRk/etc/console-setup/null 
type=PATH msg=audit(04/04/22 17:40:53.561:420) : item=1 name=/var/tmp/mkinitramfs_Z1QJRk/etc/console-setup/null inode=1708779 dev=fe:04 mode=character,600 ouid=root ogid=root rdev=01:03 obj=system_u:object_r:null_device_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/04/22 17:40:53.561:420) : item=0 name=/var/tmp/mkinitramfs_Z1QJRk/etc/console-setup/ inode=1708776 dev=fe:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/04/22 17:40:53.561:420) : cwd=/root 
type=SYSCALL msg=audit(04/04/22 17:40:53.561:420) : arch=x86_64 syscall=mknodat success=yes exit=0 a0=AT_FDCWD a1=0x7fffe5a5a761 a2=0600 a3=0x103 items=2 ppid=28897 pid=28898 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts8 ses=4 comm=cp exe=/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/04/22 17:40:53.561:420) : avc:  denied  { associate } for  pid=28898 comm=cp name=null scontext=system_u:object_r:null_device_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 
type=AVC msg=audit(04/04/22 17:40:53.561:420) : avc:  denied  { create } for  pid=28898 comm=cp name=null scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(04/04/22 17:40:53.561:421) : proctitle=cp -a /dev/null /var/tmp/mkinitramfs_Z1QJRk/etc/console-setup/null 
type=PATH msg=audit(04/04/22 17:40:53.561:421) : item=0 name=/var/tmp/mkinitramfs_Z1QJRk/etc/console-setup/null inode=1708779 dev=fe:04 mode=character,600 ouid=root ogid=root rdev=01:03 obj=system_u:object_r:null_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/04/22 17:40:53.561:421) : cwd=/root 
type=SYSCALL msg=audit(04/04/22 17:40:53.561:421) : arch=x86_64 syscall=utimensat success=yes exit=0 a0=AT_FDCWD a1=0x7fffe5a5a761 a2=0x7fffe5a58330 a3=0x0 items=1 ppid=28897 pid=28898 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts8 ses=4 comm=cp exe=/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/04/22 17:40:53.561:421) : avc:  denied  { setattr } for  pid=28898 comm=cp name=null dev="dm-4" ino=1708779 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=1 
----
type=PROCTITLE msg=audit(04/04/22 17:41:09.261:422) : proctitle=rm -rf /var/tmp/mkinitramfs_Z1QJRk 
type=PATH msg=audit(04/04/22 17:41:09.261:422) : item=1 name=null inode=1708779 dev=fe:04 mode=character,666 ouid=root ogid=root rdev=01:03 obj=system_u:object_r:null_device_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(04/04/22 17:41:09.261:422) : item=0 name=/root inode=1708776 dev=fe:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(04/04/22 17:41:09.261:422) : cwd=/root 
type=SYSCALL msg=audit(04/04/22 17:41:09.261:422) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x6 a1=0x58c4181c9508 a2=0x0 a3=0x58c4181c6860 items=2 ppid=27498 pid=31132 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts8 ses=4 comm=rm exe=/bin/rm subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(04/04/22 17:41:09.261:422) : avc:  denied  { unlink } for  pid=31132 comm=rm name=null dev="dm-4" ino=1708779 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=1

/cc @selinux-team @bigon
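The access the process would need if the source context were kept can be read straight off the AVC records. The following is an added example, not part of the merge request: it groups the denials by source type, target type and object class. The sample lines are the AVC records quoted above plus one PROCTITLE record, embedded as constructed test input, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from the denials above plus one non-AVC record.
SAMPLE = """\
type=PROCTITLE msg=audit(04/04/22 17:40:53.561:420) : proctitle=cp -a /dev/null /var/tmp/mkinitramfs_Z1QJRk/etc/console-setup/null
type=AVC msg=audit(04/04/22 17:40:53.561:420) : avc:  denied  { associate } for  pid=28898 comm=cp name=null scontext=system_u:object_r:null_device_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
type=AVC msg=audit(04/04/22 17:40:53.561:420) : avc:  denied  { create } for  pid=28898 comm=cp name=null scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(04/04/22 17:40:53.561:421) : avc:  denied  { setattr } for  pid=28898 comm=cp name=null dev="dm-4" ino=1708779 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(04/04/22 17:41:09.261:422) : avc:  denied  { unlink } for  pid=31132 comm=rm name=null dev="dm-4" ino=1708779 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\([^)]*:(?P<serial>\d+)\) : avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC denial; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if m:
            rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
            rec["serial"] = int(m["serial"])      # audit event serial number
            rec["perms"] = m["perms"].split()     # permissions inside { ... }
            denials.append(rec)
    return denials


def selinux_type(context):
    """Type is the third field of user:role:type:level."""
    return context.split(":")[2]


def summarize(denials):
    """Group denied permissions by (source type, target type, class)."""
    out = defaultdict(set)
    for d in denials:
        key = (selinux_type(d["scontext"]), selinux_type(d["tcontext"]), d["tclass"])
        out[key].update(d["perms"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(parse_avc(SAMPLE)).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Every grouped entry involves `null_device_t`, the label carried over from `/dev/null`; in the `associate` denial that label is itself the source context, checked against the filesystem's `fs_t`.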
