Do not copy security attribute in initramfs hook
When copying files into the temporary working directory, do not copy the security context of the source; instead, let the target path receive its default context. Otherwise, e.g. when using SELinux, the copied context might not be allowed on the destination filesystem, and the process would need elevated access to create, modify and remove objects labeled with the original context.
Example SELinux denials:
type=PROCTITLE msg=audit(04/04/22 17:53:15.335:423) : proctitle=cp -a /etc/lvm/ /var/tmp/mkinitramfs_tIDEJG/etc/lvm/
type=PATH msg=audit(04/04/22 17:53:15.335:423) : item=4 name=(null) inode=1708780 dev=fe:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:15.335:423) : item=3 name=(null) inode=1708624 dev=fe:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:15.335:423) : item=2 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:15.335:423) : item=1 name=(null) inode=1708624 dev=fe:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:15.335:423) : item=0 name=/var/tmp/mkinitramfs_tIDEJG/etc/ inode=1708624 dev=fe:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/04/22 17:53:15.335:423) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(04/04/22 17:53:15.335:423) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x7ffc0089273a a1=0700 a2=0xdfa81 a3=0xfffffffffffff5ce items=5 ppid=33373 pid=33374 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 ses=4 comm=cp exe=/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/04/22 17:53:15.335:423) : avc: denied { create } for pid=33374 comm=cp name=lvm scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(04/04/22 17:53:15.335:424) : proctitle=cp -a /etc/lvm/ /var/tmp/mkinitramfs_tIDEJG/etc/lvm/
type=PATH msg=audit(04/04/22 17:53:15.335:424) : item=1 name=/var/tmp/mkinitramfs_tIDEJG/etc/lvm/backup inode=1708783 dev=fe:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:15.335:424) : item=0 name=/var/tmp/mkinitramfs_tIDEJG/etc/lvm/ inode=1708780 dev=fe:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/04/22 17:53:15.335:424) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(04/04/22 17:53:15.335:424) : arch=x86_64 syscall=mkdir success=yes exit=0 a0=0x5f64b4207e30 a1=0700 a2=0xdfa85 a3=0x5f64b420fe60 items=2 ppid=33373 pid=33374 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 ses=4 comm=cp exe=/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/04/22 17:53:15.335:424) : avc: denied { add_name } for pid=33374 comm=cp name=backup scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=dir permissive=1
type=AVC msg=audit(04/04/22 17:53:15.335:424) : avc: denied { write } for pid=33374 comm=cp name=lvm dev="dm-4" ino=1708780 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(04/04/22 17:53:15.335:425) : proctitle=cp -a /etc/lvm/ /var/tmp/mkinitramfs_tIDEJG/etc/lvm/
type=PATH msg=audit(04/04/22 17:53:15.335:425) : item=1 name=/var/tmp/mkinitramfs_tIDEJG/etc/lvm/backup/dlaptop-vg inode=1708784 dev=fe:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:15.335:425) : item=0 name=/var/tmp/mkinitramfs_tIDEJG/etc/lvm/backup/ inode=1708783 dev=fe:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/04/22 17:53:15.335:425) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(04/04/22 17:53:15.335:425) : arch=x86_64 syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x5f64b4207fb0 a2=O_WRONLY|O_CREAT|O_EXCL a3=0x180 items=2 ppid=33373 pid=33374 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 ses=4 comm=cp exe=/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/04/22 17:53:15.335:425) : avc: denied { write } for pid=33374 comm=cp path=/var/tmp/mkinitramfs_tIDEJG/etc/lvm/backup/dlaptop-vg dev="dm-4" ino=1708784 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/04/22 17:53:15.335:425) : avc: denied { create } for pid=33374 comm=cp name=dlaptop-vg scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(04/04/22 17:53:15.335:426) : proctitle=cp -a /etc/lvm/ /var/tmp/mkinitramfs_tIDEJG/etc/lvm/
type=SYSCALL msg=audit(04/04/22 17:53:15.335:426) : arch=x86_64 syscall=utimensat success=yes exit=0 a0=0x4 a1=0x0 a2=0x7ffc00891290 a3=0x0 items=0 ppid=33373 pid=33374 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 ses=4 comm=cp exe=/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/04/22 17:53:15.335:426) : avc: denied { setattr } for pid=33374 comm=cp name=dlaptop-vg dev="dm-4" ino=1708784 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(04/04/22 17:53:15.335:427) : proctitle=cp -a /etc/lvm/ /var/tmp/mkinitramfs_tIDEJG/etc/lvm/
type=PATH msg=audit(04/04/22 17:53:15.335:427) : item=0 name=/var/tmp/mkinitramfs_tIDEJG/etc/lvm/backup inode=1708783 dev=fe:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/04/22 17:53:15.335:427) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(04/04/22 17:53:15.335:427) : arch=x86_64 syscall=utimensat success=yes exit=0 a0=AT_FDCWD a1=0x5f64b4207e30 a2=0x7ffc00891690 a3=0x0 items=1 ppid=33373 pid=33374 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 ses=4 comm=cp exe=/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/04/22 17:53:15.335:427) : avc: denied { setattr } for pid=33374 comm=cp name=backup dev="dm-4" ino=1708783 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(04/04/22 17:53:31.187:428) : proctitle=rm -rf /var/tmp/mkinitramfs_tIDEJG
type=PATH msg=audit(04/04/22 17:53:31.187:428) : item=1 name=dlaptop-vg inode=1708784 dev=fe:04 mode=file,600 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:31.187:428) : item=0 name=/root/workspace/selinux/selinux-policy-debian inode=1708783 dev=fe:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/04/22 17:53:31.187:428) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(04/04/22 17:53:31.187:428) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x7 a1=0x5f5f2cd65258 a2=0x0 a3=0x5f5f2cd63860 items=2 ppid=31913 pid=35541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 ses=4 comm=rm exe=/bin/rm subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/04/22 17:53:31.187:428) : avc: denied { unlink } for pid=35541 comm=rm name=dlaptop-vg dev="dm-4" ino=1708784 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/04/22 17:53:31.187:428) : avc: denied { remove_name } for pid=35541 comm=rm name=dlaptop-vg dev="dm-4" ino=1708784 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=dir permissive=1
----
type=PROCTITLE msg=audit(04/04/22 17:53:31.187:429) : proctitle=rm -rf /var/tmp/mkinitramfs_tIDEJG
type=PATH msg=audit(04/04/22 17:53:31.187:429) : item=1 name=backup inode=1708783 dev=fe:04 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(04/04/22 17:53:31.187:429) : item=0 name=/root/workspace/selinux/selinux-policy-debian inode=1708780 dev=fe:04 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lvm_conf_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/04/22 17:53:31.187:429) : cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(04/04/22 17:53:31.187:429) : arch=x86_64 syscall=unlinkat success=yes exit=0 a0=0x6 a1=0x5f5f2cd66048 a2=0x200 a3=0x5f5f2cd63860 items=2 ppid=31913 pid=35541 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 ses=4 comm=rm exe=/bin/rm subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(04/04/22 17:53:31.187:429) : avc: denied { rmdir } for pid=35541 comm=rm name=backup dev="dm-4" ino=1708783 scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lvm_conf_t:s0 tclass=dir permissive=1
/cc @selinux-team @bigon