[DSE-Dev] Bug#852539: dpkg: run maintainer scripts with SELinux user system_u

Guillem Jover guillem at debian.org
Wed Feb 8 04:37:20 UTC 2017


Hi!

On Wed, 2017-01-25 at 12:02:47 +0100, cgzones wrote:
> Package: dpkg
> Version: 1.18.18
> User: selinux-devel at lists.alioth.debian.org
> Usertags: selinux

> Currently, dpkg runs its maintainer tasks in the SELinux type
> dpkg_script_t without changing the SELinux user or role.
> So when running root as sysadm_u:sysadm_r:sysadm_t, the tasks will be
> run in unconfined_u:unconfined_r:dpkg_script_t.
> The problem is the postinst scripts: They create files and run binaries.
> Almost all the files created in this way do not have the correct file
> context system_u:object_r:*, which can break a ubac enabled system.
> e.g.:
> 
> Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0
> to system_u:object_r:usr_t:s0
> Would relabel /usr/share/info/dir from staff_u:object_r:usr_t:s0 to
> system_u:object_r:usr_t:s0
> Would relabel /var/cache/man/pt/index.db from
> unconfined_u:object_r:man_cache_t:s0 to
> system_u:object_r:man_cache_t:s0
> 
> Also, for example, the exim4 post install script does some work
> leading to run exim in system_mail_t, which is not allowed to run
> under the roles sysadm_r/unconfined_r.
> 
> type=PROCTITLE msg=audit(01/24/17 15:51:28.963:2602) :
> proctitle=/usr/sbin/exim4 -C /var/lib/exim4/config.autogenerated.tmp
> -bV
> type=SYSCALL msg=audit(01/24/17 15:51:28.963:2602) : arch=armeb
> syscall=socket per=PER_LINUX_32BIT success=yes exit=4 a0=local
> a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=22511 pid=22748
> auid=christian uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=pts1 ses=359 comm=exim4
> exe=/usr/sbin/exim4 subj=staff_u:sysadm_r:system_mail_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) :
> op=security_compute_sid
> invalid_context=staff_u:sysadm_r:system_mail_t:s0
> scontext=staff_u:sysadm_r:system_mail_t:s0
> tcontext=staff_u:sysadm_r:system_mail_t:s0 tclass=unix_stream_socket
> 
> This can cause issues when upgrading packages in enforced mode even as
> unconfined user.
> 
> The following dpkg patch runs the maintainer tasks in the context
> system_u:system_r:dpkg_script_t (may be altered inside the SELinux
> policy):

Thanks, but this patch feels all wrong to me. This is similar to what
RPM has been using supposedly w/o problems up to now. I also refactored
the function setexecfilecon() upstream so that both RPM and dpkg could
use it w/o having to duplicate the same code.

Why can't the SELinux policy be changed/corrected to fix the
aforementioned problem? Is that not possible?

Thanks,
Guillem
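The report above shows two symptoms of the same thing: files created by maintainer scripts that carry `staff_u` or `unconfined_u` instead of `system_u`, and an `exim4` process running under a `staff_u:sysadm_r` prefix that the policy will not allow for `system_mail_t`. The script below is an added example, not part of this thread, the dpkg patch, or any Debian tooling. It parses the two record shapes quoted in the report (`restorecon -n -v` "Would relabel" lines and audit `subj=` / `invalid_context=` fields), splits each context into its user/role/type/level parts, and lists entries whose user component is not the expected `system_u`. The sample lines are constructed to mirror the ones in the report, and the choice of `system_u` as the expected identity is an assumption taken from the report's own description.

```python
"""Flag SELinux contexts whose user component is not the expected system identity.

Added example (not from the bug report or from dpkg). It scans the kinds of
lines quoted in the report: `restorecon -n -v` "Would relabel" output and audit
records carrying subj=/invalid_context= fields. Sample input is constructed.
"""
import re
from typing import List, NamedTuple, Tuple


class Context(NamedTuple):
    user: str
    role: str
    setype: str
    level: str  # empty when the context has no MLS/MCS field


def parse_context(ctx: str) -> Context:
    """Split 'user:role:type[:level]'; the level may itself contain ':' (e.g. s0-s0:c0.c1023)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    level = parts[3] if len(parts) == 4 else ""
    return Context(parts[0], parts[1], parts[2], level)


# "Would relabel <path> from <current> to <wanted>" as printed by restorecon -n -v
RELABEL_RE = re.compile(r"Would relabel (\S+) from (\S+) to (\S+)")
# Process contexts in audit records: the subject of a SYSCALL record and the
# context the kernel rejected in a SELINUX_ERR record.
AUDIT_CTX_RE = re.compile(r"\b(subj|invalid_context)=(\S+)")


def find_wrong_user(lines, expected_user: str = "system_u") -> List[Tuple[str, str]]:
    """Return (where, context) pairs whose SELinux user is not expected_user.

    For relabel lines, only report entries where the policy's wanted context
    has the expected user, i.e. the file was created under the wrong identity
    rather than simply having the wrong type.
    """
    findings: List[Tuple[str, str]] = []
    for line in lines:
        m = RELABEL_RE.search(line)
        if m:
            path, current, wanted = m.groups()
            cur, want = parse_context(current), parse_context(wanted)
            if cur.user != expected_user and want.user == expected_user:
                findings.append((path, current))
            continue
        for key, ctx in AUDIT_CTX_RE.findall(line):
            if parse_context(ctx).user != expected_user:
                findings.append((f"audit:{key}", ctx))
    return findings


# Constructed sample mirroring the report: two wrongly-owned files, one file
# that only needs a type change, and the exim4 audit records.
SAMPLE = """\
Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0 to system_u:object_r:usr_t:s0
Would relabel /var/cache/man/pt/index.db from unconfined_u:object_r:man_cache_t:s0 to system_u:object_r:man_cache_t:s0
Would relabel /etc/example.conf from system_u:object_r:var_t:s0 to system_u:object_r:etc_t:s0
type=SYSCALL msg=audit(01/24/17 15:51:28.963:2602) : arch=armeb syscall=socket comm=exim4 exe=/usr/sbin/exim4 subj=staff_u:sysadm_r:system_mail_t:s0 key=(null)
type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) : op=security_compute_sid invalid_context=staff_u:sysadm_r:system_mail_t:s0 scontext=staff_u:sysadm_r:system_mail_t:s0 tcontext=staff_u:sysadm_r:system_mail_t:s0 tclass=unix_stream_socket
"""


if __name__ == "__main__":
    for where, ctx in find_wrong_user(SAMPLE.splitlines()):
        print(f"{where}: {ctx}")
```

On a real system the input would be `restorecon -n -v -R /` output and `ausearch -i` records; the filter on the wanted context keeps ordinary type drift (the `/etc/example.conf` line) out of the list so that only identity mismatches, the thing UBAC reacts to, are reported.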


