On Wed, 8 Feb 2017 05:37:20 +0100 Guillem Jover <guil...@debian.org> wrote:
> Hi!
>
> On Wed, 2017-01-25 at 12:02:47 +0100, cgzones wrote:
> > Package: dpkg
> > Version: 1.18.18
> > User: selinux-de...@lists.alioth.debian.org
> > Usertags: selinux
>
> > Currently, dpkg runs its maintainer tasks in the SELinux type
> > dpkg_script_t without changing the SELinux user or role.
> > So when running root as sysadm_u:sysadm_r:sysadm_t, the tasks will be
> > run in unconfined_u:unconfined_r:dpkg_script_t.
> > The problem is the postinst scripts: they create files and run binaries.
> > Almost all the files created in this way do not have the correct file
> > context system_u:object_r:*, which can break a ubac enabled system.
> > e.g.:
> >
> > Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0
> > to system_u:object_r:usr_t:s0
> > Would relabel /usr/share/info/dir from staff_u:object_r:usr_t:s0 to
> > system_u:object_r:usr_t:s0
> > Would relabel /var/cache/man/pt/index.db from
> > unconfined_u:object_r:man_cache_t:s0 to
> > system_u:object_r:man_cache_t:s0
> >
> > Also, for example, the exim4 post install script does some work
> > leading to run exim in system_mail_t, which is not allowed to run
> > under the roles sysadm_r/unconfined_r.
> >
> > type=PROCTITLE msg=audit(01/24/17 15:51:28.963:2602) :
> > proctitle=/usr/sbin/exim4 -C /var/lib/exim4/config.autogenerated.tmp
> > -bV
> > type=SYSCALL msg=audit(01/24/17 15:51:28.963:2602) : arch=armeb
> > syscall=socket per=PER_LINUX_32BIT success=yes exit=4 a0=local
> > a1=SOCK_STREAM a2=ip a3=0x0 items=0 ppid=22511 pid=22748
> > auid=christian uid=root gid=root euid=root suid=root fsuid=root
> > egid=root sgid=root fsgid=root tty=pts1 ses=359 comm=exim4
> > exe=/usr/sbin/exim4 subj=staff_u:sysadm_r:system_mail_t:s0 key=(null)
> > type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) :
> > op=security_compute_sid
> > invalid_context=staff_u:sysadm_r:system_mail_t:s0
> > scontext=staff_u:sysadm_r:system_mail_t:s0
> > tcontext=staff_u:sysadm_r:system_mail_t:s0 tclass=unix_stream_socket
> >
> > This can cause issues when upgrading packages in enforced mode even as
> > unconfined user.
> >
> > The following dpkg patch runs the maintainer tasks in the context
> > system_u:system_r:dpkg_script_t (may be altered inside the SELinux
> > policy):
>
> Thanks, but this patch feels all wrong to me. This is similar to what
> RPM has been using supposedly w/o problems up to now. I also refactored
> the function setexecfilecon() upstream so that both RPM and dpkg could
> use it w/o having to duplicate the same code.
>
> Why can't the SELinux policy be changed/corrected to fix the
> aforementioned problem? Is that not possible?
>

FTR: https://marc.info/?l=selinux&m=148536819617953&w=2
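
An added example, not part of the original thread: a small Python triage script for the two symptoms in the report, the `Would relabel` dry-run lines and the `SELINUX_ERR` record. It lists files whose SELinux user alone differs from the expected one and counts the contexts the kernel rejected. The function names are assumptions, and the sample input is copied from the report quoted above, mail line wrapping included.

```python
import re
from collections import Counter

# Sample input: the dry-run relabel lines and the SELINUX_ERR record quoted in
# the report above, kept with the line wrapping the mail client introduced.
SAMPLE = """\
Would relabel /usr/share/info/dir.old from staff_u:object_r:usr_t:s0
to system_u:object_r:usr_t:s0
Would relabel /usr/share/info/dir from staff_u:object_r:usr_t:s0 to
system_u:object_r:usr_t:s0
Would relabel /var/cache/man/pt/index.db from
unconfined_u:object_r:man_cache_t:s0 to
system_u:object_r:man_cache_t:s0
type=SELINUX_ERR msg=audit(01/24/17 15:51:28.963:2602) :
op=security_compute_sid
invalid_context=staff_u:sysadm_r:system_mail_t:s0
"""

RELABEL = re.compile(r"Would relabel (\S+) from (\S+) to (\S+)")
INVALID = re.compile(r"invalid_context=(\S+)")


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "range": rest[0] if rest else ""}


def user_mismatches(text):
    """Return (path, current_user, expected_user) for files where only the
    SELinux user is wrong, i.e. role and type already match the policy."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    found = []
    for path, current, expected in RELABEL.findall(flat):
        cur, exp = split_context(current), split_context(expected)
        same_rest = (cur["role"], cur["type"]) == (exp["role"], exp["type"])
        if cur["user"] != exp["user"] and same_rest:
            found.append((path, cur["user"], exp["user"]))
    return found


def invalid_contexts(text):
    """Count each context reported as invalid_context in audit records."""
    return Counter(INVALID.findall(" ".join(text.split())))


if __name__ == "__main__":
    for path, cur, exp in user_mismatches(SAMPLE):
        print(f"{path}: user {cur}, expected {exp}")
    print(dict(invalid_contexts(SAMPLE)))
```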
