Re: is_selinux_enabled() after chroot()

[Petr Lautrbach <plautrba@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 3548 bytes --]

On Mon, Jun 18, 2018 at 04:06:11PM -0400, Stephen Smalley wrote:
> On 06/18/2018 03:24 PM, Petr Lautrbach wrote:
> > Hello,
> > 
> > libselinux sets selinut_mnt and has_selinux_config only in its constructor and
> > is_selinux_enabled() and others just use selinux_mnt to check if SELinux is
> > enabled. But it doesn't work correctly when you use chroot() to a directory without /proc
> > and /sys/fs/selinux mounted as it was discovered in
> > https://bugzilla.redhat.com/show_bug.cgi?id=1321375 
> > 
> > In this case, is_selinux_enabled() after chroot() returns true while in a new
> > program run from chrooted process it returns false. It can be demonstrated by
> > the steps below.
> > 
> > The solution could be to check if selinux_mnt still exists whenever a function
> > depending on this is called. Would this be acceptable?
> 
> You want to call stat() or access(F_OK) on selinux_mnt and/or SELINUXCONFIG in is_selinux_enabled()?

Yes. I was thinking about something like this:

@@ -16,7 +16,7 @@ int is_selinux_enabled(void)
 #ifdef ANDROID
 	return (selinux_mnt ? 1 : 0);
 #else
-	return (selinux_mnt && has_selinux_config);
+	return (selinux_mnt && (access(selinux_mnt, F_OK) == 0) && has_selinux_config);
 #endif
 }

But the problem seems to be more complex and it would probably be better to fix
it on a callers side - mount /sys/fs/selinux and /proc into chroots or do all
SELinux checks before chroot().

> Could potentially trigger a permission check that wasn't previously required, thereby breaking existing policies.
> Caller might just be checking to see if SELinux is enabled before using interfaces other than selinuxfs (e.g. setexeccon, setfilecon, etc) and therefore didn't previously need permissions to selinuxfs or /etc/selinux/config.
> So, possible but you'd need to make sure you don't break anything.  Definitely don't want that changed in Android.
> > 
> > 
> > 
> > 
> > $ sudo dnf --nogpg --installroot=/var/lib/machines/example  install systemd
> > 
> > $ cat > test_libselinux.c <<EOF
> > #include <selinux/selinux.h>
> > #include <stdio.h>
> > #include <sys/types.h>
> > #include <sys/wait.h>
> > #include <unistd.h>
> > 
> > int main(int argc, char *argv[]) {
> >   pid_t pid;
> >   int wstatus;
> > 
> >   if (argc > 1) {
> >     printf("SELinux in chrooted process: %d\n", is_selinux_enabled());
> >     return 0;
> >   }
> >   if (chroot("/var/lib/machines/example") != 0)
> >     return -1;
> > 
> >   printf("SELinux in process after chroot(): %d\n", is_selinux_enabled());
> >   printf("/sys/fs/selinux exists: %d\n", access("/sys/fs/selinux", F_OK));
> >   printf("/etc/selinux/config exists: %d\n\n", access("/etc/selinux/config", F_OK));
> > 
> >   if ((pid = fork()) == 0 ) {
> >     execv("./test_is_selinux_enabled", (char *[]){ "./test_is_selinux_enabled", "chrooted", NULL});
> >   }
> > 
> >   wait(&wstatus);
> >   return 0;
> > }
> > EOF
> > 
> > $ gcc -o test_is_selinux_enabled test_libselinux.c -lselinux
> > 
> > $ sudo ./test_is_selinux_enabled                            
> > SELinux in process after chroot(): 1
> > /sys/fs/selinux exists: -1
> > /etc/selinux/config exists: -1
> > 
> > SELinux in chrooted process: 0
> > 
> > 
> > 
> > _______________________________________________
> > Selinux mailing list
> > Selinux@tycho.nsa.gov
> > To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> > To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> > 
> 

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]