PGP: Set a default creation SELinux labels on GnuPG directories #1634
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Just a clarification: This pull request has not corresponding code in dnf-4-master branch because the GPGME backend was removed in commit 1649796. |
|
The tests fail because they are run in Fedora 38 instead of RHEL-9.4. |
ppisar
force-pushed
the
rhel-9.4-getfscreatecon
branch
from
504aa7b
to
8ff2c46
Compare
|
I rebased the commit to the latest rhel-9.4 branch. |
ppisar
force-pushed
the
rhel-9.4-getfscreatecon
branch
from
8ff2c46
to
e3a939d
Compare
|
I incorporated changed requested in rhel-8.10 pull request #1632. |
libdnf used to precreate the directory in /run/user to make sure a GnuPG agent executed by GPGME library places its socket there. The directories there are normally created and removed by systemd (logind PAM session). libdnf created them for a case when a package manager is invoked out of systemd session, before the super user logs in. E.g. by a timer job to cache repository metadata. A problem was when this out-of-session process was a SELinux-confined process creating files with its own SELinux label different from a DNF program. Then the directory was created with a SELinux label different from the one expected by systemd and when logging out a corresponding user, the mismatching label clashed with systemd. The same issue was with temporary GnuPG home directories created by libdnf under /tmp. This patch fixes both the isseus by restoring a SELinux label of those directories to the label defined in a default SELinux file context database. Obviously the database cannot have a record for a nonspecific /tmp/tmpdir.XXXXXX (a mkdtemp() template) directory names. Therefore I changed their names to more specific /tmp/libdnf.XXXXXX. Once a SELinux policy updates the database, directories under /tmp will get a correct label. There is yet another problem with accessing /var/cache/dnf/*/pubring, but that seems to be pure SELinux policy problem. This patch adds a new -DENABLE_SELINUX=OFF CMake option to disable the new dependency on libselinux. A default behavior is to support SELinux. Implementation details: I used selabel_lookup() + setfscreatecon() + mkdtemp() + setfscreatecon() sequence instead of mkdtemp() + selinux_restorecon() sequence because the later polutes stderr if a SELinux policy does not define the default context. One could supress stderr messages with selinux_set_callback(), but its effect cannot be restored. I also kept the sequence in one function and reused it for creating /run/user/$PID directories because the code is simpler than spliting the function into three parts. https://issues.redhat.com/browse/RHEL-6421
ppisar
force-pushed
the
rhel-9.4-getfscreatecon
branch
from
e3a939d
to
65acf31
Compare
jan-kolarik
approved these changes
Oct 31, 2023
jan-kolarik
merged commit 7529d06
into
rpm-software-management:rhel-9.4
1 of 3 checks passed
This code path doesn't affect only gpg though, it also affects the cache temporary directories! I was really confused when debugging this because I was looking at what was in git main on |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
libdnf used to precreate the directory in /run/user to make sure a GnuPG agent executed by GPGME library places its socket there.
The directories there are normally created and removed by systemd (logind PAM session). libdnf created them for a case when a package manager is invoked out of systemd session, before the super user logs in. E.g. by a timer job to cache repository metadata.
A problem was when this out-of-session process was a SELinux-confined process creating files with its own SELinux label different from a DNF program. Then the directory was created with a SELinux label different from the one expected by systemd and when logging out a corresponding user, the mismatching label clashed with systemd.
The same issue was with temporary GnuPG home directories created by libdnf under /tmp.
This patch fixes both the isseus by restoring a SELinux label of those directories to the label defined in a default SELinux file context database.
Obviously the database cannot have a record for a nonspecific /tmp/tmpdir.XXXXXX (a mkdtemp() template) directory names. Therefore I changed their names to more specific /tmp/libdnf.XXXXXX. Once a SELinux policy updates the database, directories under /tmp will get a correct label.
There is yet another problem with accessing /var/cache/dnf/*/pubring, but that seems to be pure SELinux policy problem.
This patch adds a new -DENABLE_SELINUX=OFF CMake option to disable the new dependency on libselinux. A default behavior is to support SELinux.
Implementation details:
I used selabel_lookup() + setfscreatecon() + mkdtemp()
I also kept the sequence in one function and reused it for creating /run/user/$PID directories because the code is simpler than spliting the function into three parts.
https://issues.redhat.com/browse/RHEL-6421