SELinuxProject / selinux

This is the upstream repository for the Security Enhanced Linux (SELinux) userland libraries and tools. The software provided by this project complements the SELinux features integrated into the Linux kernel and is used by Linux distributions. All bugs and patches should be submitted to selinux@vger.kernel.org.

semanage_get_lock fails on NFSv4 filesystems #389

Open cryptoknight opened 1 year ago

cryptoknight commented 1 year ago

The semanage_get_lock function in libsemanage attempts to acquire exclusive file locks with flock on read-only file descriptors. On labeled NFSv4 root filesystems, this leads to errors like:

# mount -t nfs4
192.168.122.166:/prov on / type nfs4 (rw,relatime,seclabel,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.19,local_lock=none,addr=192.168.122.166)
# ll /var/lib/selinux/targeted/
total 4
drwx------. 3 root root 4096 Apr 27 18:15 active
-rw-------. 1 root root    0 Apr  4 05:31 semanage.read.LOCK
-rw-------. 1 root root    0 Apr  4 05:31 semanage.trans.LOCK
# semodule -l
libsemanage.semanage_get_lock: Error obtaining direct read lock at /var/lib/selinux/targeted/semanage.read.LOCK. (Bad file descriptor).

(RHEL 8 userspace, 5.10 LTS-based kernel)

Based on available documentation, it appears that lock files must be opened read-write to successfully acquire exclusive locks on NFSv4 (which does not support the local_lock option) with modern kernels. This would change line 1893 of semanage_store.c from

if ((fd = open(lock_file, O_RDONLY)) == -1)

to

if ((fd = open(lock_file, O_RDWR)) == -1)
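The failure mode described above can be reproduced without an NFS mount. The Linux NFS client implements flock() on NFSv4 mounts with byte-range locks, and a POSIX write lock (fcntl F_SETLK with F_WRLCK) is rejected with EBADF when the descriptor was not opened for writing. The following program is an added example, not libsemanage code: it creates an empty lock file in /tmp (a constructed stand-in for semanage.read.LOCK), then tries an exclusive lock on it opened O_RDONLY and O_RDWR, once with plain flock() and once with the fcntl byte-range lock that the NFS path reduces to. The helper names, the temp path, and the use of fcntl as a local proxy for the NFSv4 behaviour are assumptions of this example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* for mkstemp() and flock() declarations */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Try to take an exclusive lock on `path` opened with `open_flags`.
 * use_fcntl == 0: plain flock(LOCK_EX), which succeeds on a read-only fd on
 *                 local filesystems.
 * use_fcntl != 0: POSIX byte-range write lock via fcntl(F_SETLK, F_WRLCK),
 *                 the primitive the NFS client maps flock() onto; it requires
 *                 a descriptor opened for writing and fails with EBADF otherwise.
 * Returns 0 on success, or the errno of the failing call. */
static int try_exclusive_lock(const char *path, int open_flags, int use_fcntl)
{
    int fd = open(path, open_flags);
    if (fd == -1)
        return errno;

    int rc;
    if (use_fcntl) {
        struct flock fl;
        memset(&fl, 0, sizeof fl);
        fl.l_type = F_WRLCK;    /* exclusive (write) lock ...            */
        fl.l_whence = SEEK_SET;
        fl.l_start = 0;
        fl.l_len = 0;           /* ... covering the whole file           */
        rc = fcntl(fd, F_SETLK, &fl);
    } else {
        rc = flock(fd, LOCK_EX | LOCK_NB);
    }
    int saved = (rc == -1) ? errno : 0;
    close(fd);                  /* closing the descriptor drops the lock */
    return saved;
}

/* Create a zero-length lock file (like semanage.read.LOCK) under /tmp.
 * Writes the generated path into `buf`; returns 0 on success, -1 on error. */
static int make_lock_file(char *buf, size_t len)
{
    const char tmpl[] = "/tmp/semanage-lock-demo-XXXXXX";  /* constructed path */
    if (len < sizeof tmpl)
        return -1;
    memcpy(buf, tmpl, sizeof tmpl);
    int fd = mkstemp(buf);
    if (fd == -1)
        return -1;
    close(fd);
    return 0;
}

int main(void)
{
    char path[64];
    if (make_lock_file(path, sizeof path) != 0) {
        perror("mkstemp");
        return 1;
    }
    const struct { const char *name; int flags; } modes[] = {
        { "O_RDONLY", O_RDONLY },   /* what semanage_store.c currently uses */
        { "O_RDWR",   O_RDWR   },   /* the proposed change                  */
    };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        int e_flock = try_exclusive_lock(path, modes[i].flags, 0);
        int e_fcntl = try_exclusive_lock(path, modes[i].flags, 1);
        printf("%-8s flock(LOCK_EX): %s; fcntl(F_WRLCK): %s\n", modes[i].name,
               e_flock ? strerror(e_flock) : "ok",
               e_fcntl ? strerror(e_fcntl) : "ok");
    }
    unlink(path);
    return 0;
}
```

On a local filesystem the O_RDONLY row shows flock succeeding while the fcntl write lock fails with "Bad file descriptor", which is the same errno the semodule output above reports; the O_RDWR row succeeds in both columns. Because the two LOCK files are mode 0600 and owned by root, opening them O_RDWR does not widen who can reach them; it only changes the access mode the lock request is checked against.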
fsimula commented 3 months ago

I was bitten by this very same problem just now; is there any update?