containers / udica

This repository contains a tool for generating SELinux security profiles for containers
GNU General Public License v3.0

Cannot remove policies installed by previous version #104

Closed laolux closed 2 years ago

laolux commented 3 years ago

Describe the bug
I have installed some SELinux policies created with udica v0.2.5 which I cannot remove anymore after upgrading to udica v0.2.6. container-selinux also got updated to the corresponding versions.

To Reproduce
Steps to reproduce the behavior:

  1. create and install a custom policy using udica v0.2.5
  2. upgrade udica to v0.2.6 and container-selinux to 2.170.0
  3. try to remove the custom policy

Expected behavior
Policy gets removed.

Additional context
Output when running semodule -r my-mosquitto-server after upgrading to udica v0.2.6:

libsemanage.semanage_direct_remove_key: Removing last my-mosquitto-server module (no other my-mosquitto-server module exists at another priority).
Re-declaration of type process
Previous declaration of type at /var/lib/selinux/targeted/tmp/modules/602/base_container/cil:2
Failed to copy block to blockinherit at /var/lib/selinux/targeted/tmp/modules/602/my-postgres-server/cil:3
Failed to copy block contents into blockinherit
Failed to resolve AST
semodule:  Failed!

Result: the module is still there and I cannot remove it.

vmojzis commented 3 years ago

This is probably caused by a change in the SELinux userspace tools. They no longer recognise the way udica policies were built (before udica v0.2.5) as valid. Udica templates were updated in udica v0.2.5 and then moved to the container-selinux package. I suspect that your system contains a combination of policy templates from before and after the update (installed using semodule -i). "Failed to copy block to blockinherit at /var/lib/selinux/targeted/tmp/modules/602/my-postgres-server/cil:3" shows that the problem is in a block inherited on line 3 of the my-postgres-server module.

If you could share the line in question I could point you to the template that is not updated (semodule -E my-postgres-server), but you can brute-force reinstall all templates: semodule -v -i /usr/share/udica/templates/*

laolux commented 2 years ago

Hi, sorry for taking so long to respond. I have decided to try a restore from backup to an updated OS. Works surprisingly well. So all my problems are solved now.

However, I have recovered the file /var/lib/selinux/targeted/tmp/modules/602/my-postgres-server/cil:3:

(block my-postgres-server
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process postgresql_port_t ( tcp_socket (  name_bind )))
    (allow process user_home_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
    (allow process user_home_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
    (allow process user_home_t ( sock_file ( append getattr open read write )))
    (allow process container_file_t ( dir ( write add_name remove_name )))
    (allow process container_file_t ( file ( create read unlink write)))
)

So I guess the problem was the restricted_net_container.

The method to brute-force reinstalling all templates is nice, will try that in the future if issues arise again.

vmojzis commented 2 years ago

> Hi, sorry for taking so long to respond. I have decided to try a restore from backup to an updated OS. Works surprisingly well. So all my problems are solved now.
>
> However, I have recovered the file /var/lib/selinux/targeted/tmp/modules/602/my-postgres-server/cil:3:
>
> (block my-postgres-server
>     (blockinherit container)
>     (blockinherit restricted_net_container)
>     (allow process postgresql_port_t ( tcp_socket (  name_bind )))
>     (allow process user_home_t ( dir ( add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
>     (allow process user_home_t ( file ( append create getattr ioctl lock map open read rename setattr unlink write )))
>     (allow process user_home_t ( sock_file ( append getattr open read write )))
>     (allow process container_file_t ( dir ( write add_name remove_name )))
>     (allow process container_file_t ( file ( create read unlink write)))
> )
>
> So I guess the problem was the restricted_net_container.

Yes, my guess is that you installed an old version of net_container.cil (the module containing restricted_net_container block) together with "my-postgres-server". Later, after updating udica, you installed "my-mosquitto-server" and replaced most udica template modules with the new versions. But since "my-mosquitto-server" didn't use any block from "net_container", the module ("net_container") wasn't replaced and your system was left with the old version. So reinstalling "net_container" would probably be enough in your case (semodule -i /usr/share/udica/templates/net_container.cil).

> The method to brute-force reinstalling all templates is nice, will try that in the future if issues arise again.
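The diagnosis worked out in this thread (the "cil:3" location in the semodule error points at "(blockinherit restricted_net_container)", and net_container.cil is the template that defines that block) can be scripted so the stale template is identified before anything is reinstalled. The following is an added example, not udica's or container-selinux's code. It assumes heavily simplified template files constructed inline (only the block names match the real udica templates; the rules inside are illustrative), uses the template directory named in the thread, and only returns the semodule commands as strings rather than running them.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Directory where container-selinux/udica ship the template modules (named in the issue).
TEMPLATE_DIR = "/usr/share/udica/templates"

# Constructed, heavily simplified stand-ins for a few udica templates.
# Only the block names match the real files; the rules inside are illustrative.
TEMPLATES: Dict[str, str] = {
    "base_container.cil": """\
(block container
    (type process)
    (roletype system_r process)
    (typeattributeset container_domain (process))
)
""",
    "net_container.cil": """\
(block net_container
    (blockinherit container)
    (allow process self (tcp_socket (create connect)))
)
(block restricted_net_container
    (blockinherit container)
    (allow process self (tcp_socket (create)))
)
""",
    "home_container.cil": """\
(block home_container
    (blockinherit container)
    (allow process user_home_t (dir (read search)))
)
""",
}

# The custom policy recovered in the issue, trimmed to the lines that matter.
# Line 3 is the one the semodule error ("cil:3") complained about.
CUSTOM_POLICY = """\
(block my-postgres-server
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process postgresql_port_t ( tcp_socket (  name_bind )))
)
"""

BLOCK_RE = re.compile(r"\(block\s+([A-Za-z0-9_.-]+)")
INHERIT_RE = re.compile(r"\(blockinherit\s+([A-Za-z0-9_.-]+)\s*\)")


def defined_blocks(cil_text: str) -> Set[str]:
    """Names of all (block ...) definitions in one CIL file."""
    return set(BLOCK_RE.findall(cil_text))


def index_templates(templates: Dict[str, str]) -> Dict[str, str]:
    """Map every block name to the template file that defines it."""
    index: Dict[str, str] = {}
    for fname, text in templates.items():
        for name in defined_blocks(text):
            index[name] = fname
    return index


def inherited_blocks(cil_text: str) -> List[Tuple[int, str]]:
    """(line number, block name) for every blockinherit in a policy,
    numbered 1-based to match the 'cil:N' location in the semodule error."""
    found: List[Tuple[int, str]] = []
    for lineno, line in enumerate(cil_text.splitlines(), start=1):
        for name in INHERIT_RE.findall(line):
            found.append((lineno, name))
    return found


def templates_for_policy(policy: str, templates: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Every block the policy inherits -> template file that must be installed
    (None when no known template defines that block)."""
    index = index_templates(templates)
    return {name: index.get(name) for _, name in inherited_blocks(policy)}


def template_for_error_line(policy: str, templates: Dict[str, str], lineno: int) -> Optional[str]:
    """Resolve the 'cil:N' line from the semodule error to the template to reinstall."""
    index = index_templates(templates)
    for line, name in inherited_blocks(policy):
        if line == lineno:
            return index.get(name)
    return None


def reinstall_commands(policy: str, templates: Dict[str, str],
                       template_dir: str = TEMPLATE_DIR) -> List[str]:
    """semodule -i lines for every template the policy depends on, plus a marker
    for any inherited block that no shipped template defines."""
    needed = templates_for_policy(policy, templates)
    cmds = sorted(f"semodule -i {template_dir}/{f}" for f in set(needed.values()) if f)
    for name, f in sorted(needed.items()):
        if f is None:
            cmds.append(f"# no template defines block '{name}'; check the policy")
    return cmds


if __name__ == "__main__":
    print("template behind cil:3 ->", template_for_error_line(CUSTOM_POLICY, TEMPLATES, 3))
    for cmd in reinstall_commands(CUSTOM_POLICY, TEMPLATES):
        print(cmd)
```

On a real host, replace TEMPLATES with the contents of the .cil files under /usr/share/udica/templates and CUSTOM_POLICY with the policy file udica generated; the output then lists only the templates that policy actually depends on, which is the targeted alternative to reinstalling every template. Note that semodule rebuilds the whole policy store on every install or removal, so a single stale template breaks every operation, which is why removing my-mosquitto-server failed on a line inside my-postgres-server.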