openSUSE / transactional-update

Atomic updates for Linux operating systems

[SELinux] FileContexts which are set in /var during the pkg installation are not synced #84

Closed qby-wenzel closed 2 years ago

qby-wenzel commented 2 years ago

Description: After the installation of new packages (which are covered by the SELinux policy) in MicroOS, the package-specific SELinux file context is not synced for all files. Directories or files in the /var partition are only created, but they lack their correct context.

If you do these steps manually (tu shell), the RPM plugin rpm-plugin-selinux does its job as expected and will manage/set these contexts in the currently mounted snapshot/env. After closing the snapshot and booting into it, the context is lost in the booted system but still present in the snapshot.

I guess as there is no default snapper config for the VAR partition, t-u could/should jump in again as in the /etc overlay case? Not sure what's the best solution here.

System Info: freshly installed openSUSE MicroOS, kind of just click next-next-next in the Installer

# grep -E "(VERSION_ID|PRETTY)" /etc/os-release
VERSION_ID="20220618"
PRETTY_NAME="openSUSE MicroOS"
# rpm -qa | grep -E "(snapper|transactional|tukit)"
grub2-snapper-plugin-2.06-25.2.noarch
libsnapper6-0.10.2-2.1.x86_64
snapper-0.10.2-2.1.x86_64
libtukit4-4.0.0~rc4-1.2.x86_64
tukit-4.0.0~rc4-1.2.x86_64
dracut-transactional-update-4.0.0~rc4-1.2.noarch
transactional-update-4.0.0~rc4-1.2.x86_64
transactional-update-zypp-config-4.0.0~rc4-1.2.noarch

Reproduce Steps:

snapshot-fc-bug:~ # ls -laZ /var/lib/nginx/
total 0
drwxr-x---. 1 nginx nginx system_u:object_r:var_lib_t:s0  48 Jun 20 07:00 .
drwxr-xr-x. 1 root  root  system_u:object_r:var_lib_t:s0 298 Jun 20 07:00 ..
drwxr-x---. 1 nginx nginx system_u:object_r:var_lib_t:s0   0 Jun 15 07:43 fastcgi
drwxr-x---. 1 nginx nginx system_u:object_r:var_lib_t:s0   0 Jun 15 07:43 proxy
drwxr-x---. 1 nginx nginx system_u:object_r:var_lib_t:s0   0 Jun 15 07:43 scgi
drwxr-x---. 1 nginx nginx system_u:object_r:var_lib_t:s0   0 Jun 15 07:43 tmp
drwxr-x---. 1 nginx nginx system_u:object_r:var_lib_t:s0   0 Jun 15 07:43 uwsgi
snapshot-fc-bug:~ # ls -laZ /.snapshots/2/snapshot/var/lib/nginx/
total 0
drwxr-x---. 1 nginx nginx system_u:object_r:httpd_var_lib_t:s0 48 Jun 15 07:43 .
drwxr-xr-x. 1 root  root  unconfined_u:object_r:unlabeled_t:s0 16 Jun 20 06:59 ..
drwxr-x---. 1 nginx nginx system_u:object_r:httpd_var_lib_t:s0  0 Jun 15 07:43 fastcgi
drwxr-x---. 1 nginx nginx system_u:object_r:httpd_var_lib_t:s0  0 Jun 15 07:43 proxy
drwxr-x---. 1 nginx nginx system_u:object_r:httpd_var_lib_t:s0  0 Jun 15 07:43 scgi
drwxr-x---. 1 nginx nginx system_u:object_r:httpd_var_lib_t:s0  0 Jun 15 07:43 tmp
drwxr-x---. 1 nginx nginx system_u:object_r:httpd_var_lib_t:s0  0 Jun 15 07:43 uwsgi
snapshot-fc-bug:~ # mount | grep -E "( / | /var)"
/dev/sda2 on / type btrfs (ro,relatime,seclabel,ssd,space_cache=v2,subvolid=268,subvol=/@/.snapshots/3/snapshot)
/dev/sda3 on /var type btrfs (rw,relatime,seclabel,ssd,space_cache=v2,subvolid=5,subvol=/)

In addition to that, the contexts of the directory (/var/lib) on the ROOT partition are correctly set, but are shadowed by the VAR partition.

Full install/check log: snapshot-fc-bug.txt

laenion commented 2 years ago

Indeed, that is an oversight. I'll check the available options, but the attributes will have to be transferred or created during early boot when create-dirs-from-rpmdb.service is running.

qby-wenzel commented 2 years ago

@laenion I added the context function to the tool but did not create a PR yet. Not sure if a best-effort approach for setting file contexts is appropriate here. Maybe deleting the directory is better, because SELinux might deny the access anyway (-> wrong context)...