selinux.vger.kernel.org archive mirror
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] libsemanage: set selinux policy root to match semanage root or storename
Date: Thu, 8 Nov 2018 09:20:55 -0500
Message-ID: <a29de7d8-7efb-f8ce-1c29-01dd4c43bb73@tycho.nsa.gov>
In-Reply-To: <CAJfZ7=kYppH2JjSkpcgX1FXnaRtHB7c561hkgRZ0XOym_T7_Ww@mail.gmail.com>

On 11/7/18 3:45 PM, Nicolas Iooss wrote:
> On Tue, Nov 6, 2018 at 8:18 PM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>
>> As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B
>> tries to use /etc/selinux/targeted/booleans.subs_dist.  This is because
>> it invokes the libselinux selinux_boolean_sub() interface, which uses
>> the active/installed policy files rather than the libsemanage ones.
>>
>> To fix, we need to set the selinux policy root when either the semanage
>> root or the semanage storename is set.  When setting the semanage root,
>> we need to prepend the semanage root to the selinux policy root.  When
>> setting the semanage storename, we need to replace the last component
>> of the selinux policy root with the new storename.
>>
>> Test:
>> strace semodule -p ~/policy-root -s minimum -n -B
>>
>> Before:
>> openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5
>>
>> After:
>> openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5
>>
>> Fixes https://github.com/SELinuxProject/selinux/issues/109
>>
>> Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
>> ---
>>   libsemanage/src/handle.c | 29 ++++++++++++++++++++++++++++-
>>   1 file changed, 28 insertions(+), 1 deletion(-)
>>
>> diff --git a/libsemanage/src/handle.c b/libsemanage/src/handle.c
>> index a6567bd4..c163e553 100644
>> --- a/libsemanage/src/handle.c
>> +++ b/libsemanage/src/handle.c
>> @@ -43,8 +43,21 @@ static char *private_semanage_root = NULL;
>>
>>   int semanage_set_root(const char *root)
>>   {
>> +       char *new_selinux_root = NULL;
>> +
>> +       asprintf(&new_selinux_root, "%s%s", root, selinux_policy_root());
>> +       if (!new_selinux_root)
>> +               return -1;
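Review bot: the `asprintf` call in semanage_set_root() builds the new value from whatever selinux_policy_root() returns at that moment, so if this function goes on to set the policy root as the commit message describes, a second semanage_set_root() call prepends `root` to a path that already carries the earlier prefix. Building the path from the unmodified default root, saved once, would keep repeated calls from stacking prefixes. The outcome of `asprintf` should also be tested through its return value, e.g. `if (asprintf(&new_selinux_root, "%s%s", root, selinux_policy_root()) < 0) return -1;`, since initialising the pointer to NULL does not guarantee it is still NULL after a failure.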
> 
> https://travis-ci.org/SELinuxProject/selinux/builds/451528669 failed
> because the return value of asprintf needs to be checked instead of
> new_selinux_root. http://man7.org/linux/man-pages/man3/asprintf.3.html
> states:
> 
>      If memory allocation wasn't possible, or some other error occurs,
>      these functions will return -1, and the contents of strp are
>      undefined.
> 
> [...]
> 
>> +
>> +       char *newroot = NULL;
>> +       asprintf(&newroot, "%s%s", root, storename);
>> +       assert(newroot);
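Review bot: `assert(newroot)` turns an allocation failure inside library code into an abort of the calling process, and when the library is built with NDEBUG the check disappears entirely, leaving `newroot` unchecked. Test the `asprintf` return value and report an error to the caller instead, e.g. `if (asprintf(&newroot, "%s%s", root, storename) < 0) return -1;`, assuming the enclosing function (elided here) can return a failure code.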
> 
> Same here.

Unfortunately there are more fundamental problems with the patch as 
well, e.g.

1) Mutating selinux_policy_root breaks the test of whether we are 
installing to the active store in semanage_install_final_tmp(), which 
will cause policy reloads to be triggered when performing an operation 
on a different store, a different root, or both.

2) semanage_select_store() is supposed to only modify the per-handle 
state.  Changing selinux policy root is global state and would affect 
any other handles.

3) Multiple semanage_set_root() calls would yield the wrong result.

4) An allocation failure for private_semanage_root would leave the 
policy root modified.

Not sure of the best approach here.  Could possibly just modify the 
policy root around the selinux_boolean_sub() call and leave the rest 
unchanged...
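
As an added illustration (not code from this thread or from libsemanage), the following C example shows the asprintf return-value check raised in the review together with problems 3 and 4 from the list above: the path is built from a fixed default so repeated calls do not stack prefixes, and nothing is committed until every allocation has succeeded. `struct roots`, `roots_set()`, `set_twice_yields()` and `DEFAULT_POLICY_ROOT` are hypothetical names with a constructed value; problems 1 and 2 are outside what it covers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* asprintf() is a GNU/BSD extension */
#endif
#define __STDC_WANT_LIB_EXT2__ 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the installed policy root (not read from libselinux). */
#define DEFAULT_POLICY_ROOT "/etc/selinux/targeted"

/* Hypothetical state holder; the patch keeps the equivalents as globals. */
struct roots { char *semanage_root, *policy_root; };

/* Returns 0 on success; on failure returns -1 and leaves *st untouched. */
int roots_set(struct roots *st, const char *root)
{
    char *new_semanage = strdup(root);
    char *new_policy = NULL;

    if (!new_semanage)
        return -1;
    /* Derive from the fixed default, not from st->policy_root, so a second
     * call replaces the prefix instead of stacking it. Test the return
     * value: after a failure the pointer's contents are undefined. */
    if (asprintf(&new_policy, "%s%s", root, DEFAULT_POLICY_ROOT) < 0) {
        free(new_semanage);
        return -1;
    }
    /* Every allocation succeeded, so commit both values together. */
    free(st->semanage_root);
    free(st->policy_root);
    st->semanage_root = new_semanage;
    st->policy_root = new_policy;
    return 0;
}

/* Sets the root twice and reports whether the final policy root matches. */
int set_twice_yields(const char *first, const char *second, const char *want)
{
    struct roots st = { NULL, NULL };
    int ok = roots_set(&st, first) == 0 && roots_set(&st, second) == 0 &&
             strcmp(st.policy_root, want) == 0;
    free(st.semanage_root);
    free(st.policy_root);
    return ok;
}

int main(void) { return set_twice_yields("/a", "/b", "/b" DEFAULT_POLICY_ROOT) ? 0 : 1; }
```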
