Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

selinux_restore_tty: use fgetfilecon_raw/fsetfilecon_raw #17

Closed
ghost opened this issue Dec 11, 2019 · 3 comments
Closed

selinux_restore_tty: use fgetfilecon_raw/fsetfilecon_raw #17

ghost opened this issue Dec 11, 2019 · 3 comments

Comments

@ghost
Copy link

ghost commented Dec 11, 2019

Sudo uses fgetfilecon() and fsetfilecon() in selinux_restore_tty()
It should probably use fgetfilecon_raw() and fsetfilecon_raw() instead.

If you use mcstrans (a daemon that translates SELinux contexts to human readable strings), and you run shutdown -h now from a sudo -r sysadm.role -s shell then systemd will kill mcstrans before the sudo shell process gets killed.

Sudo, i think, still has the translated version of the context (retrieved with fgetfilecon()) in cache and tries to restore the context of the tty using the human readable version of the context. Since mcstrans is no longer present, that context is invalid prompting:

12:39 < grift> Dec 11 12:36:20 perfevent audit: SELINUX_ERR op=setxattr 
               invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
12:39 < grift> Dec 11 12:36:20 perfevent audit[859]: AVC avc:  denied  { mac_admin } for  pid=859 comm="sudo" capability=33  
               scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0

By using fgetfilecon_raw() and fsetfilecon_raw() sudo would be using the "raw" context to restore the tty. This "raw" context is valid when mcstrans has been terminated.

@ToddMiller1
Copy link

Can you try the attached patch? I don't have an SELinux policy that actually cares about file contexts.
fsetfilecon_raw.txt

@ghost
Copy link
Author

ghost commented Dec 11, 2019

Thanks, Yes this patch fixes the above issue for me.

@millert
Copy link
Collaborator

millert commented Dec 12, 2019

I committed the patch; it will be in sudo the 1.8.30 release.

@millert millert closed this as completed Dec 12, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants