
[BUG] SELinux module fcontext_get_policy fails when sel_level specified #61778

Status: Open
daniel-sampliner opened this issue Mar 11, 2022 · 3 comments
Labels: Bug (broken, incorrect, or confusing behavior), severity-medium (3rd level, incorrect or bad functionality, confusing and lacks a work around)
Milestone: Approved

daniel-sampliner commented Mar 11, 2022

Description
If the optional sel_level argument is given to selinux.fcontext_get_policy, it fails to find the policy.

For example, take this policy:

[user@localhost ~]$ sudo salt-call --local selinux.fcontext_get_policy name='/.*'
local:
    ----------
    filespec:
        /.*
    filetype:
        all files
    sel_level:
        s0
    sel_role:
        object_r
    sel_type:
        default_t
    sel_user:
        system_u

If we then add argument sel_level=s0, no policy is returned:

[user@localhost ~]$ sudo salt-call --local selinux.fcontext_get_policy name='/.*' sel_level=s0
local:
    None

Steps to Reproduce the behavior
Simply call selinux.fcontext_get_policy with the sel_level argument provided.

Expected behavior
The matching policy is returned.

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3004

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: Not Installed
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.11.1
       libgit2: Not Installed
      M2Crypto: 0.35.2
          Mako: Not Installed
       msgpack: 0.6.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: Not Installed
        pygit2: Not Installed
        Python: 3.6.8 (default, Nov 16 2020, 16:55:22)
  python-gnupg: Not Installed
        PyYAML: 3.13
         PyZMQ: 17.0.0
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.1.4

System Versions:
          dist: centos 7 Core
        locale: UTF-8
       machine: x86_64
       release: 3.10.0-1160.el7.x86_64
        system: Linux
       version: CentOS Linux 7 Core

Additional context
It appears this is because the semanage fcontext -l command always (at least on CentOS 7, which is the only system I have tested) appends an extra space to the end of each line:

[user@localhost ~]$ sudo semanage fcontext -l 2>/dev/null | grep -m1 / | hexdump -C
00000000  2f 2e 2a 20 20 20 20 20  20 20 20 20 20 20 20 20  |/.*             |
00000010  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
*
00000030  20 20 20 61 6c 6c 20 66  69 6c 65 73 20 20 20 20  |   all files    |
00000040  20 20 20 20 20 20 73 79  73 74 65 6d 5f 75 3a 6f  |      system_u:o|
00000050  62 6a 65 63 74 5f 72 3a  64 65 66 61 75 6c 74 5f  |bject_r:default_|
00000060  74 3a 73 30 20 0a                                 |t:s0 .|
00000066

Notice the final bytes 73 30 20 0a, which map to s 0 <space> <newline>.
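To make the failure mode concrete, here is an added example (it is neither Salt's code nor the issue author's) that mimics the line-matching step of fcontext_get_policy over constructed semanage fcontext -l output carrying the trailing space shown in the hexdump above. The regex shape is an assumption modelled on the symptom rather than copied from Salt: an unspecified sel_level is matched by a wildcard that happens to swallow the trailing space, while an explicitly given level becomes a literal anchored straight against end-of-line, so it can only match once a trailing-whitespace trailer is tolerated. The sample output, column widths and the tolerate_trailing_ws switch are constructed for illustration.

```python
import re

# Constructed sample output modelled on the hexdump in the issue: every line
# of `semanage fcontext -l` ends with one space before the newline. Column
# widths are illustrative, not captured from a real host.
SEMANAGE_FCONTEXT_L = (
    "/.*                            all files          system_u:object_r:default_t:s0 \n"
    "/etc/shadow.*                  regular file       system_u:object_r:shadow_t:s0 \n"
    "/var/log(/.*)?                 all files          system_u:object_r:var_log_t:s0 \n"
)

FIELDS = ("filespec", "filetype", "sel_user", "sel_role", "sel_type", "sel_level")


def build_line_regex(name, sel_level=None, tolerate_trailing_ws=False):
    """Compile the matcher for one output line (assumed shape, not Salt's source).

    Layout: filespec, filetype, then user:role:type:level. An unspecified
    sel_level becomes the wildcard [^:]+, which silently absorbs a trailing
    space; a specified level becomes an escaped literal that sits directly
    against $ unless tolerate_trailing_ws adds an optional [ \t]* trailer.
    """
    level = re.escape(sel_level) if sel_level else r"[^:]+"
    trailer = r"[ \t]*" if tolerate_trailing_ws else ""
    return re.compile(
        r"^(" + re.escape(name) + r") +"      # filespec column
        r"([a-z ]+?) +"                       # filetype column, e.g. "all files"
        r"([^:\s]+):([^:\s]+):([^:\s]+):"     # sel_user:sel_role:sel_type:
        r"(" + level + r")" + trailer + r"$"  # sel_level, then end of line
    )


def fcontext_get_policy(output, name, sel_level=None, tolerate_trailing_ws=False):
    """Return the parsed entry for `name` as a dict, or None when no line matches.

    `output` is the text of `semanage fcontext -l`; splitlines() removes the
    newline but keeps any trailing space, exactly as egrep would see it.
    """
    regex = build_line_regex(name, sel_level, tolerate_trailing_ws)
    for line in output.splitlines():
        match = regex.match(line)
        if match:
            # strip() hides the space the wildcard absorbed, which is why the
            # bug only becomes visible once sel_level is specified explicitly.
            return {k: v.strip() for k, v in zip(FIELDS, match.groups())}
    return None


def has_trailing_space(output):
    """True when any line of `output` ends with a space (the CentOS 7 quirk)."""
    return any(line.endswith(" ") for line in output.splitlines())


if __name__ == "__main__":
    print("trailing space present:", has_trailing_space(SEMANAGE_FCONTEXT_L))
    print("no level:    ", fcontext_get_policy(SEMANAGE_FCONTEXT_L, "/.*"))
    print("level, buggy:", fcontext_get_policy(SEMANAGE_FCONTEXT_L, "/.*", sel_level="s0"))
    print("level, fixed:", fcontext_get_policy(SEMANAGE_FCONTEXT_L, "/.*", sel_level="s0",
                                               tolerate_trailing_ws=True))
```

Running the block prints a dict for the unspecified-level lookup, None for the explicit sel_level=s0 lookup against the same data, and the dict again once the trailer is tolerated. An equivalent fix is to rstrip() each line before matching, which removes the dependence on how semanage pads its columns. On a target host, `semanage fcontext -l | grep -c ' $'` shows how many lines carry the trailing space.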

daniel-sampliner added the Bug and needs-triage labels Mar 11, 2022
welcome bot commented Mar 11, 2022

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

daniel-sampliner added a commit to daniel-sampliner/salt that referenced this issue Mar 11, 2022
On some systems, command "semanage fcontext -l" suffixes all lines with
a single trailing whitespace. This causes selinux.fcontext_get_policy to
fail to find policies if sel_level optional argument is provided.

This change modifies the regexp used to match lines to handle 0 or 1
empty spaces at the end of the line.

Fixes saltstack#61778
daniel-sampliner (Author) commented

I have a work-in-progress fix at b06be84; it just needs a small tweak to the regexp.

However, it's lacking a good way to test the bug and the fix.

OrangeDog added the severity-medium label and removed the needs-triage label Mar 14, 2022
OrangeDog added this to the Approved milestone Mar 14, 2022
johnnybubonic commented

Adding as a note: the same holds for salt.states.selinux.fcontext_policy_present (and, presumably, salt.states.selinux.fcontext_policy_absent as well). The state fails when sel_level is specified explicitly and passes when it is not.
