Skip to content

src/useradd.c: chroot or prefix SELinux file context #1258

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 22 commits into
base: master
Choose a base branch
from
Draft

src/useradd.c: chroot or prefix SELinux file context #1258

wants to merge 22 commits into from

Conversation

ikerexxe
Copy link
Collaborator

@ikerexxe ikerexxe commented May 5, 2025

Do not process SELinux file context during file closure when chroot or
prefix options are selected.

As I'm changing a lot of files I decided to split the changes in a set of
patches to make them easier to understand.

Tests: #940
Closes: #940

@ikerexxe
Copy link
Collaborator Author

ikerexxe commented May 5, 2025

This is blocked by next-actions/pytest-mh#101

@ikerexxe
Copy link
Collaborator Author

ikerexxe commented May 5, 2025

@praiskup and @pmatilai I have created a COPR repository to help test these changes. Do you mind testing them?

By the way, if you need the build in some other distribution let me know.

@pmatilai pmatilai mentioned this pull request May 12, 2025
Open
ikerexxe added 18 commits May 13, 2025 13:00
@ikerexxe
tests/system/requirements.txt: update pytest-mh
94cba14 
pytest-mh v1.0.24 provided new SELinux functionality and this is needed
for the tests that are under development. Update this dependency to
satisfy the new test requirements.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
tests/system/framework/: add SELinux utility
1540785 
Add SELinux utility to BaseLinuxRole.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
tests/system/tests: SELinux for chroot and prefix
5921783 
SELinux context labels aren't supported in chroot and prefix options,
thus check that they aren't changed when adding a user.

Tests: shadow-maint#940
Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/: add SELinux control flag in commonio_close()
e0f3d55 
Expand commonio_close() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in pw_close()
db8975b 
Expand pw_close() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in spw_close()
d3e591b 
Expand spw_close() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in gr_close()
4fc1303 
Expand gr_close() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in sgr_close()
16aac88 
Expand sgr_close() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in sub_uid_close()
bb7f7b8 
Expand sub_uid_close() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in sub_gid_close()
f9d406b 
Expand sub_gid_close() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/: add SELinux control flag in commonio_unlock()
2f5d09c 
Expand commonio_unlock() interface to add a control flag for SELinux
file context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in pw_unlock()
999f8f9 
Expand pw_unlock() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in spw_unlock()
93e404d 
Expand spw_unlock() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in gr_unlock()
a122013 
Expand gr_unlock() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in sgr_unlock()
0ce897f 
Expand sgr_unlock() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
src/vipw.c: add SELinux control flag in unlock
70ba5a8 
All unlock functions require the SELinux control flag, thus add it as an
argument.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in sub_uid_unlock()
250e7ef 
Expand sub_uid_unlock() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/, src/: add SELinux control flag in sub_gid_unlock()
fbbc0f7 
Expand sub_gid_unlock() interface to add a control flag for SELinux file
context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@pmatilai
Copy link

Hmm, I'm afraid I don't see any behavior change from this on the rpm case (this on Fedora 41'ish):

[root@lumikko tmp]# rpm -q shadow-utils
shadow-utils-4.17.4-30test.fc41.x86_64
[root@lumikko tmp]# rm -rf /srv/test; rpm -U --root /srv/test/ setup-2.15.0-8.fc41.noarch.rpm --nodeps --nosignature --define "__systemd_sysusers /usr/lib/rpm/sysusers.sh"
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
groupadd: failure while writing changes to /etc/group
useradd: group '4' does not exist
useradd: group '1' does not exist
useradd: group '2' does not exist
useradd: group '50' does not exist
useradd: group '100' does not exist
useradd: group '0' does not exist
useradd: group '7' does not exist
useradd: group '12' does not exist
useradd: group '65534' does not exist
useradd: group '0' does not exist
useradd: group '0' does not exist
useradd: group '0' does not exist
useradd: group '0' does not exist
[root@lumikko tmp]#

That's how it fails with the stock F41 shadow-utils-4.15.1-12.fc41.x86_64 too.

ikerexxe added 4 commits May 20, 2025 14:10
@ikerexxe
src/useradd.c: chroot or prefix SELinux file context
10e42de 
Do not process SELinux file context during file closure when chroot or
prefix options are selected.

Closes: shadow-maint#940
Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
src/useradd.c: SELinux file context for home and mail
b93b6e5 
Do not process SELinux file context when creating home and mail folders
when chroot or prefix options are selected.

Closes: shadow-maint#940
Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
lib/: add SELinux control flag in cleanup_unlock_*()
b778e70 
Expand cleanup_unlock_group() and cleanup_unlock_gshadow() interfaces to
add a control flag for SELinux file context processing.

Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
src/groupadd.c: chroot or prefix SELinux file context
c8d2c6d 
Do not process SELinux file context during file closure when chroot or
prefix options are selected.

Closes: shadow-maint#940
Signed-off-by: Iker Pedrosa <[email protected]>
@ikerexxe
Copy link
Collaborator Author

I wasn't aware that the specific problem you were facing included groupadd, so I only updated the APIs and useradd as I wanted to confirm this was the way forward before updating other tools.

With this new information I have changed the groupadd code to avoid relabeling any file. I have tested this code with the command you provided and it seems to be working. I had to disable SELinux though, as I was hitting an AVC denial when trying to open the chroot group file.

I have updated the build COPR repository to include these changes. Test it when you can, and if you run into any problems share the exact steps you used so I can reproduce it.

@praiskup
Copy link

Tested with the proposed chagnes, and I can create users/groups with the --root. I still can't remove them (prefix works):

[root@vm-10-0-185-185 ~]# userdel -f mockbuild --root /var/lib/mock/fedora-41-x86_64/root
userdel: failure while writing changes to /etc/passwd
[root@vm-10-0-185-185 ~]# cat /var/lib/mock/fedora-41-x86_64/root/etc/passwd | grep mockbuild
mockbuild:x:1001:135::/builddir:/bin/bash
[root@vm-10-0-185-185 ~]# ls -alhZ /var/lib/mock/fedora-41-x86_64/root/etc/passwd
-rw-r--r--. 1 root root unconfined_u:object_r:mock_var_lib_t:s0 617 May 30 07:09 /var/lib/mock/fedora-41-x86_64/root/etc/passwd
[root@vm-10-0-185-185 ~]# userdel -f mockbuild --prefix /var/lib/mock/fedora-41-x86_64/root
[root@vm-10-0-185-185 ~]# echo $?
0

@ikerexxe
Copy link
Collaborator Author

ikerexxe commented Jun 2, 2025

That's expected behaviour as I only proposed the fix for useradd and groupadd binaries, everything else isn't fixed yet.

@alejandro-colomar @hallyn would you mind reviewing the general concept of this PR? You can skip the testing and just review how I propose to handle the propagation of the process_selinux flag from the various binaries to the library that handles file management. There are already quite a few commits in this PR and making all the binaries behave the same way is going to increase them even more, so I would like to be sure that this is the best way to solve this problem before proceeding with the rest.

@alejandro-colomar
Copy link
Collaborator

That's expected behaviour as I only proposed the fix for useradd and groupadd binaries, everything else isn't fixed yet.

@alejandro-colomar @hallyn would you mind reviewing the general concept of this PR? You can skip the testing and just review how I propose to handle the propagation of the process_selinux flag from the various binaries to the library that handles file management. There are already quite a few commits in this PR and making all the binaries behave the same way is going to increase them even more, so I would like to be sure that this is the best way to solve this problem before proceeding with the rest.

Yep, I'll review.

@pmatilai
Copy link

Doh, I've missed the update round here. I'll try to retest soon, thanks for looking into this!

alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Jun 11, 2025
View reviewed changes
@alejandro-colomar
Copy link
Collaborator

The changes seem relatively simple. I ignore SELinux, so I can't review the idea, but the code seems reasonable.

@alejandro-colomar
Copy link
Collaborator

The changes seem relatively simple. I ignore SELinux, so I can't review the idea, but the code seems reasonable.

It would be interesting to merge this PR as a proper merge commit instead of a rebase, to keep it organized as a single block of changes, BTW.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alejandro-colomar alejandro-colomar alejandro-colomar left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The --chroot option doesn't work well with SELinux off in-chroot
4 participants
@ikerexxe @pmatilai @praiskup @alejandro-colomar