Libguestfs - Sep 2020 - Re: [common PATCH 3/3] mlcustomize: do not relabel if not enforcing (RHBZ#1828952)

On Thu, Sep 24, 2020 at 12:39:02PM +0200, Pino Toscano wrote:
...
> There are various cases when, even of an enforcing system, labels are
> not kept up-to-date:
> 
> $ getenforce 
> Enforcing
> $ touch /tmp/test
> $ ls -lZ /tmp/test 
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep
24 12:26 /tmp/test
> $ mv /tmp/test ~/var/
> $ ls -lZ ~/var/test 
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_tmp_t:s0 0 Sep
24 12:26 /home/ptoscano/var/test
> $ restorecon -v ~/var/test 
> Relabeled /home/ptoscano/var/test from unconfined_u:object_r:user_tmp_t:s0
to unconfined_u:object_r:user_home_t:s0
> $ ls -lZ ~/var/test 
> -rw-rw-r--. 1 ptoscano ptoscano unconfined_u:object_r:user_home_t:s0 0 Sep
24 12:26 /home/ptoscano/var/test
That's definitely a weird thing.  Bug maybe?
> Considering that /tmp is a general location for temporary files, it's
> common that files may end with a tmp_t-alike label when moved back to
> the destination place (e.g. after a rename()). That is not the only
> situation like this that I saw in the past.
> 
> In permissive mode, all these situation are logged in the audit log,
> yes, but they cause no blocks nor errors.
> 
> > It's also fine for an administrator to
> > switch a system to permissive and then back to enforcing without
> > relabelling or rebooting.
> 
> A mislabelled /etc/passwd is still read and used fine in permissive
> mode. Switch back from permissive to enforcing without a relabelling
> is generally not a good idea, especially after the system ran for a
> lot of time after the switch to permissive.
It's seems true from what you wrote above that someone could copy
/tmp/passwd -> /etc/passwd and it would have a wrong label.  But
virt-v2v could fix that label, which even in permissive mode sounds
like a win.

My question is what's the down-side to relabelling in permissive mode?

(I can see in *disabled* mode it's just a waste of time because the
work we do for relabelling in virt-v2v is just going to be undone when
the guest boots with SELinux disabled).

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/

On Thursday, 24 September 2020 13:53:57 CEST Richard W.M. Jones
wrote:
> > Considering that /tmp is a general location for temporary files,
it's
> > common that files may end with a tmp_t-alike label when moved back to
> > the destination place (e.g. after a rename()). That is not the only
> > situation like this that I saw in the past.
> > 
> > In permissive mode, all these situation are logged in the audit log,
> > yes, but they cause no blocks nor errors.
> > 
> > > It's also fine for an administrator to
> > > switch a system to permissive and then back to enforcing without
> > > relabelling or rebooting.
> > 
> > A mislabelled /etc/passwd is still read and used fine in permissive
> > mode. Switch back from permissive to enforcing without a relabelling
> > is generally not a good idea, especially after the system ran for a
> > lot of time after the switch to permissive.
> 
> It's seems true from what you wrote above that someone could copy
> /tmp/passwd -> /etc/passwd and it would have a wrong label.  But
> virt-v2v could fix that label, which even in permissive mode sounds
> like a win.
The question is: why? If the system had wrong labels even for system
files, and the administrator did not bother/want to fix them (because
of permissive), why should virt-v2v? Even if virt-v2v relabels a
permissive guest, the labels will get out of sync once the guest runs
again and does its own stuff, so there is no gain here.
> My question is what's the down-side to relabelling in permissive mode?
Time spend doing something that is not useful/used for the guest.

-- 
Pino Toscano

On Thu, Sep 24, 2020 at 02:16:24PM +0200, Pino Toscano
wrote:
> On Thursday, 24 September 2020 13:53:57 CEST Richard W.M. Jones wrote:
> > > Considering that /tmp is a general location for temporary files,
it's
> > > common that files may end with a tmp_t-alike label when moved
back to
> > > the destination place (e.g. after a rename()). That is not the
only
> > > situation like this that I saw in the past.
> > > 
> > > In permissive mode, all these situation are logged in the audit
log,
> > > yes, but they cause no blocks nor errors.
> > > 
> > > > It's also fine for an administrator to
> > > > switch a system to permissive and then back to enforcing
without
> > > > relabelling or rebooting.
> > > 
> > > A mislabelled /etc/passwd is still read and used fine in
permissive
> > > mode. Switch back from permissive to enforcing without a
relabelling
> > > is generally not a good idea, especially after the system ran for
a
> > > lot of time after the switch to permissive.
> > 
> > It's seems true from what you wrote above that someone could copy
> > /tmp/passwd -> /etc/passwd and it would have a wrong label.  But
> > virt-v2v could fix that label, which even in permissive mode sounds
> > like a win.
> 
> The question is: why? If the system had wrong labels even for system
> files, and the administrator did not bother/want to fix them (because
> of permissive), why should virt-v2v? Even if virt-v2v relabels a
> permissive guest, the labels will get out of sync once the guest runs
> again and does its own stuff, so there is no gain here.
I don't think this part is true (except in rather contrived situations).
It seems as if when setting the mode to Permissive when the guest is
running normally, it *is* attempting to maintain the correct labels.
So virt-v2v should do the same thing.

Rich.
> > My question is what's the down-side to relabelling in permissive
mode?
> 
> Time spend doing something that is not useful/used for the guest.
> 
> -- 
> Pino Toscano


-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/