Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-1389

RPM's %post script doesn't handle invocation with --root flag properly

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • None
    • Critical
    • rhel-security-selinux
    • ssg_security
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • If docs needed, set a value
    • None

      Description of problem:

      We leverage a VM-creation process that builds VMs into a chrooted environment. As part of this process, we invoke package-installation by passing the --root flag to dnf. The selinux-policy RPM's %post script seems to not properly handle this usage-scenario. As a result, it both tests for an existing /etc/selinux/config file and, if it tries to create a new one, it does so in the environment's real root rather than the chroot location

      Version-Release number of selected component (if applicable):

      Presumably all 8.x versions up through at least selinux-policy-3.14.3-117.el8.noarch

      How reproducible:

      Steps to Reproduce:
      1. Execute an installation by passing a chroot-location to dnf with the `--root` flag
      2. Execute a find within the chroot-location to look for the ${CHROOT}/etc/selinux/config file (or simply any file under the CHROOT that might contain ^SELINUX=
      3. Get a null result from the find

      Actual results:

      Get a null result from the find

      Expected results:

      ${CHROOT}/etc/selinux/config SHOULD exist

      Additional info:

      In looking at the RPM's %post script:

      ~~~
      postinstall scriptlet (using /bin/sh):
      if [ ! -s /etc/selinux/config ]; then
      #

      1. New install so we will default to targeted policy
        #
        echo "
      2. This file controls the state of SELinux on the system.
      3. SELINUX= can take one of these three values:
      4. enforcing - SELinux security policy is enforced.
      5. permissive - SELinux prints warnings instead of enforcing.
      6. disabled - No SELinux policy is loaded.
        SELINUX=enforcing
      7. SELINUXTYPE= can take one of these three values:
      8. targeted - Targeted processes are protected,
      9. minimum - Modification of targeted policy. Only selected processes are protected.
      10. mls - Multi Level Security protection.
        SELINUXTYPE=targeted

      " > /etc/selinux/config

      ln -sf ../selinux/config /etc/sysconfig/selinux
      restorecon /etc/selinux/config 2> /dev/null || :
      else
      . /etc/selinux/config
      fi
      exit 0
      ~~~

      It looks like there's no logic in the script to "understand" that the locations should be adjusted if the --root flag has been passed to dnf.

              rhn-support-zpytela Zdenek Pytela
              redhat@xanthia.com Thomas Jones (Inactive)
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: