[OE-core] [PATCH] shadow: 'useradd' copies root's extended attributes

wenzong fan wenzong.fan at windriver.com
Tue Jan 16 02:53:39 UTC 2018 


On 01/15/2018 10:33 PM, José Bollo wrote:
> On Wed, 10 Jan 2018 17:50:19 +0800
> wenzong fan <wenzong.fan at windriver.com> wrote:
> 
>> On 01/10/2018 01:01 AM, Patrick Ohly wrote:
>>> On Fri, 2018-01-05 at 01:07 +0000, Fan, Wenzong wrote:
>>>> It works and will override the labels of home dir that SELinux
>>>> applied, that's the issue.
>>>>
>>>> For SELinux enabled system, the user's home dir should have lavel
>>>> 'user_home_dir_t' instead of 'etc_t', it prevents users from
>>>> creating files in their home dir.
>>>
>>> Sounds like the "copy xattr" function needs to become a bit
>>> smarter: it needs to understand some of the semantic involved and
>>> skip those SELinux xattrs that are always meant to be set
>>> dynamically by the running kernel.
>>>
>>> Wenzong, which xattrs are those? Do you agree with the proposed
>>> solution?
>>
>> The xattr for selinux is "security.selinux":
>>
>> $ getfattr -n security.selinux /home/t1
>> security.selinux="user_u:object_r:user_home_dir_t:s0-s15:c0.c1023"
>>
>> I think the "attr_copy_file()" is doing right thing, but it should be
>> used in a limited situation, such as only for Smack ...
>>
>> Thanks
>> Wenzong
> 
> The LSM "SELinux" is complicated enough to change label of template
> files to label of instance files correctly. The approach with Smack is
> different and the template files embed the expected complex hierarchy
> that otherwise could only be created with a program.
> 
> A possible approach would be with smack to add a program for creating
> homes. Conversely, SELinux could consider to use template approach too
> instead of increasing its rules set (with templating splitted in two
> parts: files and "creation" rules).
> 
>>From "man 7 xattr" we know:
>   - extended attributes are namespaced
>   - the fully qualified name is "namespace.attribute"
>   - actual namespaces are security, system, trusted, and user
> 
> A possibility would be to filter the copied extended attributes. For
> SELinux we can just tell to not copy "security" attributes. See
> manual of the command "tar" (recent version) that has options
> --xattrs-exclude and --xattr-include.
> 
> Is there a need to copy extended attributes except for Smack?

I incline to limit the patch only for Smack with a proper bbappend, and 
maybe we'll want a distro feature as well. Both enable SELinux and Smack 
is not a normal use case, sometimes user choice Smack is because SELinux 
is too weight for their system. (except for you know a case that Smack 
can do but SELinux can't)

About how to get Smack and SELinux work together, I'm not sure if their 
communities also considered about that. Only fix the xattr issue maybe 
not enough ...

Thanks
Wenzong

> 
>>> Jose, can you look into updating your patch accordingly?
> 
> Perhaps yes but not now because I don't now what to do.
> 
> Best regards
> Jose
>

More information about the Openembedded-core mailing list