
Bug#948365: mkinitramfs: do not copy SELinux file attributes
Package: initramfs-tools-core
Version: 0.135
File: /usr/sbin/mkinitramfs
User: selinux-devel@lists.alioth.debian.org
Usertags: selinux

Hi,

currently mkinitramfs (called by update-initramfs -u) uses 'cp -a' to
gather the files for the initramfs.
'-a' unfolds to '-dR --preserve=all', and 'preserve=all' forces cp to
copy an existing SELinux context.
This results in odd denials/permission requests like:

type=PROCTITLE msg=audit(01/07/20 17:43:37.802:10521) : proctitle=cp
-ar /etc/ld.so.conf /etc/ld.so.conf.d /var/tmp/mkinitramfs_5j7fmj/etc/
type=PATH msg=audit(01/07/20 17:43:37.802:10521) : item=1
name=/var/tmp/mkinitramfs_5j7fmj/etc/ld.so.conf.d nametype=CREATE
cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(01/07/20 17:43:37.802:10521) : item=0
name=/var/tmp/mkinitramfs_5j7fmj/etc/ inode=1942 dev=08:01
mode=dir,755 ouid=root ogid=root rdev=00:00
obj=root:object_r:initramfs_tmp_t:s0 nametype=PARENT cap_fp=none
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/07/20 17:43:37.802:10521) :
cwd=/root/workspace/selinux/selinux-policy-debian
type=SYSCALL msg=audit(01/07/20 17:43:37.802:10521) : arch=x86_64
syscall=mkdir success=no exit=EACCES(Permission denied)
a0=0x55cf69140670 a1=0700 a2=0x4001e a3=0x55cf67cb760e items=2
ppid=96302 pid=99538 auid=root uid=root gid=root euid=root suid=root
fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=cp
exe=/usr/bin/cp subj=root:sysadm_r:initramfs_t:s0-s0:c0.c1023
key=(null)
type=AVC msg=audit(01/07/20 17:43:37.802:10521) : avc:  denied  {
create } for  pid=99538 comm=cp name=ld.so.conf.d
scontext=root:sysadm_r:initramfs_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ld_so_conf_t:s0 tclass=dir permissive=0

These copied files should not inherit the original ld_so_conf_t
context, or at least it should be configurable by the SELinux policy
writer.

Please consider using the option 'no-preserve=context,xattr'.

Best regards
      Christian Göttsche


--- /root/workspace/mkinitramfs 2020-01-07 21:09:49.015636826 +0100
+++ /usr/sbin/mkinitramfs       2020-01-07 21:10:40.926855379 +0100
@@ -351,7 +351,7 @@

 # workaround: libgcc always needed on old-abi arm
 if [ "$DPKG_ARCH" = arm ] || [ "$DPKG_ARCH" = armeb ]; then
-       cp -a /lib/libgcc_s.so.1 "${DESTDIR}/lib/"
+       cp -a --no-preserve=context,xattr /lib/libgcc_s.so.1 "${DESTDIR}/lib/"
 fi

 run_scripts /usr/share/initramfs-tools/hooks
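Review bot: `--no-preserve=xattr` is broader than the report needs: besides the SELinux label it drops every other extended attribute, including security.capability, so file capabilities would be lost on any binary copied this way. That is harmless for libgcc_s.so.1, but if the same pattern is applied to executables, `--no-preserve=context` alone (or `-Z`, which gives the copy the default context) fixes the label without discarding capabilities.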
@@ -371,7 +371,7 @@
 rm -f "${DESTDIR}/lib/modules/${version}"/modules.*map

 # make sure that library search path is up to date
-cp -ar /etc/ld.so.conf* "$DESTDIR"/etc/
+cp -a --no-preserve=context,xattr /etc/ld.so.conf* "$DESTDIR"/etc/
 if ! ldconfig -r "$DESTDIR" ; then
        [ "$(id -u)" != "0" ] \
        && echo "ldconfig might need uid=0 (root) for chroot()" >&2
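Review bot: this is the call behind the logged denial (mkdir of ld.so.conf.d under the staging directory with the inherited ld_so_conf_t label), so the fix is in the right place. Dropping `-r` is correct because `-a` already implies `-R`, but it is an unrelated cleanup and deserves a mention in the changelog. As in the first hunk, `context` alone would suffice; `xattr` additionally strips every extended attribute from the copies.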
@@ -400,7 +400,7 @@
           [ -e "${DESTDIR}/lib/ld-linux-armhf.so.3" ]; then
                rm -f "${DESTDIR}/lib/arm-linux-gnueabihf/ld-linux.so.3"
                rm -f "${DESTDIR}/lib/ld-linux-armhf.so.3"
-               cp -aL /lib/ld-linux-armhf.so.3 "${DESTDIR}/lib/"
+               cp -aL --no-preserve=context,xattr
/lib/ld-linux-armhf.so.3 "${DESTDIR}/lib/"
                ln -sf /lib/ld-linux-armhf.so.3
"${DESTDIR}/lib/arm-linux-gnueabihf/ld-linux.so.3"
        fi
 fi
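Review bot: this hunk is line-wrapped: the added `cp -aL --no-preserve=context,xattr` line and the unchanged `ln -sf` context line are each split across two lines, so the patch will not apply with patch(1) as posted; please resend it as an attachment or from a client that does not wrap long lines. The change itself mirrors the first hunk, so the remark there about `xattr` also dropping security.capability applies here as well.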

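An added demonstration of the behaviour the report describes, not code from the report or from initramfs-tools: it copies a labelled file into a staging directory with the original `cp -a` and with the proposed `cp -a --no-preserve=context,xattr`, and inspects what each copy retains. It assumes Linux with GNU coreutils cp and a filesystem that accepts user.* extended attributes; a constructed user.* attribute stands in for security.selinux, which only an SELinux kernel lets a process set, while cp treats both through the same --preserve/--no-preserve handling.

```python
import os
import subprocess
import tempfile

# Constructed stand-in for security.selinux (only an SELinux kernel lets a
# process set that one); the value is the label the AVC denial shows.
DEMO_XATTR = "user.demo.selinux"
DEMO_LABEL = b"system_u:object_r:ld_so_conf_t:s0"
SOURCE_MODE = 0o640


def gnu_cp_available() -> bool:
    """busybox and BSD cp lack --no-preserve, so only GNU coreutils qualifies."""
    try:
        out = subprocess.run(["cp", "--version"], capture_output=True, text=True)
    except OSError:
        return False
    return "GNU coreutils" in out.stdout


def stage_copy(strip_context):
    """Copy a labelled file into a staging dir as mkinitramfs does, then
    report the copy's xattr names and permission bits.

    strip_context=False is the original `cp -a`; True adds the option the
    report proposes. Returns None when GNU cp or xattr support is missing.
    """
    if not gnu_cp_available():
        return None
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ld.so.conf")
        staging = os.path.join(work, "staging", "etc")
        os.makedirs(staging)
        with open(src, "w") as fh:
            fh.write("include /etc/ld.so.conf.d/*.conf\n")
        os.chmod(src, SOURCE_MODE)
        try:
            os.setxattr(src, DEMO_XATTR, DEMO_LABEL)
        except OSError:  # filesystem without user.* xattr support
            return None
        cmd = ["cp", "-a"]
        if strip_context:
            # -a is --preserve=all; --no-preserve after it removes just the
            # SELinux context and the extended attributes from that set.
            cmd.append("--no-preserve=context,xattr")
        subprocess.run(cmd + [src, staging + "/"], check=True)
        copy = os.path.join(staging, "ld.so.conf")
        return {"xattrs": os.listxattr(copy),
                "mode": os.stat(copy).st_mode & 0o777}
```

With the option added, the copy keeps its mode (and timestamps) but carries no extended attributes, so an SELinux system labels it from the policy's defaults for the staging directory instead of the source's ld_so_conf_t.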