From 206d65618f20995b168dcc63090d1e6871450e90 Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Wed, 26 May 2021 15:45:26 +0200

Subject: [PATCH] [archive] skip copying SELinux context for /proc and /sys

 everytime

A supplement of #1399 fix, now also for adding strings or special

device files.

Also adding a (vendor) test case for it.

Resolves: #2560

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/archive.py                           | 35 +++++++++++----------

 tests/vendor_tests/redhat/rhbz1965001.py | 39 ++++++++++++++++++++++++

 2 files changed, 56 insertions(+), 18 deletions(-)

 create mode 100644 tests/vendor_tests/redhat/rhbz1965001.py

diff --git a/sos/archive.py b/sos/archive.py

index 4dd31d75..b02b2475 100644

--- a/sos/archive.py

+++ b/sos/archive.py

@@ -326,6 +326,20 @@ class FileCacheArchive(Archive):

             return None

         return dest

+    def _copy_attributes(self, src, dest):

+        # copy file attributes, skip SELinux xattrs for /sys and /proc

+        try:

+            stat = os.stat(src)

+            if src.startswith("/sys/") or src.startswith("/proc/"):

+                shutil.copymode(src, dest)

+                os.utime(dest, ns=(stat.st_atime_ns, stat.st_mtime_ns))

+            else:

+                shutil.copystat(src, dest)

+            os.chown(dest, stat.st_uid, stat.st_gid)

+        except Exception as e:

+            self.log_debug("caught '%s' setting attributes of '%s'"

+                           % (e, dest))

+

     def add_file(self, src, dest=None):

         with self._path_lock:

             if not dest:

@@ -348,18 +362,7 @@ class FileCacheArchive(Archive):

                     else:

                         self.log_info("File %s not collected: '%s'" % (src, e))

-                # copy file attributes, skip SELinux xattrs for /sys and /proc

-                try:

-                    stat = os.stat(src)

-                    if src.startswith("/sys/") or src.startswith("/proc/"):

-                        shutil.copymode(src, dest)

-                        os.utime(dest, ns=(stat.st_atime_ns, stat.st_mtime_ns))

-                    else:

-                        shutil.copystat(src, dest)

-                    os.chown(dest, stat.st_uid, stat.st_gid)

-                except Exception as e:

-                    self.log_debug("caught '%s' setting attributes of '%s'"

-                                   % (e, dest))

+                self._copy_attributes(src, dest)

                 file_name = "'%s'" % src

             else:

                 # Open file case: first rewind the file to obtain

@@ -388,11 +391,7 @@ class FileCacheArchive(Archive):

                 content = content.decode('utf8', 'ignore')

             f.write(content)

             if os.path.exists(src):

-                try:

-                    shutil.copystat(src, dest)

-                except OSError as e:

-                    self.log_error("Unable to add '%s' to archive: %s" %

-                                   (dest, e))

+                self._copy_attributes(src, dest)

             self.log_debug("added string at '%s' to FileCacheArchive '%s'"

                            % (src, self._archive_root))

@@ -501,7 +500,7 @@ class FileCacheArchive(Archive):

                     self.log_info("add_node: %s - mknod '%s'" % (msg, dest))

                     return

                 raise e

-            shutil.copystat(path, dest)

+            self._copy_attributes(path, dest)

     def name_max(self):

         if 'PC_NAME_MAX' in os.pathconf_names:

diff --git a/tests/vendor_tests/redhat/rhbz1965001.py b/tests/vendor_tests/redhat/rhbz1965001.py

new file mode 100644

index 00000000..aa16ba81

--- /dev/null

+++ b/tests/vendor_tests/redhat/rhbz1965001.py

@@ -0,0 +1,39 @@

+# This file is part of the sos project: https://github.com/sosreport/sos

+#

+# This copyrighted material is made available to anyone wishing to use,

+# modify, copy, or redistribute it subject to the terms and conditions of

+# version 2 of the GNU General Public License.

+#

+# See the LICENSE file in the source distribution for further information.

+

+

+import tempfile

+import shutil

+from sos_tests import StageOneReportTest

+

+

+class rhbz1965001(StageOneReportTest):

+    """

+    Copying /proc/sys/vm/{compact_memory,drop_caches} must ignore SELinux

+    context, otherwise an attempt to set the context to files under some

+    directories like /tmp raises an AVC denial, and an ERROR

+    "Unable to add '...' to archive: [Errno 13] Permission denied: '...'

+    is raise.

+

+    https://bugzilla.redhat.com/show_bug.cgi?id=1965001

+

+    :avocado: enable

+    :avocado: tags=stageone

+    """

+

+    sos_cmd = '-o system'

+    # it is crucial to run the test case with --tmp-dir=/tmp/... as that is

+    # (an example of) directory exhibiting the relabel permission deny.

+    # /var/tmp directory allows those relabels.

+    #

+    # the directory shouldn't exist at this moment, otherwise

+    # "check to prevent multiple setUp() runs" in sos_tests.py would fail

+    _tmpdir = '/tmp/rhbz1965001_avocado_test'

+

+    def test_no_permission_denied(self):

+        self.assertSosLogNotContains("Permission denied")

-- 

2.26.3