author | Pavel Moravec <pmoravec@redhat.com> | 2021-05-26 15:45:26 +0200 |
---|---|---|
committer | Jake Hunsaker <jhunsake@redhat.com> | 2021-06-01 10:34:27 -0400 |
commit | 206d65618f20995b168dcc63090d1e6871450e90 (patch) | |
tree | ce9e520b8467955bf1f558e6d7c4ccaee9767c52 | |
parent | 61b083de3c43f86f152c810ddf888c5dad073165 (diff) | |
download | sos-206d65618f20995b168dcc63090d1e6871450e90.tar.gz |
[archive] skip copying SELinux context for /proc and /sys everytime
A supplement of #1399 fix, now also for adding strings or special
device files.
Also adding a (vendor) test case for it.
Resolves: #2560
Signed-off-by: Pavel Moravec <pmoravec@redhat.com>
-rw-r--r-- | sos/archive.py | 35 | ||||
-rw-r--r-- | tests/vendor_tests/redhat/rhbz1965001.py | 39 |
2 files changed, 56 insertions, 18 deletions
diff --git a/sos/archive.py b/sos/archive.py
index 4dd31d75..b02b2475 100644
--- a/sos/archive.py
+++ b/sos/archive.py
@@ -326,6 +326,20 @@ class FileCacheArchive(Archive):
 return None
 return dest
 
+ def _copy_attributes(self, src, dest):
+ # copy file attributes, skip SELinux xattrs for /sys and /proc
+ try:
+ stat = os.stat(src)
+ if src.startswith("/sys/") or src.startswith("/proc/"):
+ shutil.copymode(src, dest)
+ os.utime(dest, ns=(stat.st_atime_ns, stat.st_mtime_ns))
+ else:
+ shutil.copystat(src, dest)
+ os.chown(dest, stat.st_uid, stat.st_gid)
+ except Exception as e:
+ self.log_debug("caught '%s' setting attributes of '%s'"
+ % (e, dest))
+
 def add_file(self, src, dest=None):
 with self._path_lock:
 if not dest:
@@ -348,18 +362,7 @@ class FileCacheArchive(Archive):
 else:
 self.log_info("File %s not collected: '%s'" % (src, e))
 
- # copy file attributes, skip SELinux xattrs for /sys and /proc
- try:
- stat = os.stat(src)
- if src.startswith("/sys/") or src.startswith("/proc/"):
- shutil.copymode(src, dest)
- os.utime(dest, ns=(stat.st_atime_ns, stat.st_mtime_ns))
- else:
- shutil.copystat(src, dest)
- os.chown(dest, stat.st_uid, stat.st_gid)
- except Exception as e:
- self.log_debug("caught '%s' setting attributes of '%s'"
- % (e, dest))
+ self._copy_attributes(src, dest)
 file_name = "'%s'" % src
 else:
 # Open file case: first rewind the file to obtain
@@ -388,11 +391,7 @@ class FileCacheArchive(Archive):
 content = content.decode('utf8', 'ignore')
 f.write(content)
 if os.path.exists(src):
- try:
- shutil.copystat(src, dest)
- except OSError as e:
- self.log_error("Unable to add '%s' to archive: %s" %
- (dest, e))
+ self._copy_attributes(src, dest)
 self.log_debug("added string at '%s' to FileCacheArchive '%s'"
 % (src, self._archive_root))
 
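Review bot: The branch in `_copy_attributes` that skips xattrs is chosen by a raw prefix test, `src.startswith("/sys/") or src.startswith("/proc/")`, on a path that is not normalised first. A source that names procfs or sysfs under another spelling (redundant separators, a `..` component, a symlink) would fall through to `shutil.copystat` and attempt to copy the SELinux xattr again; whether callers can pass such paths is not visible in this hunk. I would compare a resolved path, e.g. `real = os.path.realpath(src)` followed by `if real.startswith(("/sys/", "/proc/")):`. The leading comment would also be better as a docstring stating that procfs/sysfs sources get only mode bits and timestamps, that other sources go through `copystat`, and that failures are logged rather than raised.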
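Review bot: Routing the add-string path (`@@ -388,11 +391,7 @@`) through `_copy_attributes` turns a failed attribute copy from a `log_error` into a `log_debug`, because the helper catches bare `Exception` for every source, not only the `/proc/` and `/sys/` ones the commit is about. The same applies to the `add_node` hunk (`@@ -501,7 +500,7 @@`), where `shutil.copystat(path, dest)` was unguarded before and a failure reached the caller. After a failed copy the archived file keeps the mode and owner it was created with, which may be looser than the source's, and the only trace is a debug message. I would narrow the helper to `except OSError as e:` and keep a more visible level, such as `self.log_info(...)`, for sources outside `/proc/` and `/sys/`. The enclosing function starts above this hunk.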
@@ -501,7 +500,7 @@ class FileCacheArchive(Archive):
 self.log_info("add_node: %s - mknod '%s'" % (msg, dest))
 return
 raise e
- shutil.copystat(path, dest)
+ self._copy_attributes(path, dest)
 
 def name_max(self):
 if 'PC_NAME_MAX' in os.pathconf_names:
diff --git a/tests/vendor_tests/redhat/rhbz1965001.py b/tests/vendor_tests/redhat/rhbz1965001.py
new file mode 100644
index 00000000..aa16ba81
--- /dev/null
+++ b/tests/vendor_tests/redhat/rhbz1965001.py
@@ -0,0 +1,39 @@
+# This file is part of the sos project: https://github.com/sosreport/sos
+#
+# This copyrighted material is made available to anyone wishing to use,
+# modify, copy, or redistribute it subject to the terms and conditions of
+# version 2 of the GNU General Public License.
+#
+# See the LICENSE file in the source distribution for further information.
+
+
+import tempfile
+import shutil
+from sos_tests import StageOneReportTest
+
+
+class rhbz1965001(StageOneReportTest):
+ """
+ Copying /proc/sys/vm/{compact_memory,drop_caches} must ignore SELinux
+ context, otherwise an attempt to set the context to files under some
+ directories like /tmp raises an AVC denial, and an ERROR
+ "Unable to add '...' to archive: [Errno 13] Permission denied: '...'
+ is raise.
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=1965001
+
+ :avocado: enable
+ :avocado: tags=stageone
+ """
+
+ sos_cmd = '-o system'
+ # it is crucial to run the test case with --tmp-dir=/tmp/... as that is
+ # (an example of) directory exhibiting the relabel permission deny.
+ # /var/tmp directory allows those relabels.
+ #
+ # the directory shouldn't exist at this moment, otherwise
+ # "check to prevent multiple setUp() runs" in sos_tests.py would fail
+ _tmpdir = '/tmp/rhbz1965001_avocado_test'
+
+ def test_no_permission_denied(self):
+ self.assertSosLogNotContains("Permission denied") |
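Review bot: `_tmpdir = '/tmp/rhbz1965001_avocado_test'` is a fixed name in a world-writable directory, and the comment above it says the run depends on that directory not existing beforehand. A leftover from an earlier run, or a directory created by another local user, would either break the test or have the report written under a path the test does not own. `tempfile` and `shutil` are imported but never used in this file; I would either use them for a per-run name under `/tmp` that is removed in teardown (if `sos_tests` allows it, which is not visible here) or drop the two imports. The docstring also has an unclosed quote before `Unable to add` and should end with `is raised.`.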