uutils coreutils mknod Utility SELinux Context Handling Vulnerability

Vulnerability

A vulnerability exists in the mknod utility of uutils coreutils, specifically in version 0.6.0, related to the management of security labels. The issue arises because the utility creates device nodes before applying the appropriate SELinux context. If the labeling process fails, mknod attempts to remove the incorrectly labeled node using a directory removal command that cannot handle device files or FIFOs. This flawed cleanup leaves behind device nodes with incorrect labels, potentially granting unauthorized access to nodes that should be protected by mandatory access controls.
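The cleanup failure described above can be observed without SELinux or root. The following Rust sketch is an added example, not code from uutils coreutils: it creates a FIFO, simulates a labeling failure, and compares a directory-removal cleanup with an unlink-based one. The names set_label, node_left_behind and Cleanup are hypothetical, std::fs::remove_dir is assumed as the stand-in for the directory removal call, and the system mkfifo command is assumed to be available.

```rust
use std::fs;
use std::io;
use std::path::Path;
use std::process::Command;

/// Which cleanup call runs after labeling fails (hypothetical names).
#[derive(Clone, Copy)]
pub enum Cleanup {
    RemoveDir,  // directory removal, the flawed cleanup the page describes
    RemoveFile, // unlink(2), which works for FIFOs and device nodes
}

/// Create a FIFO with the system mkfifo(1); FIFOs need no privileges,
/// unlike block or character devices.
fn make_fifo(path: &Path) -> io::Result<()> {
    let status = Command::new("mkfifo").arg("-m").arg("600").arg(path).status()?;
    if status.success() {
        Ok(())
    } else {
        Err(io::Error::new(io::ErrorKind::Other, "mkfifo failed"))
    }
}

/// Hypothetical stand-in for the SELinux labeling step: it always fails,
/// so the example behaves the same on hosts without SELinux.
fn set_label(_path: &Path) -> io::Result<()> {
    Err(io::Error::new(io::ErrorKind::PermissionDenied, "constructed labeling failure"))
}

/// Create the node, fail to label it, then run the chosen cleanup.
/// Returns true if the node is still present afterwards.
pub fn node_left_behind(name: &str, cleanup: Cleanup) -> io::Result<bool> {
    let path = std::env::temp_dir().join(format!("{}-{}", name, std::process::id()));
    let _ = fs::remove_file(&path); // clear leftovers from an earlier run
    make_fifo(&path)?;
    if set_label(&path).is_err() {
        let _ = match cleanup {
            Cleanup::RemoveDir => fs::remove_dir(&path), // fails with ENOTDIR
            Cleanup::RemoveFile => fs::remove_file(&path),
        };
    }
    let left = fs::symlink_metadata(&path).is_ok();
    let _ = fs::remove_file(&path); // tidy up the demo node
    Ok(left)
}

fn main() {
    println!("remove_dir cleanup leaves node: {}", node_left_behind("demo-rmdir", Cleanup::RemoveDir).unwrap());
    println!("remove_file cleanup leaves node: {}", node_left_behind("demo-unlink", Cleanup::RemoveFile).unwrap());
}
```

The same check is useful as a regression test: after any failed labeling path, assert that the target path no longer exists.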

Impact

Device nodes left behind with an incorrect SELinux label are not subject to the access controls intended for them, so processes may be able to interact with these nodes even though mandatory access control is in place.

Reproduction

To reproduce this vulnerability, use the mknod command to create a device node. If the SELinux context labeling fails, the utility will leave the node with a default context that could allow unauthorized access. This can be tested by creating a node that triggers a labeling failure, such as one that conflicts with current SELinux policies.

Remediation

Users can update to the latest version of uutils coreutils, where this issue has been addressed.

Added: Apr 22, 2026, 6:01 PM
Updated: Apr 22, 2026, 6:01 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 3.4
remediation: 0.0
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.