Fix parsing of /etc/selinux/semanage.conf in RHEL 9

resolves: rhbz#2077120
This commit is contained in:
Richard W.M. Jones 2022-10-06 12:41:11 +01:00
parent a479fbbcba
commit 9a9230ffa3
4 changed files with 159 additions and 3 deletions

View File

@ -1,7 +1,7 @@
From 08101c754aafab4d0f79367839bbd0d6012c31cf Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 2 Mar 2022 14:54:39 +0100
Subject: [PATCH 1/2] Chrony: add new directives and options (#745)
Subject: [PATCH 1/3] Chrony: add new directives and options (#745)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

View File

@ -1,7 +1,7 @@
From e0bce2e8c21ccc69729676e8dc6fa1e541aedee2 Mon Sep 17 00:00:00 2001
From: Laszlo Ersek <lersek@users.noreply.github.com>
Date: Wed, 20 Apr 2022 10:13:06 +0200
Subject: [PATCH 2/2] Kdump: parse "auto_reset_crashkernel" (#754)
Subject: [PATCH 2/3] Kdump: parse "auto_reset_crashkernel" (#754)
The "auto_reset_crashkernel" keyword was introduced in the following
kexec-tools patch set:

View File

@ -0,0 +1,148 @@
From aca3def462ab141c3991a2d27c44341b809cf970 Mon Sep 17 00:00:00 2001
From: rwmjones <rjones@redhat.com>
Date: Thu, 6 Oct 2022 12:15:56 +0100
Subject: [PATCH 3/3] semanage: Fix parsing of ignoredirs (#758)
From /etc/selinux/semanage.conf from a RHEL 9.1 system, this line
caused problems:
ignoredirs=/root;/bin;/boot;/dev;/etc [...]
Parse this as a list of modified Rx.fspath, generating a tree like:
/files/etc/selinux/semanage.conf/ignoredirs/1 = /root
/files/etc/selinux/semanage.conf/ignoredirs/2 = /bin
/files/etc/selinux/semanage.conf/ignoredirs/3 = /dev
/files/etc/selinux/semanage.conf/ignoredirs/4 = /etc
[...]
Also this adds the RHEL 9 file as another test case and adjusts the
output of the existing test case.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2077120
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
(cherry picked from commit a3ba6e2d32b95507e2474a219e788ac3d54bc4a1)
---
lenses/semanage.aug | 7 +++-
lenses/tests/test_semanage.aug | 4 +-
tests/root/etc/selinux/semanage.conf | 60 ++++++++++++++++++++++++++++
tests/xpath.tests | 1 +
4 files changed, 70 insertions(+), 2 deletions(-)
create mode 100644 tests/root/etc/selinux/semanage.conf
diff --git a/lenses/semanage.aug b/lenses/semanage.aug
index 46f93b32..edd97131 100644
--- a/lenses/semanage.aug
+++ b/lenses/semanage.aug
@@ -23,7 +23,12 @@ let sep = IniFile.sep "=" "="
let empty = IniFile.empty
let eol = IniFile.eol
-let entry = IniFile.entry IniFile.entry_re sep comment
+let list_keys = "ignoredirs"
+let scl = del ";" ";"
+let fspath = /[^ \t\n;#]+/ (* Rx.fspath without ; or # *)
+
+let entry = IniFile.entry_list list_keys sep fspath scl comment
+ | IniFile.entry (IniFile.entry_re - list_keys) sep comment
| empty
let title = IniFile.title_label "@group" (IniFile.record_re - /^end$/)
diff --git a/lenses/tests/test_semanage.aug b/lenses/tests/test_semanage.aug
index a6ceaca0..f76b95f3 100644
--- a/lenses/tests/test_semanage.aug
+++ b/lenses/tests/test_semanage.aug
@@ -68,7 +68,9 @@ test Semanage.lns get conf =
{ "usepasswd" = "False" }
{ "bzip-small" = "true" }
{ "bzip-blocksize" = "5" }
- { "ignoredirs" = "/root" }
+ { "ignoredirs"
+ { "1" = "/root" }
+ }
{ }
{ "@group" = "sefcontext_compile"
{ "path" = "/usr/sbin/sefcontext_compile" }
diff --git a/tests/root/etc/selinux/semanage.conf b/tests/root/etc/selinux/semanage.conf
new file mode 100644
index 00000000..406f16f1
--- /dev/null
+++ b/tests/root/etc/selinux/semanage.conf
@@ -0,0 +1,60 @@
+# Authors: Jason Tang <jtang@tresys.com>
+#
+# Copyright (C) 2004-2005 Tresys Technology, LLC
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#
+# Specify how libsemanage will interact with a SELinux policy manager.
+# The four options are:
+#
+# "source" - libsemanage manipulates a source SELinux policy
+# "direct" - libsemanage will write directly to a module store.
+# /foo/bar - Write by way of a policy management server, whose
+# named socket is at /foo/bar. The path must begin
+# with a '/'.
+# foo.com:4242 - Establish a TCP connection to a remote policy
+# management server at foo.com. If there is a colon
+# then the remainder is interpreted as a port number;
+# otherwise default to port 4242.
+module-store = direct
+
+# When generating the final linked and expanded policy, by default
+# semanage will set the policy version to POLICYDB_VERSION_MAX, as
+# given in <sepol/policydb.h>. Change this setting if a different
+# version is necessary.
+#policy-version = 19
+
+# expand-check check neverallow rules when executing all semanage
+# commands. There might be a penalty in execution time if this
+# option is enabled.
+expand-check=0
+
+# usepasswd check tells semanage to scan all pass word records for home directories
+# and setup the labeling correctly. If this is turned off, SELinux will label only /home
+# and home directories of users with SELinux login mappings defined, see
+# semanage login -l for the list of such users.
+# If you want to use a different home directory, you will need to use semanage fcontext command.
+# For example, if you had home dirs in /althome directory you would have to execute
+# semanage fcontext -a -e /home /althome
+usepasswd=False
+bzip-small=true
+bzip-blocksize=5
+ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var
+optimize-policy=true
+
+[sefcontext_compile]
+path = /usr/sbin/sefcontext_compile
+args = -r $@
+[end]
diff --git a/tests/xpath.tests b/tests/xpath.tests
index 4278e433..71c998b8 100644
--- a/tests/xpath.tests
+++ b/tests/xpath.tests
@@ -109,6 +109,7 @@ test descendant-or-self /files/descendant-or-self :: 4
/files/etc/ssh/ssh_config/Host/SendEnv[1]/4 = LC_TIME
/files/etc/ssh/ssh_config/Host/SendEnv[2]/4 = LC_TELEPHONE
/files/etc/aliases/4
+ /files/etc/selinux/semanage.conf/ignoredirs/4 = /dev
/files/etc/fstab/4
/files/etc/pam.d/login/4
/files/etc/pam.d/newrole/4
--
2.31.1

View File

@ -1,6 +1,6 @@
Name: augeas
Version: 1.13.0
Release: 2%{?dist}
Release: 3%{?dist}
Summary: A library for changing configuration files
License: LGPLv2+
@ -22,6 +22,10 @@ Patch1: 0001-Chrony-add-new-directives-and-options-745.patch
# Upstream commit 288a028da531a5f58d9ee89bc29fd73e7483bf24
Patch2: 0002-Kdump-parse-auto_reset_crashkernel-754.patch
# Fix parsing of /etc/selinux/semanage.conf in RHEL 9 (RHBZ#2077120).
# Upstream commit a3ba6e2d32b95507e2474a219e788ac3d54bc4a1
Patch3: 0003-semanage-Fix-parsing-of-ignoredirs-758.patch
Provides: bundled(gnulib)
BuildRequires: make
@ -138,6 +142,10 @@ rm -f $RPM_BUILD_ROOT/usr/bin/dump
%{_libdir}/libfa.a
%changelog
* Thu Oct 06 2022 Richard W.M. Jones <rjones@redhat.com> - 1.13.0-3
- Fix parsing of /etc/selinux/semanage.conf in RHEL 9
resolves: rhbz#2077120
* Wed Apr 20 2022 Richard W.M. Jones <rjones@redhat.com> - 1.13.0-2
- Parse auto_reset_crashkernel in kdump
resolves: rhbz#2042772