Use _fortify_level to disable fortification.
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
This commit is contained in:
parent
339f628c14
commit
da92657ed9
@ -0,0 +1,42 @@
|
|||||||
|
From 73218e291ca68a927965bdffa7d43d0fc62c2718 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||||
|
Date: Wed, 27 Jul 2022 17:14:25 +0200
|
||||||
|
Subject: [PATCH] selinux: prepare for anon inode controls enablement
|
||||||
|
|
||||||
|
We plan to start labeling anon inodes (userfaultfd and io_uring file
|
||||||
|
descriptors) properly in selinux-policy, which means that domains using
|
||||||
|
these will need new rules.
|
||||||
|
|
||||||
|
See: https://github.com/fedora-selinux/selinux-policy/pull/1351
|
||||||
|
|
||||||
|
Since ceph may optionally use io_uring, this patch adds the necessary
|
||||||
|
interface call to its policy to avoid a regression. As the new interface
|
||||||
|
call is put under a conditional, the policy package will be buildable
|
||||||
|
against selinux-policy with or without the above PR merged, but it will
|
||||||
|
need to be rebuilt against the updated selinux-policy to actually pick
|
||||||
|
up the new rules.
|
||||||
|
|
||||||
|
I tested this on a minimal ceph cluster with 'bdev_ioring = true' added
|
||||||
|
to ceph.conf. I got io_uring denials without this patch + with
|
||||||
|
selinux-policy with PR#1351 and no denials with ceph rebuilt with this
|
||||||
|
patch.
|
||||||
|
|
||||||
|
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||||
|
---
|
||||||
|
selinux/ceph.te | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/selinux/ceph.te b/selinux/ceph.te
|
||||||
|
index 77d35d9714b60..729bce1fc8589 100644
|
||||||
|
--- a/selinux/ceph.te
|
||||||
|
+++ b/selinux/ceph.te
|
||||||
|
@@ -75,6 +75,9 @@ manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
|
||||||
|
|
||||||
|
kernel_read_system_state(ceph_t)
|
||||||
|
kernel_read_network_state(ceph_t)
|
||||||
|
+ifdef(`kernel_io_uring_use',`
|
||||||
|
+ kernel_io_uring_use(ceph_t)
|
||||||
|
+')
|
||||||
|
allow ceph_t kernel_t:system module_request;
|
||||||
|
|
||||||
|
corenet_all_recvfrom_unlabeled(ceph_t)
|
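--- a/ceph.spec
+++ b/ceph.spec
@@ -162,7 +162,7 @@
 #################################################################################
 Name: ceph
 Version: 17.2.5
-Release: 5%{?dist}
+Release: 6%{?dist}
 %if 0%{?fedora} || 0%{?rhel}
 Epoch: 2
 %endif
@@ -193,6 +193,7 @@ Patch0019: 0019-cmake-modules-CheckCxxAtomic.cmake.patch
 Patch0020: 0020-src-arrow-cpp-cmake_modules-ThirdpartyToolchain.cmake.patch
 Patch0023: 0023-src-s3select-include-s3select_parquet_intrf.h.patch
 Patch0024: 0024-gcc-13.patch
+Patch0025: 0025-selinux-prepare-for-anon-inode-controls-enablement.patch
 # ceph 14.0.1 does not support 32-bit architectures, bugs #1727788, #1727787
 ExcludeArch: i686 armv7hl
 %if 0%{?suse_version}
@@ -1347,10 +1348,7 @@ export CXXFLAGS="$RPM_OPT_FLAGS -DFMT_DEPRECATED_OSTREAM"
 
 %if 0%{with seastar}
 # seastar uses longjmp() to implement coroutine. and this annoys longjmp_chk()
-export CXXFLAGS=$(echo $RPM_OPT_FLAGS | sed -e 's/-Wp,-D_FORTIFY_SOURCE=2//g')
-# remove from CFLAGS too because it causes the arrow submodule to fail with:
-# warning _FORTIFY_SOURCE requires compiling with optimization (-O)
-export CFLAGS=$(echo $RPM_OPT_FLAGS | sed -e 's/-Wp,-D_FORTIFY_SOURCE=2//g')
+%undefine _fortify_level
 %endif
 
 env | sort
@@ -2625,6 +2623,12 @@ exit 0
 %config %{_sysconfdir}/prometheus/ceph/ceph_default_alerts.yml
 
 %changelog
+* Fri Jan 20 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 2:17.2.5-6
+- Use _fortify_level to disable fortification.
+
+* Thu Jan 19 2023 Ondrej Mosnacek <omosnace@redhat.com>
+- Prepare for anon inode SELinux controls enablement
+
 * Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2:17.2.5-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 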
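Review bot: The new `%undefine _fortify_level` in the seastar hunk switches _FORTIFY_SOURCE off for every object compiled in the package, not only the seastar coroutine code that trips longjmp_chk(), and the removed lines were the only place that documented the CFLAGS side (the arrow "-O" warning); the new line carries no comment at all. I would keep a why-comment on it, e.g. `# seastar's longjmp() coroutines trip longjmp_chk(); undefining _fortify_level drops _FORTIFY_SOURCE (and the fortified libc wrappers) from both CFLAGS and CXXFLAGS for the whole package`. The replacement also presumably relies on the distribution's compiler-flag macros honouring `_fortify_level`; on a distribution that injects the fortify define into optflags some other way, the stripping the old sed lines performed no longer happens, which is worth confirming given the spec's `%if 0%{?suse_version}` branches. In the changelog hunk, the `* Thu Jan 19 2023` entry omits the EVR suffix (`- 2:17.2.5-6`) that the neighbouring entries carry. The surrounding %build scriptlet continues outside the hunk.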