rpms/libdnf
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Do not set a default SELinux creation context if SELinux appears to be disabled

Browse Source 
Resolves: RHEL-43232
This commit is contained in:
Petr Písař 2024-06-21 13:18:26 +02:00
parent b85a2c5ea2
commit 58d2db3e7d
2 changed files with 99 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
0016-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch Normal file
View File

@ -0,0 +1,93 @@
From d264065ec0d574b70bf376d5ee3777d7cc03030f Mon Sep 17 00:00:00 2001
From: Colin Walters <walters@verbum.org>
Date: Tue, 4 Jun 2024 06:57:19 -0400
Subject: [PATCH] repo: Don't try to perform labeling if SELinux is disabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default for container execution is that `/sys/fs/selinux`
is not mounted, and the libselinux library function `is_selinux_enabled`
should be used to dynamically check if the system should attempt to perform SELinux labeling.
This is how it's done by rpm, ostree, and systemd for example.
But this code unconditionally tries to label if it finds a policy,
which breaks in an obscure corner case
when executed inside a container that includes policy files (e.g.
fedora/rhel-bootc) but when we're not using overlayfs for the backend
(with BUILDAH_BACKEND=vfs).
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
libdnf/repo/Repo.cpp | 50 +++++++++++++++++++++++---------------------
1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/libdnf/repo/Repo.cpp b/libdnf/repo/Repo.cpp
index 16f15195..10b88813 100644
--- a/libdnf/repo/Repo.cpp
+++ b/libdnf/repo/Repo.cpp
@@ -679,34 +679,36 @@ static int create_temporary_directory(char *name_template) {
int old_default_context_was_retrieved = 0;
struct selabel_handle *labeling_handle = NULL;
- /* A purpose of this piece of code is to deal with applications whose
- * security policy overrides a file context for temporary files but don't
- * know that libdnf executes GnuPG which expects a default file context. */
- if (0 == getfscreatecon(&old_default_context)) {
- old_default_context_was_retrieved = 1;
- } else {
- logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
- }
+ if (is_selinux_enabled()) {
+ /* A purpose of this piece of code is to deal with applications whose
+ * security policy overrides a file context for temporary files but don't
+ * know that libdnf executes GnuPG which expects a default file context. */
+ if (0 == getfscreatecon(&old_default_context)) {
+ old_default_context_was_retrieved = 1;
+ } else {
+ logger->debug(tfm::format("Failed to retrieve a default SELinux context"));
+ }
- labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- if (NULL == labeling_handle) {
- logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
- strerror(errno)));
- } else {
- if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
- /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
- * that value should be really defined in default file context
- * SELinux policy. Only log that the policy is incpomplete. */
- logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
- name_template));
+ labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ if (NULL == labeling_handle) {
+ logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s",
+ strerror(errno)));
} else {
- if (setfscreatecon(new_default_context)) {
- logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
- new_default_context));
+ if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) {
+ /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
+ * that value should be really defined in default file context
+ * SELinux policy. Only log that the policy is incpomplete. */
+ logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"",
+ name_template));
+ } else {
+ if (setfscreatecon(new_default_context)) {
+ logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"",
+ new_default_context));
+ }
+ freecon(new_default_context);
}
- freecon(new_default_context);
+ selabel_close(labeling_handle);
}
- selabel_close(labeling_handle);
}
#endif
--
2.45.2

7
libdnf.spec
View File

@ -58,7 +58,7 @@
Name: libdnf Name: libdnf
Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version} Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version}
Release: 11%{?dist} Release: 12%{?dist}
Summary: Library providing simplified C and Python API to libsolv Summary: Library providing simplified C and Python API to libsolv
License: LGPLv2+ License: LGPLv2+
URL: https://github.com/rpm-software-management/libdnf URL: https://github.com/rpm-software-management/libdnf
@ -78,6 +78,7 @@ Patch12: 0012-MergedTransaction-Calculate-RPM-difference-between-t.patch
Patch13: 0013-MergedTransaction-Fix-invalid-memory-access-when-dro.patch Patch13: 0013-MergedTransaction-Fix-invalid-memory-access-when-dro.patch
Patch14: 0014-context-use-rpmtsAddReinstallElement-when-doing-a-re.patch Patch14: 0014-context-use-rpmtsAddReinstallElement-when-doing-a-re.patch
Patch15: 0015-Since-we-use-rpmtsAddReinstallElement-rpm-also-unins.patch Patch15: 0015-Since-we-use-rpmtsAddReinstallElement-rpm-also-unins.patch
Patch16: 0016-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch
BuildRequires: cmake BuildRequires: cmake
@ -327,6 +328,10 @@ popd
%endif %endif
%changelog %changelog
* Fri Jun 21 2024 Petr Pisar <ppisar@redhat.com> - 0.69.0-12
- Do not set a default SELinux creation context if SELinux appears to be
disabled (RHEL-43232)
* Thu May 16 2024 Petr Pisar <ppisar@redhat.com> - 0.69.0-11 * Thu May 16 2024 Petr Pisar <ppisar@redhat.com> - 0.69.0-11
- Fix reinstalling packages which conflicts with themselves in - Fix reinstalling packages which conflicts with themselves in
dnf_transaction_commit() (RHEL-1454) dnf_transaction_commit() (RHEL-1454)