Set default SELinux labels on GnuPG directories
Resolves: RHEL-10720
This commit is contained in:
parent
25c438cbaf
commit
dc58d5532f
226
0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
Normal file
226
0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
Normal file
@ -0,0 +1,226 @@
|
||||
From 08f02ded6de50949fa4ba650fa562643278e5093 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
||||
Date: Thu, 12 Oct 2023 15:55:43 +0200
|
||||
Subject: [PATCH] PGP: Set a default creation SELinux labels on GnuPG
|
||||
directories
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
This is another way how to fix mismatching SELinux context on
|
||||
/run/user directories without moving the directories to
|
||||
/run/gnupg/user.
|
||||
|
||||
librepo used to precreate the directory in /run/user to make sure
|
||||
a GnuPG agent executed by GPGME library places its socket there.
|
||||
|
||||
The directories there are normally created and removed by systemd
|
||||
(logind PAM session). librepo created them for a case when a package
|
||||
manager is invoked out of systemd session, before the super user logs
|
||||
in. E.g. by a timer job to cache repository metadata.
|
||||
|
||||
A problem was when this out-of-session process was a SELinux-confined
|
||||
process creating files with its own SELinux label different from a DNF
|
||||
program. Then the directory was created with a SELinux label different
|
||||
from the one expected by systemd and when logging out a corresponding
|
||||
user, the mismatching label clashed with systemd.
|
||||
|
||||
This patch fixes the issue by choosing a SELinux label of those
|
||||
directories to the label defined in a default SELinux file context
|
||||
database.
|
||||
|
||||
This patch adds a new -DENABLE_SELINUX=OFF CMake option to disable the
|
||||
new dependency on libselinux. A default behavior is to support SELinux
|
||||
only if GPGME backend is selected with -DUSE_GPGME=ON.
|
||||
|
||||
https://issues.redhat.com/browse/RHEL-10720
|
||||
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
||||
---
|
||||
CMakeLists.txt | 8 ++++++
|
||||
librepo.spec | 9 +++++-
|
||||
librepo/CMakeLists.txt | 4 +++
|
||||
librepo/gpg.c | 64 ++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 84 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index b4007e3..1a107bc 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -5,6 +5,7 @@ OPTION (ENABLE_TESTS "Build test?" ON)
|
||||
OPTION (ENABLE_DOCS "Build docs?" ON)
|
||||
OPTION (WITH_ZCHUNK "Build with zchunk support" ON)
|
||||
OPTION (ENABLE_PYTHON "Build Python bindings" ON)
|
||||
+OPTION (ENABLE_SELINUX "Restore SELinux labels on GnuPG directories" ON)
|
||||
|
||||
INCLUDE (${CMAKE_SOURCE_DIR}/VERSION.cmake)
|
||||
SET (VERSION "${LIBREPO_MAJOR}.${LIBREPO_MINOR}.${LIBREPO_PATCH}")
|
||||
@@ -33,6 +34,9 @@ PKG_SEARCH_MODULE(LIBCRYPTO REQUIRED libcrypto openssl)
|
||||
PKG_CHECK_MODULES(LIBXML2 libxml-2.0 REQUIRED)
|
||||
FIND_PACKAGE(CURL 7.52.0 REQUIRED)
|
||||
FIND_PACKAGE(Gpgme REQUIRED)
|
||||
+IF (ENABLE_SELINUX)
|
||||
+ PKG_CHECK_MODULES(SELINUX REQUIRED libselinux)
|
||||
+ENDIF(ENABLE_SELINUX)
|
||||
|
||||
|
||||
IF (WITH_ZCHUNK)
|
||||
@@ -63,6 +67,10 @@ ENDIF (NOT CURL_FOUND)
|
||||
INCLUDE_DIRECTORIES(${LIBXML2_INCLUDE_DIRS})
|
||||
INCLUDE_DIRECTORIES(${CURL_INCLUDE_DIR})
|
||||
#INCLUDE_DIRECTORIES(${CHECK_INCLUDE_DIR})
|
||||
+IF (ENABLE_SELINUX)
|
||||
+ INCLUDE_DIRECTORIES(${SELINUX_INCLUDE_DIRS})
|
||||
+ ADD_DEFINITIONS(-DENABLE_SELINUX=1)
|
||||
+ENDIF (ENABLE_SELINUX)
|
||||
|
||||
include (GNUInstallDirs)
|
||||
# Python stuff
|
||||
diff --git a/librepo.spec b/librepo.spec
|
||||
index 88d6d6d..ae87425 100644
|
||||
--- a/librepo.spec
|
||||
+++ b/librepo.spec
|
||||
@@ -8,6 +8,8 @@
|
||||
%bcond_without zchunk
|
||||
%endif
|
||||
|
||||
+%bcond_without selinux
|
||||
+
|
||||
%global dnf_conflict 2.8.8
|
||||
|
||||
Name: librepo
|
||||
@@ -29,6 +31,9 @@ BuildRequires: libattr-devel
|
||||
BuildRequires: libcurl-devel >= %{libcurl_version}
|
||||
BuildRequires: pkgconfig(libxml-2.0)
|
||||
BuildRequires: pkgconfig(libcrypto)
|
||||
+%if %{with selinux}
|
||||
+BuildRequires: pkgconfig(libselinux)
|
||||
+%endif
|
||||
BuildRequires: pkgconfig(openssl)
|
||||
%if %{with zchunk}
|
||||
BuildRequires: pkgconfig(zck) >= 0.9.11
|
||||
@@ -66,7 +71,9 @@ Python 3 bindings for the librepo library.
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
-%cmake %{!?with_zchunk:-DWITH_ZCHUNK=OFF}
|
||||
+%cmake \
|
||||
+ %{!?with_zchunk:-DWITH_ZCHUNK=OFF} \
|
||||
+ -DENABLE_SELINUX=%{?with_selinux:ON}%{!?with_selinux:OFF}
|
||||
%cmake_build
|
||||
|
||||
%check
|
||||
diff --git a/librepo/CMakeLists.txt b/librepo/CMakeLists.txt
|
||||
index 4f00a5e..e759692 100644
|
||||
--- a/librepo/CMakeLists.txt
|
||||
+++ b/librepo/CMakeLists.txt
|
||||
@@ -53,6 +53,10 @@ TARGET_LINK_LIBRARIES(librepo
|
||||
${GPGME_VANILLA_LIBRARIES}
|
||||
${GLIB2_LIBRARIES}
|
||||
)
|
||||
+IF (ENABLE_SELINUX)
|
||||
+ TARGET_LINK_LIBRARIES(librepo ${SELINUX_LIBRARIES})
|
||||
+ENDIF(ENABLE_SELINUX)
|
||||
+
|
||||
IF (WITH_ZCHUNK)
|
||||
TARGET_LINK_LIBRARIES(librepo ${ZCHUNKLIB_LIBRARIES})
|
||||
ENDIF (WITH_ZCHUNK)
|
||||
diff --git a/librepo/gpg.c b/librepo/gpg.c
|
||||
index a134d44..e4b6589 100644
|
||||
--- a/librepo/gpg.c
|
||||
+++ b/librepo/gpg.c
|
||||
@@ -28,6 +28,11 @@
|
||||
#include <gpgme.h>
|
||||
#include <unistd.h>
|
||||
|
||||
+#if ENABLE_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/label.h>
|
||||
+#endif
|
||||
+
|
||||
#include "rcodes.h"
|
||||
#include "util.h"
|
||||
#include "gpg.h"
|
||||
@@ -44,6 +49,14 @@
|
||||
* Previous solution was to send the agent a "KILLAGENT" message, but that
|
||||
* would cause a race condition with calling gpgme_release(), see [2], [3].
|
||||
*
|
||||
+ * Current solution with precreating /run/user/$UID showed problematic when
|
||||
+ * this library was used out of an systemd-logind session. Then
|
||||
+ * /run/user/$UID, normally maintained by systemd, was assigned a SELinux
|
||||
+ * label unexpected by systemd causing errors on a user logout [4].
|
||||
+ *
|
||||
+ * We remedy it by choosing the label according to a default file context
|
||||
+ * policy (ENABLE_SELINUX macro).
|
||||
+ *
|
||||
* Since the agent doesn't clean up its sockets properly, by creating this
|
||||
* directory we make sure they are in a place that is not causing trouble with
|
||||
* container images.
|
||||
@@ -51,14 +64,65 @@
|
||||
* [1] https://bugzilla.redhat.com/show_bug.cgi?id=1650266
|
||||
* [2] https://bugzilla.redhat.com/show_bug.cgi?id=1769831
|
||||
* [3] https://github.com/rpm-software-management/microdnf/issues/50
|
||||
+ * [4] https://issues.redhat.com/browse/RHEL-10720
|
||||
*/
|
||||
void ensure_socket_dir_exists() {
|
||||
char dirname[32];
|
||||
+#if ENABLE_SELINUX
|
||||
+ char *old_default_context = NULL;
|
||||
+ int old_default_context_was_retrieved = 0;
|
||||
+ struct selabel_handle *labeling_handle = NULL;
|
||||
+
|
||||
+ /* A purpose of this piece of code is to deal with applications whose
|
||||
+ * security policy overrides a file context for temporary files but don't
|
||||
+ * know that librepo executes GnuPG which expects a default file context. */
|
||||
+ if (0 == getfscreatecon(&old_default_context)) {
|
||||
+ old_default_context_was_retrieved = 1;
|
||||
+ } else {
|
||||
+ g_debug("Failed to retrieve a default SELinux context");
|
||||
+ }
|
||||
+ labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
+ if (labeling_handle == NULL) {
|
||||
+ g_debug("Failed to open a SELinux labeling handle: %s", strerror(errno));
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
snprintf(dirname, sizeof(dirname), "/run/user/%u", getuid());
|
||||
+
|
||||
+#if ENABLE_SELINUX
|
||||
+ if (labeling_handle != NULL) {
|
||||
+ char *new_default_context = NULL;
|
||||
+ if (selabel_lookup(labeling_handle, &new_default_context, dirname, 0700)) {
|
||||
+ /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but
|
||||
+ * that value should be really defined in default file context
|
||||
+ * SELinux policy. Only log that the policy is incomplete. */
|
||||
+ g_debug("Failed to look up a default SELinux label for \"%s\"", dirname);
|
||||
+ } else {
|
||||
+ if (setfscreatecon(new_default_context)) {
|
||||
+ g_debug("Failed to set default SELinux context to \"%s\"",
|
||||
+ new_default_context);
|
||||
+ }
|
||||
+ freecon(new_default_context);
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
int res = mkdir(dirname, 0700);
|
||||
if (res != 0 && errno != EEXIST) {
|
||||
g_debug("Failed to create \"%s\": %d - %s\n", dirname, errno, strerror(errno));
|
||||
}
|
||||
+
|
||||
+#if ENABLE_SELINUX
|
||||
+ if (labeling_handle != NULL) {
|
||||
+ selabel_close(labeling_handle);
|
||||
+ }
|
||||
+ if (old_default_context_was_retrieved) {
|
||||
+ if (setfscreatecon(old_default_context)) {
|
||||
+ g_debug("Failed to restore a default SELinux context");
|
||||
+ }
|
||||
+ }
|
||||
+ freecon(old_default_context);
|
||||
+#endif
|
||||
}
|
||||
|
||||
gboolean
|
||||
--
|
||||
2.41.0
|
||||
|
15
librepo.spec
15
librepo.spec
@ -8,11 +8,13 @@
|
||||
%bcond_without zchunk
|
||||
%endif
|
||||
|
||||
%bcond_without selinux
|
||||
|
||||
%global dnf_conflict 2.8.8
|
||||
|
||||
Name: librepo
|
||||
Version: 1.14.2
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Summary: Repodata downloading library
|
||||
|
||||
License: LGPLv2+
|
||||
@ -25,6 +27,7 @@ Patch0003: 0003-More-covscan-fixes.patch
|
||||
Patch0004: 0004-Use-g_strdup_vprintf-instead-of-manually-calculating.patch
|
||||
Patch0005: 0005-Use-g_list_free_full-to-free-LRMetadataTarget-err.patch
|
||||
Patch0006: 0006-Detailed-error-message-when-using-non-existing-TMPDI.patch
|
||||
Patch0007: 0007-PGP-Set-a-default-creation-SELinux-labels-on-GnuPG-d.patch
|
||||
|
||||
BuildRequires: cmake
|
||||
BuildRequires: gcc
|
||||
@ -36,6 +39,9 @@ BuildRequires: libattr-devel
|
||||
BuildRequires: libcurl-devel >= %{libcurl_version}
|
||||
BuildRequires: pkgconfig(libxml-2.0)
|
||||
BuildRequires: pkgconfig(libcrypto)
|
||||
%if %{with selinux}
|
||||
BuildRequires: pkgconfig(libselinux)
|
||||
%endif
|
||||
BuildRequires: pkgconfig(openssl)
|
||||
%if %{with zchunk}
|
||||
BuildRequires: pkgconfig(zck) >= 0.9.11
|
||||
@ -73,7 +79,9 @@ Python 3 bindings for the librepo library.
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
%cmake %{!?with_zchunk:-DWITH_ZCHUNK=OFF}
|
||||
%cmake \
|
||||
%{!?with_zchunk:-DWITH_ZCHUNK=OFF} \
|
||||
-DENABLE_SELINUX=%{?with_selinux:ON}%{!?with_selinux:OFF}
|
||||
%cmake_build
|
||||
|
||||
%check
|
||||
@ -103,6 +111,9 @@ Python 3 bindings for the librepo library.
|
||||
%{python3_sitearch}/%{name}/
|
||||
|
||||
%changelog
|
||||
* Thu Oct 12 2023 Petr Pisar <ppisar@redhat.com> - 1.14.2-5
|
||||
- Set default SELinux labels on GnuPG directories (RHEL-10720)
|
||||
|
||||
* Mon Sep 12 2022 Lukas Hrazky <lhrazky@redhat.com> - 1.14.2-4
|
||||
- Fix termination of va_list in lr_metadatatarget_append_error()
|
||||
- Detailed error message when using non-existing TMPDIR
|
||||
|
Loading…
Reference in New Issue
Block a user