From fd198b3dc4b5c31aee86922696df744523c2e789 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Wed, 30 Sep 2015 17:09:02 +0200
Subject: [PATCH] libselinux-2.4-4
- Flush the class/perm string mapping cache on policy reload (#1264051)
- Fix restorecon when path has no context
---
libselinux-rhat.patch | 131 ++++++++++++++++++++++++++++++++++++++++--
libselinux.spec | 8 ++-
2 files changed, 133 insertions(+), 6 deletions(-)
diff --git a/libselinux-rhat.patch b/libselinux-rhat.patch
index d8c8ffe..afbed40 100644
--- a/libselinux-rhat.patch
+++ b/libselinux-rhat.patch
@@ -755,6 +755,67 @@ index 7cf3139..364a746 100644
 if (!selinux_mnt) {
 errno = ENOENT;
 return -1;
+diff --git libselinux-2.4/src/checkAccess.c libselinux-2.4/src/checkAccess.c
+index ee85ebc..8de5747 100644
+--- libselinux-2.4/src/checkAccess.c
++++ libselinux-2.4/src/checkAccess.c
+@@ -8,10 +8,28 @@
+ #include "avc_internal.h"
+ 
+ static pthread_once_t once = PTHREAD_ONCE_INIT;
++static int selinux_enabled;
++
++static int avc_reset_callback(uint32_t event __attribute__((unused)),
++ security_id_t ssid __attribute__((unused)),
++ security_id_t tsid __attribute__((unused)),
++ security_class_t tclass __attribute__((unused)),
++ access_vector_t perms __attribute__((unused)),
++ access_vector_t *out_retained __attribute__((unused)))
++{
++ flush_class_cache();
++ return 0;
++}
+ 
+ static void avc_init_once(void)
+ {
+- avc_open(NULL, 0);
++ selinux_enabled = is_selinux_enabled();
++ if (selinux_enabled == 1) {
++ if (avc_open(NULL, 0))
++ return;
++ avc_add_callback(avc_reset_callback, AVC_CALLBACK_RESET,
++ 0, 0, 0, 0);
++ }
+ }
+ 
+ int selinux_check_access(const char *scon, const char *tcon, const char *class, const char *perm, void *aux) {
+@@ -21,18 +39,20 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
+ security_class_t sclass;
+ access_vector_t av;
+ 
+- if (is_selinux_enabled() == 0)
+- return 0;
+-
+ __selinux_once(once, avc_init_once);
+ 
++ if (selinux_enabled != 1)
++ return 0;
++
+ rc = avc_context_to_sid(scon, &scon_id);
+ if (rc < 0)
+ return rc;
+ 
+- rc = avc_context_to_sid(tcon, &tcon_id);
+- if (rc < 0)
+- return rc;
++ rc = avc_context_to_sid(tcon, &tcon_id);
++ if (rc < 0)
++ return rc;
++
++ (void) avc_netlink_check_nb();
+ 
+ sclass = string_to_security_class(class);
+ if (sclass == 0) {
 diff --git libselinux-2.4/src/check_context.c libselinux-2.4/src/check_context.c
 index 52063fa..234749c 100644
 --- libselinux-2.4/src/check_context.c
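Review bot: In `avc_init_once`, a failed `avc_open(NULL, 0)` returns with `selinux_enabled` still 1 and the once-guard already consumed, so every later `selinux_check_access` call passes the `selinux_enabled != 1` test and proceeds to `avc_context_to_sid`, `avc_netlink_check_nb` and (beyond this hunk) the AVC query against a cache that was never set up, with no way to retry. Recording the failure in the same flag keeps the fast path cheap: `if (avc_open(NULL, 0)) { selinux_enabled = -1; return; }` in avc_init_once, and in selinux_check_access `if (selinux_enabled == 0) return 0;` followed by `if (selinux_enabled < 0) { errno = EINVAL; return -1; }` (or whichever errno the project prefers) so callers fail closed rather than consult an uninitialised AVC. The return value of `avc_add_callback` is likewise dropped; if registration fails the class cache silently stops being flushed on reload, which is exactly the bug this change fixes, so it deserves the same treatment. `selinux_check_access` continues past the end of the hunk.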
@@ -1272,7 +1333,7 @@ index 30e9dc7..bec5f3b 100644
 {
 return get_path(SYSTEMD_CONTEXTS);
 diff --git libselinux-2.4/src/selinux_internal.h libselinux-2.4/src/selinux_internal.h
-index afb2170..9b1ca4d 100644
+index afb2170..16b5cdb 100644
 --- libselinux-2.4/src/selinux_internal.h
 +++ libselinux-2.4/src/selinux_internal.h
 @@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy)
@@ -1283,7 +1344,16 @@ index afb2170..9b1ca4d 100644
 hidden_proto(selinux_sepgsql_context_path)
 hidden_proto(selinux_systemd_contexts_path)
 hidden_proto(selinux_path)
-@@ -137,3 +138,8 @@ extern int selinux_page_size hidden;
+@@ -101,6 +102,8 @@ hidden_proto(security_get_initial_context);
+ hidden_proto(security_get_initial_context_raw);
+ hidden_proto(selinux_reset_config);
+ 
++hidden void flush_class_cache(void);
++
+ extern int load_setlocaldefs hidden;
+ extern int require_seusers hidden;
+ extern int selinux_page_size hidden;
+@@ -137,3 +140,8 @@ extern int selinux_page_size hidden;
 if (pthread_setspecific != NULL) \
 pthread_setspecific(KEY, VALUE); \
 } while (0)
@@ -1293,10 +1363,30 @@ index afb2170..9b1ca4d 100644
 +
 +extern int has_selinux_config hidden;
 diff --git libselinux-2.4/src/selinuxswig_python.i libselinux-2.4/src/selinuxswig_python.i
-index ae72246..c9a2341 100644
+index ae72246..8cea18d 100644
 --- libselinux-2.4/src/selinuxswig_python.i
 +++ libselinux-2.4/src/selinuxswig_python.i
-@@ -31,9 +31,9 @@ def restorecon(path, recursive=False):
+@@ -8,7 +8,7 @@
+ 
+ %pythoncode %{
+ 
+-import shutil, os, stat
++import shutil, os, errno, stat
+ 
+ DISABLED = -1
+ PERMISSIVE = 0
+@@ -26,14 +26,19 @@ def restorecon(path, recursive=False):
+ status, context = matchpathcon(path, mode)
+ 
+ if status == 0:
+- status, oldcontext = lgetfilecon(path)
++ try:
++ status, oldcontext = lgetfilecon(path)
++ except OSError as e:
++ if e.errno != errno.ENODATA:
++ raise
++ oldcontext = None
+ if context != oldcontext:
 lsetfilecon(path, context)
  
 if recursive:
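Review bot: The new `except OSError` in `restorecon` treats only `errno.ENODATA` as "no label yet"; on a filesystem that does not support security xattrs `lgetfilecon` fails with ENOTSUP instead, an errno that a context line in the next hunk shows being special-cased elsewhere in this same patch, and here it still escapes as a traceback. Whether ENOTSUP should be tolerated the same way is a judgement call, since the following `lsetfilecon` would presumably fail for the same reason, but the choice deserves a comment on the `except` line, e.g. `# ENODATA: no security.selinux xattr yet; treat as unlabelled so lsetfilecon sets it`. Note also that `status` keeps matchpathcon's value on the except path, harmless today because nothing reads it afterwards, but worth a word so the next edit does not rely on it. The body of `restorecon` continues outside the hunk.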
@@ -1328,6 +1418,39 @@ index d05969c..3f0200e 100644
 if (rc < 0 && errno == ENOTSUP) {
 char * ccontext = NULL;
 int err = errno;
+diff --git libselinux-2.4/src/stringrep.c libselinux-2.4/src/stringrep.c
+index 9ae8248..2dbec2b 100644
+--- libselinux-2.4/src/stringrep.c
++++ libselinux-2.4/src/stringrep.c
+@@ -158,6 +158,28 @@ err1:
+ return NULL;
+ }
+ 
++hidden void flush_class_cache(void)
++{
++ struct discover_class_node *cur = discover_class_cache, *prev = NULL;
++ size_t i;
++
++ while (cur != NULL) {
++ free(cur->name);
++
++ for (i = 0; i < MAXVECTORS; i++)
++ free(cur->perms[i]);
++
++ free(cur->perms);
++
++ prev = cur;
++ cur = cur->next;
++
++ free(prev);
++ }
++
++ discover_class_cache = NULL;
++}
++
+ security_class_t string_to_security_class(const char *s)
+ {
+ struct discover_class_node *node;
 diff --git libselinux-2.4/utils/Makefile libselinux-2.4/utils/Makefile
 index f469924..5499538 100644
 --- libselinux-2.4/utils/Makefile
diff --git a/libselinux.spec b/libselinux.spec
index 36b9d48..430bf97 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -9,7 +9,7 @@ Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -18,7 +18,7 @@ Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
-# HEAD https://github.com/fedora-selinux/selinux/commit/36fd8bb4b36bb1ca3aa10e3226136459e6ed2498
+# HEAD https://github.com/fedora-selinux/selinux/commit/8c09d34e464e79a602fb9c9408554279aede3b6b
 Patch1: libselinux-rhat.patch
 BuildRequires: pkgconfig python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
 %if 0%{?with_python3}
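Review bot: `flush_class_cache` frees every node and resets `discover_class_cache` with no synchronisation, yet it is installed (in checkAccess.c earlier in this patch) as an AVC reset callback that fires from `avc_netlink_check_nb`, which any thread calling `selinux_check_access` now invokes right before `string_to_security_class`. If the lookup code below the hunk walks `discover_class_cache` without a lock, as it appears to (confirm against the unchanged `string_to_security_class` body), a thread in the middle of that walk can touch a node another thread has just freed, a use-after-free triggered by nothing more than a policy reload. Either take one lock around both the walk/insert path and this flush, or at minimum state the constraint above the function: `/* Not thread-safe: must not run concurrently with string_to_security_class / security_class_to_string, which walk this list unlocked. */`. The `for (i = 0; i < MAXVECTORS; i++) free(cur->perms[i]);` loop also assumes every node's `perms` has MAXVECTORS allocated slots; nothing here checks that, so a one-line comment tying it to the allocation in discover_class would help the next reader. `string_to_security_class` begins at the end of the hunk and continues outside it.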
@@ -247,6 +247,10 @@ rm -rf %{buildroot}
 %{ruby_vendorarchdir}/selinux.so
 %changelog
+* Wed Sep 30 2015 Petr Lautrbach 2.4-4
+- Flush the class/perm string mapping cache on policy reload (#1264051)
+- Fix restorecon when path has no context
+
 * Wed Sep 02 2015 Petr Lautrbach 2.4-3
 - Simplify procattr cache (#1257157,#1232371)