diff --git a/SOURCES/0003-libsemanage-Preserve-file-context-and-ownership-in-p.patch b/SOURCES/0003-libsemanage-Preserve-file-context-and-ownership-in-p.patch new file mode 100644 index 0000000..ce66018 --- /dev/null +++ b/SOURCES/0003-libsemanage-Preserve-file-context-and-ownership-in-p.patch 
@@ -0,0 +1,146 @@ +From d238e71d979dce51afed11b9b8af0898be5daafe Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 29 Jul 2024 13:26:45 +0200 +Subject: [PATCH] libsemanage: Preserve file context and ownership in policy + store + +Make sure that file context (all parts) and ownership of +files/directories in policy store does not change no matter which user +and under which context executes policy rebuild. + +Fixes: + # semodule -B + # ls -lZ /etc/selinux/targeted/contexts/files + +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 14704 Jul 11 09:57 file_contexts.homedirs +-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 20289 Jul 11 09:57 file_contexts.homedirs.bin + + SELinux user changed from system_u to the user used to execute semodule + + # capsh --user=testuser --caps="cap_dac_override,cap_chown+eip" --addamb=cap_dac_override,cap_chown -- -c "semodule -B" + # ls -lZ /etc/selinux/targeted/contexts/files + +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 421397 Jul 19 09:10 file_contexts +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 593470 Jul 19 09:10 file_contexts.bin +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 14704 Jul 19 09:10 file_contexts.homedirs +-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 20289 Jul 19 09:10 file_contexts.homedirs.bin + + Both file context and ownership changed -- causes remote login + failures and other issues in some scenarios. 
+ +Signed-off-by: Vit Mojzis +Acked-by: Stephen Smalley +--- + libsemanage/src/semanage_store.c | 32 ++++++++++++++++++++++++++++++++ + libsemanage/src/semanage_store.h | 1 + + 2 files changed, 33 insertions(+) + +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index 27c5d349..0ac2e5b2 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -36,6 +36,7 @@ typedef struct dbase_policydb dbase_t; + #include "database_policydb.h" + #include "handle.h" + ++#include + #include + #include + #include +@@ -767,6 +768,7 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode, + if (!retval && rename(tmp, dst) == -1) + return -1; + ++ semanage_setfiles(dst); + out: + errno = errsv; + return retval; +@@ -819,6 +821,8 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) + goto cleanup; + } + umask(mask); ++ ++ semanage_setfiles(dst); + } + + for (i = 0; i < len; i++) { +@@ -837,6 +841,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) + goto cleanup; + } + umask(mask); ++ semanage_setfiles(path2); + } else if (S_ISREG(sb.st_mode) && flag == 1) { + mask = umask(0077); + if (semanage_copy_file(path, path2, sb.st_mode, +@@ -938,6 +943,7 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path) + + } + umask(mask); ++ semanage_setfiles(path); + } + else { + /* check that it really is a directory */ +@@ -1614,16 +1620,19 @@ static int semanage_validate_and_compile_fcontexts(semanage_handle_t * sh) + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC)) != 0) { + goto cleanup; + } ++ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_BIN)); + + if (sefcontext_compile(sh, + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL)) != 0) { + goto cleanup; + } ++ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL_BIN)); + + if (sefcontext_compile(sh, + semanage_final_path(SEMANAGE_FINAL_TMP, 
SEMANAGE_FC_HOMEDIRS)) != 0) { + goto cleanup; + } ++ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS_BIN)); + + status = 0; + cleanup: +@@ -3018,3 +3027,26 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len, + + return 0; + } ++ ++/* Make sure the file context and ownership of files in the policy ++ * store does not change */ ++void semanage_setfiles(const char *path){ ++ struct stat sb; ++ int fd; ++ /* Fix the user and role portions of the context, ignore errors ++ * since this is not a critical operation */ ++ selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY); ++ ++ /* Make sure "path" is owned by root */ ++ if ((geteuid() != 0 || getegid() != 0) && ++ ((fd = open(path, O_RDONLY)) != -1)){ ++ /* Skip files with the SUID or SGID bit set -- abuse protection */ ++ if ((fstat(fd, &sb) != -1) && ++ !(S_ISREG(sb.st_mode) && ++ (sb.st_mode & (S_ISUID | S_ISGID))) && ++ (fchown(fd, 0, 0) == -1)) ++ fprintf(stderr, "Warning! Could not set ownership of %s to root\n", path); ++ ++ close(fd); ++ } ++} +diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h +index 1fc77da8..e21dadeb 100644 +--- a/libsemanage/src/semanage_store.h ++++ b/libsemanage/src/semanage_store.h +@@ -124,6 +124,7 @@ int semanage_get_cil_paths(semanage_handle_t * sh, semanage_module_info_t *modin + int semanage_get_active_modules(semanage_handle_t *sh, + semanage_module_info_t **modinfo, int *num_modules); + ++void semanage_setfiles(const char *path); + + /* lock file routines */ + int semanage_get_trans_lock(semanage_handle_t * sh); +-- +2.45.2 + diff --git a/SOURCES/0005-libsemanage-Mute-error-messages-from-selinux_restore.patch b/SOURCES/0005-libsemanage-Mute-error-messages-from-selinux_restore.patch new file mode 100644 index 0000000..5bc047a --- /dev/null +++ b/SOURCES/0005-libsemanage-Mute-error-messages-from-selinux_restore.patch 
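Review bot: `semanage_setfiles()` opens `path` with a bare `O_RDONLY`, so if a store entry were a symbolic link the `fchown(fd, 0, 0)` would land on whatever it points at rather than on the entry the copy routines just created; `open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC)` keeps the ownership change confined to the store object itself (the SUID/SGID skip then covers the rest), unless the store deliberately contains symlinks, which I cannot tell from this page. The warning is written with `fprintf(stderr, ...)` rather than through the handle-based logging the rest of the file uses, presumably because the function takes no `semanage_handle_t`; that is worth a comment so the inconsistency does not look accidental. The silent fall-through when `open()` or `fstat()` fails matches the "not a critical operation" comment but deserves a word of its own, e.g. `/* open/fstat failure: leave ownership as-is; restorecon above already ran */`.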
@@ -0,0 +1,64 @@ +From 217f00e1ff962fff7e7babc619d29dfc30cb72f6 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Thu, 12 Dec 2024 19:44:25 +0100 +Subject: [PATCH] libsemanage: Mute error messages from selinux_restorecon +Content-type: text/plain + +Mute error messages produced by selinux_restorecon when rebuilding the +policy store to avoid error messages in containers, image mode, etc. + +Fixes: + #podman build --security-opt=label=disable --cap-add=all --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide +... +Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext: Operation not supported +Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas: Operation not supported +Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil: Operation not supported +Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll: Operation not supported +... + +https://bugzilla.redhat.com/show_bug.cgi?id=2326348 + +Signed-off-by: Vit Mojzis +Acked-by: James Carter +--- + libsemanage/src/semanage_store.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index c26f5667b3cd..fc77e4817c4d 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -3026,15 +3026,29 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len, + return 0; + } + ++/* log_callback muting all logs */ ++static int __attribute__ ((format(printf, 2, 3))) ++log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) const char *fmt, ...) 
++{ ++ return 0; ++} ++ + /* Make sure the file context and ownership of files in the policy + * store does not change */ + void semanage_setfiles(const char *path){ + struct stat sb; + int fd; ++ union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG); ++ union selinux_callback cb = { .func_log = log_callback_mute }; ++ ++ /* Mute all logs */ ++ selinux_set_callback(SELINUX_CB_LOG, cb); ++ + /* Fix the user and role portions of the context, ignore errors + * since this is not a critical operation */ + selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY); +- ++ /* restore log_logging */ ++ selinux_set_callback(SELINUX_CB_LOG, cb_orig); + /* Make sure "path" is owned by root */ + if ((geteuid() != 0 || getegid() != 0) && + ((fd = open(path, O_RDONLY)) != -1)){ +-- +2.48.1 + diff --git a/SOURCES/0006-libsemanage-Set-new-restorecon-handle-before-doing-r.patch b/SOURCES/0006-libsemanage-Set-new-restorecon-handle-before-doing-r.patch new file mode 100644 index 0000000..58908c9 --- /dev/null +++ b/SOURCES/0006-libsemanage-Set-new-restorecon-handle-before-doing-r.patch 
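Review bot: Swapping the process-wide `SELINUX_CB_LOG` callback around `selinux_restorecon()` mutes every libselinux message, not only the ENOTSUP noise the commit targets, so a genuine failure to relabel the store (the problem patch 0003 exists to fix) now leaves no trace; as far as I can tell the callback is global state, so any other thread using libselinux in the same process is also silenced during that window. Keeping the mute but checking the result, `if (selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY) < 0 && errno != ENOTSUP)` followed by `fprintf(stderr, "Warning! Could not restore context of %s\n", path);`, would match the ownership warning already in this function, assuming errno survives the return, which I cannot confirm here. The `/* restore log_logging */` comment reads as a typo for `/* restore the original log callback */`. `semanage_setfiles()` continues past the end of the hunk.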
@@ -0,0 +1,37 @@ +From d19aee085e00713fd8ed525bf2c041fb2081bc6d Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Wed, 22 Jan 2025 10:58:28 -0500 +Subject: [PATCH] libsemanage: Set new restorecon handle before doing + restorecon +Content-type: text/plain + +In semanage_setfiles(), need to reset the restorecon handle to make +sure restorecon is not operating on old selabel data. + +Signed-off-by: James Carter +--- + libsemanage/src/semanage_store.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index fc77e4817c4d..aca8274dfa04 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -3038,9 +3038,14 @@ log_callback_mute(__attribute__((unused)) int type, __attribute__((unused)) cons + void semanage_setfiles(const char *path){ + struct stat sb; + int fd; ++ struct selabel_handle *sehandle; ++ + union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG); + union selinux_callback cb = { .func_log = log_callback_mute }; + ++ sehandle = selinux_restorecon_default_handle(); ++ selinux_restorecon_set_sehandle(sehandle); ++ + /* Mute all logs */ + selinux_set_callback(SELINUX_CB_LOG, cb); + +-- +2.48.1 + diff --git a/SOURCES/0007-libsemanage-improve-performance-of-semanage-store-re.patch b/SOURCES/0007-libsemanage-improve-performance-of-semanage-store-re.patch new file mode 100644 index 0000000..4688d4b --- /dev/null +++ b/SOURCES/0007-libsemanage-improve-performance-of-semanage-store-re.patch 
@@ -0,0 +1,78 @@ +From 8fbcce101a3c53444af48f766ff77f82f32cff29 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Mon, 24 Feb 2025 18:09:58 +0100 +Subject: [PATCH] libsemanage: improve performance of semanage store rebuild +Content-type: text/plain + +Commit 9d107ab77ba4 ("libsemanage: Set new restorecon handle before doing restorecon +") added reopeniong selabel handle every time semanage_setfiles() is +called. It means that during `semodule -B`, `selabel_close()` and +`selabel_open()` could be called more than 1800x what could have a +significant performance impact. + +It should be enough to reopen selabel handle just after semanage commit +when changes are applied. + +Before 9d107ab77ba4: + # time semodule -B + real 0m5.067s + user 0m4.675s + sys 0m0.279s + +After 9d107ab77ba4: + # time semodule -B + real 0m11.176s + user 0m10.535s + sys 0m0.499s + +With this patch: + # time semodule -B + real 0m5.109s + user 0m4.713s + sys 0m0.266s + +Signed-off-by: Petr Lautrbach +--- + libsemanage/src/semanage_store.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c +index aca8274dfa04..f02812580238 100644 +--- a/libsemanage/src/semanage_store.c ++++ b/libsemanage/src/semanage_store.c +@@ -1741,6 +1741,7 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) + semanage_path(SEMANAGE_PREVIOUS, SEMANAGE_TOPLEVEL); + const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL); + struct stat buf; ++ struct selabel_handle *sehandle; + + /* update the commit number */ + if ((commit_number = semanage_direct_get_serial(sh)) < 0) { +@@ -1847,6 +1848,9 @@ static int semanage_commit_sandbox(semanage_handle_t * sh) + + cleanup: + semanage_release_active_lock(sh); ++ sehandle = selinux_restorecon_default_handle(); ++ selinux_restorecon_set_sehandle(sehandle); ++ + return retval; + } + +@@ -3038,14 +3042,10 @@ log_callback_mute(__attribute__((unused)) int type, 
__attribute__((unused)) cons + void semanage_setfiles(const char *path){ + struct stat sb; + int fd; +- struct selabel_handle *sehandle; + + union selinux_callback cb_orig = selinux_get_callback(SELINUX_CB_LOG); + union selinux_callback cb = { .func_log = log_callback_mute }; + +- sehandle = selinux_restorecon_default_handle(); +- selinux_restorecon_set_sehandle(sehandle); +- + /* Mute all logs */ + selinux_set_callback(SELINUX_CB_LOG, cb); + +-- +2.48.1 + diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec index 714441c..0459bce 100644 --- a/SPECS/libsemanage.spec +++ b/SPECS/libsemanage.spec @@ -1,10 +1,10 @@ %define libsepolver 3.6-1 -%define libselinuxver 3.6-1 +%define libselinuxver 3.6-3 Summary: SELinux binary policy manipulation library Name: libsemanage Version: 3.6 -Release: 2.1%{?dist} +Release: 5%{?dist} License: LGPLv2+ Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/libsemanage-3.6.tar.gz # fedora-selinux/selinux: git checkout c9s; git format-patch -N 3.6 -- libsemanage @@ -12,7 +12,11 @@ Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/libsema # Patch list start Patch0001: 0001-Revert-Do-not-automatically-install-Russian-translat.patch Patch0002: 0002-Revert-libsemanage-Remove-the-Russian-translations.patch +Patch0003: 0003-libsemanage-Preserve-file-context-and-ownership-in-p.patch Patch0004: 0004-libsemanage-open-lock_file-with-O_RDWR.patch +Patch0005: 0005-libsemanage-Mute-error-messages-from-selinux_restore.patch +Patch0006: 0006-libsemanage-Set-new-restorecon-handle-before-doing-r.patch +Patch0007: 0007-libsemanage-improve-performance-of-semanage-store-re.patch # Patch list end URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf 
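Review bot: The handle installed at `cleanup:` in `semanage_commit_sandbox()` is never released by this code, and unless libselinux's `selinux_restorecon_set_sehandle()` frees the handle it replaces (which I cannot confirm from this page), every commit leaks one `selabel_handle`; keeping the previous pointer in a file-scope static and calling `selabel_close()` on it once the new one is installed would close that. `selinux_restorecon_default_handle()` presumably returns NULL when the file_contexts spec cannot be opened, and that NULL is passed straight on, so an `if (sehandle)` guard would make the failure case explicit. The refresh also runs on every error path that jumps to `cleanup:` before anything was committed, which looks harmless but deserves a comment such as `/* refresh the restorecon handle so later semanage_setfiles() calls label against the now-active file_contexts */`. Whether labelling the sandbox under the pre-commit file_contexts (the case patch 0006 set out to avoid) is acceptable depends on when the store is copied to its final location, which this hunk does not show.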
@@ -156,9 +160,18 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/semanage.conf %{_libexecdir}/selinux/semanage_migrate_store %changelog -* Fri Nov 08 2024 Petr Lautrbach - 3.6-2.1 +* Mon Feb 24 2025 Petr Lautrbach - 3.6-5 +- improve performance of semanage store rebuild (RHEL-79100) + +* Tue Jan 28 2025 Petr Lautrbach - 3.6-4 +- Set new restorecon handle before doing restorecon (RHEL-76472) + +* Fri Nov 08 2024 Petr Lautrbach - 3.6-3 - open lock_file with O_RDWR (RHEL-60503) +* Tue Aug 06 2024 Vit Mojzis - 3.6-2 +- Preserve file context and ownership in policy store (RHEL-31216, RHEL-54389) + * Wed Dec 13 2023 Petr Lautrbach - 3.6-1 - SELinux userspace 3.6 release