rpms/libsemanage
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import libsemanage-2.9-6.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-03-30 14:36:58 -04:00 committed by Stepan Oksanichenko
parent 8f4c88e389
commit 30e486744e
3 changed files with 73 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch Normal file
View File

@ -0,0 +1,55 @@
From 11e381e5aa3468aa5c2634f14706336c7824f226 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 27 Jan 2021 12:00:55 +0100
Subject: [PATCH] libsemanage: sync filesystem with sandbox
Commit 331a109f91ea ("libsemanage: fsync final files before rename")
added fsync() for policy files and improved situation when something
unexpected happens right after rename(). However the module store could
be affected as well. After the following steps module files could be 0
size:
1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
2. Force shutdown the server during the command is run, or right after
it's finished
3. Boot the system and look for empty files:
# find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
1266
It looks like this situation can be avoided if the filesystem with the
sandbox is sync()ed before we start to rename() directories in the
store.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsemanage/src/semanage_store.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index 733df8da37c2..ae023582e907 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1737,6 +1737,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
}
close(fd);
+ /* sync changes in sandbox to filesystem */
+ fd = open(sandbox, O_DIRECTORY);
+ if (fd == -1) {
+ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
+ return -1;
+ }
+ if (syncfs(fd) == -1) {
+ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
+ close(fd);
+ return -1;
+ }
+ close(fd);
+
retval = commit_number;
if (semanage_get_active_lock(sh) < 0) {
--
2.30.0

8
SOURCES/semanage.conf
View File

@ -42,14 +42,16 @@ module-store = direct
expand-check=0 expand-check=0
# usepasswd check tells semanage to scan all pass word records for home directories # usepasswd check tells semanage to scan all pass word records for home directories
# and setup the labeling correctly. If this is turned off, SELinux will label /home # and setup the labeling correctly. If this is turned off, SELinux will label only /home
# correctly only. You will need to use semanage fcontext command. # and home directories of users with SELinux login mappings defined, see
# semanage login -l for the list of such users.
# If you want to use a different home directory, you will need to use semanage fcontext command.
# For example, if you had home dirs in /althome directory you would have to execute # For example, if you had home dirs in /althome directory you would have to execute
# semanage fcontext -a -e /home /althome # semanage fcontext -a -e /home /althome
usepasswd=False usepasswd=False
bzip-small=true bzip-small=true
bzip-blocksize=5 bzip-blocksize=5
ignoredirs=/root ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var
[sefcontext_compile] [sefcontext_compile]
path = /usr/sbin/sefcontext_compile path = /usr/sbin/sefcontext_compile

14
SPECS/libsemanage.spec
View File

@ -4,13 +4,14 @@
Summary: SELinux binary policy manipulation library Summary: SELinux binary policy manipulation library
Name: libsemanage Name: libsemanage
Version: 2.9 Version: 2.9
Release: 3%{?dist} Release: 6%{?dist}
License: LGPLv2+ License: LGPLv2+
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
Patch0002: 0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch Patch0002: 0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch
Patch0003: 0003-libsemanage-fsync-final-files-before-rename.patch Patch0003: 0003-libsemanage-fsync-final-files-before-rename.patch
Patch0004: 0004-libsemanage-sync-filesystem-with-sandbox.patch
URL: https://github.com/SELinuxProject/selinux/wiki URL: https://github.com/SELinuxProject/selinux/wiki
Source1: semanage.conf Source1: semanage.conf
@ -156,6 +157,17 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~
%{_libexecdir}/selinux/semanage_migrate_store %{_libexecdir}/selinux/semanage_migrate_store
%changelog %changelog
* Mon Feb 1 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
- sync filesystem with sandbox (#1913224)
* Mon Dec 21 2020 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
- Revert "genhomedircon: check usepasswd" (rhbz#1871786)
- semanage.conf - improve usepasswd=False explanation (rhbz#1871786)
- semanage.conf - expand list of ignoredirs (rhbz#1871786)
* Sun Nov 22 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
- genhomedircon: check usepasswd (rhbz#1871786)
* Mon Jun 29 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-3 * Mon Jun 29 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
- Fsync final files before rename (#1838762) - Fsync final files before rename (#1838762)