import libsemanage-2.9-6.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
8f4c88e389
commit
30e486744e
55
SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch
Normal file
55
SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 11e381e5aa3468aa5c2634f14706336c7824f226 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <plautrba@redhat.com>
|
||||
Date: Wed, 27 Jan 2021 12:00:55 +0100
|
||||
Subject: [PATCH] libsemanage: sync filesystem with sandbox
|
||||
|
||||
Commit 331a109f91ea ("libsemanage: fsync final files before rename")
|
||||
added fsync() for policy files and improved situation when something
|
||||
unexpected happens right after rename(). However the module store could
|
||||
be affected as well. After the following steps module files could be 0
|
||||
size:
|
||||
|
||||
1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
|
||||
2. Force shutdown the server during the command is run, or right after
|
||||
it's finished
|
||||
3. Boot the system and look for empty files:
|
||||
# find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
|
||||
1266
|
||||
|
||||
It looks like this situation can be avoided if the filesystem with the
|
||||
sandbox is sync()ed before we start to rename() directories in the
|
||||
store.
|
||||
|
||||
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
||||
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
|
||||
---
|
||||
libsemanage/src/semanage_store.c | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
|
||||
index 733df8da37c2..ae023582e907 100644
|
||||
--- a/libsemanage/src/semanage_store.c
|
||||
+++ b/libsemanage/src/semanage_store.c
|
||||
@@ -1737,6 +1737,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
|
||||
}
|
||||
close(fd);
|
||||
|
||||
+ /* sync changes in sandbox to filesystem */
|
||||
+ fd = open(sandbox, O_DIRECTORY);
|
||||
+ if (fd == -1) {
|
||||
+ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ if (syncfs(fd) == -1) {
|
||||
+ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
|
||||
+ close(fd);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ close(fd);
|
||||
+
|
||||
retval = commit_number;
|
||||
|
||||
if (semanage_get_active_lock(sh) < 0) {
|
||||
--
|
||||
2.30.0
|
||||
|
||||
@ -42,14 +42,16 @@ module-store = direct
|
||||
expand-check=0
|
||||
|
||||
# usepasswd check tells semanage to scan all pass word records for home directories
|
||||
# and setup the labeling correctly. If this is turned off, SELinux will label /home
|
||||
# correctly only. You will need to use semanage fcontext command.
|
||||
# and setup the labeling correctly. If this is turned off, SELinux will label only /home
|
||||
# and home directories of users with SELinux login mappings defined, see
|
||||
# semanage login -l for the list of such users.
|
||||
# If you want to use a different home directory, you will need to use semanage fcontext command.
|
||||
# For example, if you had home dirs in /althome directory you would have to execute
|
||||
# semanage fcontext -a -e /home /althome
|
||||
usepasswd=False
|
||||
bzip-small=true
|
||||
bzip-blocksize=5
|
||||
ignoredirs=/root
|
||||
ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var
|
||||
|
||||
[sefcontext_compile]
|
||||
path = /usr/sbin/sefcontext_compile
|
||||
|
||||
@ -4,13 +4,14 @@
|
||||
Summary: SELinux binary policy manipulation library
|
||||
Name: libsemanage
|
||||
Version: 2.9
|
||||
Release: 3%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: LGPLv2+
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
|
||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
|
||||
Patch0002: 0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch
|
||||
Patch0003: 0003-libsemanage-fsync-final-files-before-rename.patch
|
||||
Patch0004: 0004-libsemanage-sync-filesystem-with-sandbox.patch
|
||||
URL: https://github.com/SELinuxProject/selinux/wiki
|
||||
Source1: semanage.conf
|
||||
|
||||
@ -156,6 +157,17 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~
|
||||
%{_libexecdir}/selinux/semanage_migrate_store
|
||||
|
||||
%changelog
|
||||
* Mon Feb 1 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
|
||||
- sync filesystem with sandbox (#1913224)
|
||||
|
||||
* Mon Dec 21 2020 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
|
||||
- Revert "genhomedircon: check usepasswd" (rhbz#1871786)
|
||||
- semanage.conf - improve usepasswd=False explanation (rhbz#1871786)
|
||||
- semanage.conf - expand list of ignoredirs (rhbz#1871786)
|
||||
|
||||
* Sun Nov 22 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
|
||||
- genhomedircon: check usepasswd (rhbz#1871786)
|
||||
|
||||
* Mon Jun 29 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
|
||||
- Fsync final files before rename (#1838762)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user