67f6962810 |
361
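--- a/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch
+++ b/SOURCES/0013-libsemanage-allow-spaces-in-user-group-names.patch
@@ -0,0 +1,361 @@
+From f4a0e563dfff91d308d1738bbabdddc9ab672098 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 17 Feb 2022 13:49:23 +0100
+Subject: [PATCH] libsemanage: allow spaces in user/group names
+
+"semanage login -a" accepts whitespaces in user/group name
+(e.g. users/groups from Active Directory), which may lead to issues down
+the line since libsemanage doesn't expect whitespaces in
+/var/lib/selinux/targeted/active/seusers and other config files.
+
+Fixes:
+Artificial but simple reproducer
+# groupadd server_admins
+# sed -i "s/^server_admins/server admins/" /etc/group
+# semanage login -a -s staff_u %server\ admins
+# semanage login -l (or "semodule -B")
+libsemanage.parse_assert_ch: expected character ':', but found 'a' (/var/lib/selinux/targeted/active/seusers: 6):
+%server admins:staff_u:s0-s0:c0.c1023 (No such file or directory).
+libsemanage.seuser_parse: could not parse seuser record (No such file or directory).
+libsemanage.dbase_file_cache: could not cache file database (No such file or directory).
+libsemanage.enter_ro: could not enter read-only section (No such file or directory).
+FileNotFoundError: [Errno 2] No such file or directory
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+libsemanage/src/booleans_file.c | 2 +-
+libsemanage/src/fcontexts_file.c | 6 +++---
+libsemanage/src/ibendports_file.c | 4 ++--
+libsemanage/src/ibpkeys_file.c | 4 ++--
+libsemanage/src/interfaces_file.c | 6 +++---
+libsemanage/src/nodes_file.c | 8 ++++----
+libsemanage/src/parse_utils.c | 6 +++---
+libsemanage/src/parse_utils.h | 11 +++++------
+libsemanage/src/ports_file.c | 4 ++--
+libsemanage/src/seusers_file.c | 6 +++---
+libsemanage/src/users_base_file.c | 7 +++----
+libsemanage/src/users_extra_file.c | 4 ++--
+12 files changed, 33 insertions(+), 35 deletions(-)
+
+diff --git a/libsemanage/src/booleans_file.c b/libsemanage/src/booleans_file.c
+index f79d0b44..6d600bbc 100644
+--- a/libsemanage/src/booleans_file.c
++++ b/libsemanage/src/booleans_file.c
+@@ -48,7 +48,7 @@ static int bool_parse(semanage_handle_t * handle,
+goto last;
+
+/* Extract name */
+- if (parse_fetch_string(handle, info, &str, '=') < 0)
++ if (parse_fetch_string(handle, info, &str, '=', 0) < 0)
+goto err;
+
+if (semanage_bool_set_name(handle, boolean, str) < 0)
+diff --git a/libsemanage/src/fcontexts_file.c b/libsemanage/src/fcontexts_file.c
+index 1e596519..ad177208 100644
+--- a/libsemanage/src/fcontexts_file.c
++++ b/libsemanage/src/fcontexts_file.c
+@@ -91,7 +91,7 @@ static int fcontext_parse(semanage_handle_t * handle,
+goto last;
+
+/* Regexp */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_fcontext_set_expr(handle, fcontext, str) < 0)
+goto err;
+@@ -101,7 +101,7 @@ static int fcontext_parse(semanage_handle_t * handle,
+/* Type */
+if (parse_assert_space(handle, info) < 0)
+goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (!strcasecmp(str, "-s"))
+semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_SOCK);
+@@ -125,7 +125,7 @@ static int fcontext_parse(semanage_handle_t * handle,
+/* Context */
+if (parse_assert_space(handle, info) < 0)
+goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+
+process_context:
+diff --git a/libsemanage/src/ibendports_file.c b/libsemanage/src/ibendports_file.c
+index 402c7a5e..47a62429 100644
+--- a/libsemanage/src/ibendports_file.c
++++ b/libsemanage/src/ibendports_file.c
+@@ -76,7 +76,7 @@ static int ibendport_parse(semanage_handle_t *handle,
+goto err;
+
+/* IB Device Name */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_ibendport_set_ibdev_name(handle, ibendport, str) < 0)
+goto err;
+@@ -93,7 +93,7 @@ static int ibendport_parse(semanage_handle_t *handle,
+/* context */
+if (parse_assert_space(handle, info) < 0)
+goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_context_from_string(handle, str, &con) < 0) {
+ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/ibpkeys_file.c b/libsemanage/src/ibpkeys_file.c
+index ceaea7ad..5424e279 100644
+--- a/libsemanage/src/ibpkeys_file.c
++++ b/libsemanage/src/ibpkeys_file.c
+@@ -81,7 +81,7 @@ static int ibpkey_parse(semanage_handle_t *handle,
+goto err;
+
+/* Subnet Prefix */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_ibpkey_set_subnet_prefix(handle, ibpkey, str) < 0)
+goto err;
+@@ -116,7 +116,7 @@ static int ibpkey_parse(semanage_handle_t *handle,
+semanage_ibpkey_set_pkey(ibpkey, low);
+}
+/* Pkey context */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_context_from_string(handle, str, &con) < 0) {
+ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/interfaces_file.c b/libsemanage/src/interfaces_file.c
+index 1478af97..b105f807 100644
+--- a/libsemanage/src/interfaces_file.c
++++ b/libsemanage/src/interfaces_file.c
+@@ -73,7 +73,7 @@ static int iface_parse(semanage_handle_t * handle,
+goto err;
+
+/* Name */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_iface_set_name(handle, iface, str) < 0)
+goto err;
+@@ -83,7 +83,7 @@ static int iface_parse(semanage_handle_t * handle,
+/* Interface context */
+if (parse_assert_space(handle, info) < 0)
+goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_context_from_string(handle, str, &con) < 0) {
+ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+@@ -107,7 +107,7 @@ static int iface_parse(semanage_handle_t * handle,
+/* Message context */
+if (parse_assert_space(handle, info) < 0)
+goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_context_from_string(handle, str, &con) < 0) {
+ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/nodes_file.c b/libsemanage/src/nodes_file.c
+index f6c8895d..922355dd 100644
+--- a/libsemanage/src/nodes_file.c
++++ b/libsemanage/src/nodes_file.c
+@@ -78,7 +78,7 @@ static int node_parse(semanage_handle_t * handle,
+goto err;
+
+/* Protocol */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (!strcasecmp(str, "ipv4"))
+proto = SEMANAGE_PROTO_IP4;
+@@ -97,7 +97,7 @@ static int node_parse(semanage_handle_t * handle,
+/* Address */
+if (parse_assert_space(handle, info) < 0)
+goto err;
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_node_set_addr(handle, node, proto, str) < 0)
+goto err;
+@@ -107,7 +107,7 @@ static int node_parse(semanage_handle_t * handle,
+str = NULL;
+
+/* Netmask */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_node_set_mask(handle, node, proto, str) < 0)
+goto err;
+@@ -117,7 +117,7 @@ static int node_parse(semanage_handle_t * handle,
+str = NULL;
+
+/* Port context */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_context_from_string(handle, str, &con) < 0) {
+ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/parse_utils.c b/libsemanage/src/parse_utils.c
+index 4fb54fc3..918dee43 100644
+--- a/libsemanage/src/parse_utils.c
++++ b/libsemanage/src/parse_utils.c
+@@ -239,7 +239,7 @@ int parse_fetch_int(semanage_handle_t * handle,
+char *test = NULL;
+int value = 0;
+
+- if (parse_fetch_string(handle, info, &str, delim) < 0)
++ if (parse_fetch_string(handle, info, &str, delim, 0) < 0)
+goto err;
+
+if (!isdigit((int)*str)) {
+@@ -267,7 +267,7 @@ int parse_fetch_int(semanage_handle_t * handle,
+}
+
+int parse_fetch_string(semanage_handle_t * handle,
+- parse_info_t * info, char **str, char delim)
++ parse_info_t * info, char **str, char delim, int allow_spaces)
+{
+
+char *start = info->ptr;
+@@ -277,7 +277,7 @@ int parse_fetch_string(semanage_handle_t * handle,
+if (parse_assert_noeof(handle, info) < 0)
+goto err;
+
+- while (*(info->ptr) && !isspace(*(info->ptr)) &&
++ while (*(info->ptr) && (allow_spaces || !isspace(*(info->ptr))) &&
+(*(info->ptr) != delim)) {
+info->ptr++;
+len++;
+diff --git a/libsemanage/src/parse_utils.h b/libsemanage/src/parse_utils.h
+index 0f334860..3e44aca1 100644
+--- a/libsemanage/src/parse_utils.h
++++ b/libsemanage/src/parse_utils.h
+@@ -71,12 +71,11 @@ extern int parse_optional_str(parse_info_t * info, const char *str);
+int parse_fetch_int(semanage_handle_t * hgandle,
+parse_info_t * info, int *num, char delim);
+
+-/* Extract the next string (delimited by
+- * whitespace), and move the read pointer past it.
+- * Stop of the optional character delim is encountered,
+- * or if whitespace/eof is encountered. Fail if the
+- * string is of length 0. */
++/* Extract the next string and move the read pointer past it.
++ * Stop if the optional character delim (or eof) is encountered,
++ * or if whitespace is encountered and allow_spaces is 0.
++ * Fail if the string is of length 0. */
+extern int parse_fetch_string(semanage_handle_t * handle,
+- parse_info_t * info, char **str_ptr, char delim);
++ parse_info_t * info, char **str_ptr, char delim, int allow_spaces);
+
+#endif
+diff --git a/libsemanage/src/ports_file.c b/libsemanage/src/ports_file.c
+index 4738d467..0c151089 100644
+--- a/libsemanage/src/ports_file.c
++++ b/libsemanage/src/ports_file.c
+@@ -78,7 +78,7 @@ static int port_parse(semanage_handle_t * handle,
+goto err;
+
+/* Protocol */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (!strcasecmp(str, "tcp"))
+semanage_port_set_proto(port, SEMANAGE_PROTO_TCP);
+@@ -124,7 +124,7 @@ static int port_parse(semanage_handle_t * handle,
+semanage_port_set_port(port, low);
+
+/* Port context */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_context_from_string(handle, str, &con) < 0) {
+ERR(handle, "invalid security context \"%s\" (%s: %u)\n%s",
+diff --git a/libsemanage/src/seusers_file.c b/libsemanage/src/seusers_file.c
+index 910bedf4..21b970ac 100644
+--- a/libsemanage/src/seusers_file.c
++++ b/libsemanage/src/seusers_file.c
+@@ -53,7 +53,7 @@ static int seuser_parse(semanage_handle_t * handle,
+goto last;
+
+/* Extract name */
+- if (parse_fetch_string(handle, info, &str, ':') < 0)
++ if (parse_fetch_string(handle, info, &str, ':', 1) < 0)
+goto err;
+if (semanage_seuser_set_name(handle, seuser, str) < 0)
+goto err;
+@@ -68,7 +68,7 @@ static int seuser_parse(semanage_handle_t * handle,
+goto err;
+
+/* Extract sename */
+- if (parse_fetch_string(handle, info, &str, ':') < 0)
++ if (parse_fetch_string(handle, info, &str, ':', 1) < 0)
+goto err;
+if (semanage_seuser_set_sename(handle, seuser, str) < 0)
+goto err;
+@@ -83,7 +83,7 @@ static int seuser_parse(semanage_handle_t * handle,
+goto err;
+
+/* NOTE: does not allow spaces/multiline */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+
+if (semanage_seuser_set_mlsrange(handle, seuser, str) < 0)
+diff --git a/libsemanage/src/users_base_file.c b/libsemanage/src/users_base_file.c
+index 0f0a8fdb..a0f8cd7e 100644
+--- a/libsemanage/src/users_base_file.c
++++ b/libsemanage/src/users_base_file.c
+@@ -83,7 +83,7 @@ static int user_base_parse(semanage_handle_t * handle,
+goto err;
+
+/* Parse user name */
+- if (parse_fetch_string(handle, info, &name_str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &name_str, ' ', 0) < 0)
+goto err;
+
+if (semanage_user_base_set_name(handle, user, name_str) < 0) {
+@@ -150,7 +150,7 @@ static int user_base_parse(semanage_handle_t * handle,
+goto err;
+
+/* NOTE: does not allow spaces/multiline */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_user_base_set_mlslevel(handle, user, str) < 0)
+goto err;
+@@ -165,8 +165,7 @@ static int user_base_parse(semanage_handle_t * handle,
+if (parse_assert_space(handle, info) < 0)
+goto err;
+
+- /* NOTE: does not allow spaces/multiline */
+- if (parse_fetch_string(handle, info, &str, ';') < 0)
++ if (parse_fetch_string(handle, info, &str, ';', 1) < 0)
+goto err;
+if (semanage_user_base_set_mlsrange(handle, user, str) < 0)
+goto err;
+diff --git a/libsemanage/src/users_extra_file.c b/libsemanage/src/users_extra_file.c
+index 8f2bebd6..7aa9df3c 100644
+--- a/libsemanage/src/users_extra_file.c
++++ b/libsemanage/src/users_extra_file.c
+@@ -57,7 +57,7 @@ static int user_extra_parse(semanage_handle_t * handle,
+goto err;
+
+/* Extract name */
+- if (parse_fetch_string(handle, info, &str, ' ') < 0)
++ if (parse_fetch_string(handle, info, &str, ' ', 0) < 0)
+goto err;
+if (semanage_user_extra_set_name(handle, user_extra, str) < 0)
+goto err;
+@@ -73,7 +73,7 @@ static int user_extra_parse(semanage_handle_t * handle,
+goto err;
+
+/* Extract prefix */
+- if (parse_fetch_string(handle, info, &str, ';') < 0)
++ if (parse_fetch_string(handle, info, &str, ';', 1) < 0)
+goto err;
+if (semanage_user_extra_set_prefix(handle, user_extra, str) < 0)
+goto err;
+--
+2.35.3
+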
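Review bot: With allow_spaces set, the rewritten loop condition in parse_fetch_string (parse_utils.c hunk at -277) bypasses the whole isspace() test, so the token accepts tabs, carriage returns and newlines as well as the plain spaces the commit is about; for the seusers name/sename fields (delim ':') and the users_base/users_extra fields parsed with ';' and allow_spaces=1, a record that lacks its delimiter is no longer rejected at the first whitespace but runs on to the end of the buffer, swallowing any trailing newline the line still carries (whether parse_info keeps one is not visible here). Restricting the relaxation to the space character keeps the fix while preserving the old failure mode for every other whitespace class: `while (*(info->ptr) && (!isspace(*(info->ptr)) || (allow_spaces && *(info->ptr) == ' ')) &&`. The new header comment in parse_utils.h should then say `or if whitespace is encountered (a plain ' ' is accepted when allow_spaces is non-zero)` so callers know exactly what is admitted. The body of parse_fetch_string continues outside the hunk.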
@ -1,4 +1,4 @@
|
|||||||
From 330b6efa010b3dac732beb49c98894a99dab0545 Mon Sep 17 00:00:00 2001
|
From db81de97febc8c79bfe7c54f57ae313cc5ba0728 Mon Sep 17 00:00:00 2001
|
||||||
From: Ondrej Mosnacek <omosnace@redhat.com>
|
From: Ondrej Mosnacek <omosnace@redhat.com>
|
||||||
Date: Wed, 8 Jun 2022 19:09:53 +0200
|
Date: Wed, 8 Jun 2022 19:09:53 +0200
|
||||||
Subject: [PATCH] libsemanage: always write kernel policy when
|
Subject: [PATCH] libsemanage: always write kernel policy when
|
||||||
@ -55,5 +55,5 @@ index bbdca2b2..252fc5bb 100644
|
|||||||
ifaces->dtable->is_modified(ifaces->dbase) |
|
ifaces->dtable->is_modified(ifaces->dbase) |
|
||||||
nodes->dtable->is_modified(nodes->dbase) |
|
nodes->dtable->is_modified(nodes->dbase) |
|
||||||
--
|
--
|
||||||
2.37.3
|
2.35.3
|
||||||
|
|
@ -0,0 +1,146 @@
|
|||||||
|
From 52f19bad2e4a3d5c7599df9afd5e3cd675ecac8c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Mon, 29 Jul 2024 13:26:45 +0200
|
||||||
|
Subject: [PATCH] libsemanage: Preserve file context and ownership in policy
|
||||||
|
store
|
||||||
|
|
||||||
|
Make sure that file context (all parts) and ownership of
|
||||||
|
files/directories in policy store does not change no matter which user
|
||||||
|
and under which context executes policy rebuild.
|
||||||
|
|
||||||
|
Fixes:
|
||||||
|
# semodule -B
|
||||||
|
# ls -lZ /etc/selinux/targeted/contexts/files
|
||||||
|
|
||||||
|
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 421397 Jul 11 09:57 file_contexts
|
||||||
|
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 593470 Jul 11 09:57 file_contexts.bin
|
||||||
|
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 14704 Jul 11 09:57 file_contexts.homedirs
|
||||||
|
-rw-r--r--. 1 root root unconfined_u:object_r:file_context_t:s0 20289 Jul 11 09:57 file_contexts.homedirs.bin
|
||||||
|
|
||||||
|
SELinux user changed from system_u to the user used to execute semodule
|
||||||
|
|
||||||
|
# capsh --user=testuser --caps="cap_dac_override,cap_chown+eip" --addamb=cap_dac_override,cap_chown -- -c "semodule -B"
|
||||||
|
# ls -lZ /etc/selinux/targeted/contexts/files
|
||||||
|
|
||||||
|
-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 421397 Jul 19 09:10 file_contexts
|
||||||
|
-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 593470 Jul 19 09:10 file_contexts.bin
|
||||||
|
-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 14704 Jul 19 09:10 file_contexts.homedirs
|
||||||
|
-rw-r--r--. 1 testuser testuser unconfined_u:object_r:file_context_t:s0 20289 Jul 19 09:10 file_contexts.homedirs.bin
|
||||||
|
|
||||||
|
Both file context and ownership changed -- causes remote login
|
||||||
|
failures and other issues in some scenarios.
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||||||
|
---
|
||||||
|
libsemanage/src/semanage_store.c | 32 ++++++++++++++++++++++++++++++++
|
||||||
|
libsemanage/src/semanage_store.h | 1 +
|
||||||
|
2 files changed, 33 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
|
||||||
|
index 1fff667d..52cc72d7 100644
|
||||||
|
--- a/libsemanage/src/semanage_store.c
|
||||||
|
+++ b/libsemanage/src/semanage_store.c
|
||||||
|
@@ -36,6 +36,7 @@ typedef struct dbase_policydb dbase_t;
|
||||||
|
#include "database_policydb.h"
|
||||||
|
#include "handle.h"
|
||||||
|
|
||||||
|
+#include <selinux/restorecon.h>
|
||||||
|
#include <selinux/selinux.h>
|
||||||
|
#include <sepol/policydb.h>
|
||||||
|
#include <sepol/module.h>
|
||||||
|
@@ -763,6 +764,7 @@ int semanage_copy_file(const char *src, const char *dst, mode_t mode,
|
||||||
|
if (!retval && rename(tmp, dst) == -1)
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
+ semanage_setfiles(dst);
|
||||||
|
out:
|
||||||
|
errno = errsv;
|
||||||
|
return retval;
|
||||||
|
@@ -801,6 +803,8 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
umask(mask);
|
||||||
|
+
|
||||||
|
+ semanage_setfiles(dst);
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < len; i++) {
|
||||||
|
@@ -819,6 +823,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag)
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
umask(mask);
|
||||||
|
+ semanage_setfiles(path2);
|
||||||
|
} else if (S_ISREG(sb.st_mode) && flag == 1) {
|
||||||
|
mask = umask(0077);
|
||||||
|
if (semanage_copy_file(path, path2, sb.st_mode,
|
||||||
|
@@ -920,6 +925,7 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path)
|
||||||
|
|
||||||
|
}
|
||||||
|
umask(mask);
|
||||||
|
+ semanage_setfiles(path);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
/* check that it really is a directory */
|
||||||
|
@@ -1597,16 +1603,19 @@ static int semanage_validate_and_compile_fcontexts(semanage_handle_t * sh)
|
||||||
|
semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC)) != 0) {
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
+ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_BIN));
|
||||||
|
|
||||||
|
if (sefcontext_compile(sh,
|
||||||
|
semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL)) != 0) {
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
+ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL_BIN));
|
||||||
|
|
||||||
|
if (sefcontext_compile(sh,
|
||||||
|
semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS)) != 0) {
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
+ semanage_setfiles(semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_HOMEDIRS_BIN));
|
||||||
|
|
||||||
|
status = 0;
|
||||||
|
cleanup:
|
||||||
|
@@ -3001,3 +3010,26 @@ int semanage_nc_sort(semanage_handle_t * sh, const char *buf, size_t buf_len,
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+/* Make sure the file context and ownership of files in the policy
|
||||||
|
+ * store does not change */
|
||||||
|
+void semanage_setfiles(const char *path){
|
||||||
|
+ struct stat sb;
|
||||||
|
+ int fd;
|
||||||
|
+ /* Fix the user and role portions of the context, ignore errors
|
||||||
|
+ * since this is not a critical operation */
|
||||||
|
+ selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY);
|
||||||
|
+
|
||||||
|
+ /* Make sure "path" is owned by root */
|
||||||
|
+ if ((geteuid() != 0 || getegid() != 0) &&
|
||||||
|
+ ((fd = open(path, O_RDONLY)) != -1)){
|
||||||
|
+ /* Skip files with the SUID or SGID bit set -- abuse protection */
|
||||||
|
+ if ((fstat(fd, &sb) != -1) &&
|
||||||
|
+ !(S_ISREG(sb.st_mode) &&
|
||||||
|
+ (sb.st_mode & (S_ISUID | S_ISGID))) &&
|
||||||
|
+ (fchown(fd, 0, 0) == -1))
|
||||||
|
+ fprintf(stderr, "Warning! Could not set ownership of %s to root\n", path);
|
||||||
|
+
|
||||||
|
+ close(fd);
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
diff --git a/libsemanage/src/semanage_store.h b/libsemanage/src/semanage_store.h
|
||||||
|
index 1fc77da8..e21dadeb 100644
|
||||||
|
--- a/libsemanage/src/semanage_store.h
|
||||||
|
+++ b/libsemanage/src/semanage_store.h
|
||||||
|
@@ -124,6 +124,7 @@ int semanage_get_cil_paths(semanage_handle_t * sh, semanage_module_info_t *modin
|
||||||
|
int semanage_get_active_modules(semanage_handle_t *sh,
|
||||||
|
semanage_module_info_t **modinfo, int *num_modules);
|
||||||
|
|
||||||
|
+void semanage_setfiles(const char *path);
|
||||||
|
|
||||||
|
/* lock file routines */
|
||||||
|
int semanage_get_trans_lock(semanage_handle_t * sh);
|
||||||
|
--
|
||||||
|
2.43.0
|
||||||
|
|
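Review bot: In the new semanage_setfiles() (semanage_store.c hunk at -3001) the selinux_restorecon() result is dropped with no diagnostic, while the commit message says a wrong context on these files breaks remote login, and the fchown() branch a few lines below does warn on failure; the two should be treated alike, e.g. `if (selinux_restorecon(path, SELINUX_RESTORECON_SET_SPECFILE_CTX | SELINUX_RESTORECON_IGNORE_NOENTRY) < 0)` followed by `fprintf(stderr, "Warning! Could not restore context of %s\n", path);`. The `open(path, O_RDONLY)` follows symlinks, so the subsequent fchown() applies to whatever the link resolves to; the store paths passed in are created by this same process, but `O_RDONLY | O_NOFOLLOW | O_CLOEXEC` narrows that at no cost (a symlink then simply fails open() and is skipped — confirm that matches how semanage_copy_dir_flags treats links). Both warnings go to stderr rather than through the handle-based ERR/WARN reporting the library uses elsewhere, which is forced by the handle-less signature `void semanage_setfiles(const char *path)` declared in semanage_store.h; if that stays, a comment on the prototype saying it logs to stderr and never fails would save callers a surprise.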
@ -4,7 +4,7 @@
|
|||||||
Summary: SELinux binary policy manipulation library
|
Summary: SELinux binary policy manipulation library
|
||||||
Name: libsemanage
|
Name: libsemanage
|
||||||
Version: 2.9
|
Version: 2.9
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
|
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
|
||||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||||
@ -20,7 +20,10 @@ Patch0009: 0009-semodule-libsemanage-move-module-hashing-into-libsem.patch
|
|||||||
Patch0010: 0010-libsemanage-move-compressed-file-handling-into-a-sep.patch
|
Patch0010: 0010-libsemanage-move-compressed-file-handling-into-a-sep.patch
|
||||||
Patch0011: 0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch
|
Patch0011: 0011-libsemanage-clean-up-semanage_direct_commit-a-bit.patch
|
||||||
Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch
|
Patch0012: 0012-libsemanage-optionally-rebuild-policy-when-modules-a.patch
|
||||||
Patch0013: 0013-libsemanage-always-write-kernel-policy-when-check_ex.patch
|
Patch0013: 0013-libsemanage-allow-spaces-in-user-group-names.patch
|
||||||
|
Patch0014: 0014-libsemanage-always-write-kernel-policy-when-check_ex.patch
|
||||||
|
Patch0015: 0015-libsemanage-Preserve-file-context-and-ownership-in-p.patch
|
||||||
|
|
||||||
URL: https://github.com/SELinuxProject/selinux/wiki
|
URL: https://github.com/SELinuxProject/selinux/wiki
|
||||||
Source1: semanage.conf
|
Source1: semanage.conf
|
||||||
|
|
||||||
@ -166,8 +169,12 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~
|
|||||||
%{_libexecdir}/selinux/semanage_migrate_store
|
%{_libexecdir}/selinux/semanage_migrate_store
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Oct 11 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
|
* Mon Jul 29 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
|
||||||
- always write kernel policy when check_ext_changes is specified (#2129139)
|
- Preserve file context and ownership in policy store (RHEL-17509)
|
||||||
|
|
||||||
|
* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-9
|
||||||
|
- allow spaces in user/group names (#2042408)
|
||||||
|
- always write kernel policy when check_ext_changes is specified (#2089802)
|
||||||
|
|
||||||
* Tue Feb 22 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
|
* Tue Feb 22 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
|
||||||
- Bump release to get around OSCI issues
|
- Bump release to get around OSCI issues
|
||||||
|