fix: test_0112.sh fails on SELinux-enabled systems

Resolves: RHEL-61155
2024-10-01 14:09:45 +02:00 · 2024-10-01 14:09:45 +02:00 · fb909a98f1
commit fb909a98f1
parent 49f1776c81
2 changed files with 191 additions and 1 deletions
--- a/001-Avoid-opening-log-file-for-getting-SELinux-context.patch
+++ b/001-Avoid-opening-log-file-for-getting-SELinux-context.patch
@ -0,0 +1,184 @@
+From 5f3274417c0cfa54841f2817eb9a3c5168846ec1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Sat, 3 Aug 2024 19:07:38 +0200
+Subject: [PATCH] Avoid opening log file for getting SELinux context
+
+Currently setSecCtxByName() uses open_logfile() to get a file descriptor
+to the current log file to retrieve its security context.
+open_logfile() performs additional checks, like whether the file is a
+regular file, which alter the control flow between systems with SELinux
+enabled and disabled.  This can be observed in the reported issue #632.
+Use lgetfilecon_raw() instead to have the same behavior for SELinux
+enabled and disabled systems and delay the checks for invalid log files
+to code executed in both cases.
+
+Closes: #632
+(cherry picked from commit e4a833015eb5590cf86a6a78895ff399174ade4f)
+---
+ logrotate.c | 89 ++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 51 insertions(+), 38 deletions(-)
+
+diff --git a/logrotate.c b/logrotate.c
+index 1292b46..40b5295 100644
+--- a/logrotate.c
+++ b/logrotate.c
+@@ -360,27 +360,9 @@ static int movefd(int oldfd, int newfd)
+     return rc;
+ }
+ 
+-static int setSecCtx(int fdSrc, const char *src, char **pPrevCtx)
+-{
+ #ifdef WITH_SELINUX
+-    char *srcCtx;
+-    *pPrevCtx = NULL;
+-
+-    if (!selinux_enabled)
+-        /* pretend success */
+-        return 0;
+-
+-    /* read security context of fdSrc */
+-    if (fgetfilecon_raw(fdSrc, &srcCtx) < 0) {
+-        if (errno == ENOTSUP)
+-            /* pretend success */
+-            return 0;
+-
+-        message(MESS_ERROR, "getting file context %s: %s\n", src,
+-                strerror(errno));
+-        return selinux_enforce;
+-    }
+-
+static int setSecCtx(char *srcCtx, char **pPrevCtx)
+{
+     /* save default security context for restoreSecCtx() */
+     if (getfscreatecon_raw(pPrevCtx) < 0) {
+         message(MESS_ERROR, "getting default context: %s\n", strerror(errno));
+@@ -400,37 +382,68 @@ static int setSecCtx(int fdSrc, const char *src, char **pPrevCtx)
+ 
+     message(MESS_DEBUG, "set default create context to %s\n", srcCtx);
+     freecon(srcCtx);
+
+    return 0;
+}
+#endif /* WITH_SELINUX */
+
+static int setSecCtxByFd(int fdSrc, const char *src, char **pPrevCtx)
+{
+#ifdef WITH_SELINUX
+    char *srcCtx;
+    *pPrevCtx = NULL;
+
+    if (!selinux_enabled)
+        /* pretend success */
+        return 0;
+
+    /* read security context of fdSrc */
+    if (fgetfilecon_raw(fdSrc, &srcCtx) < 0) {
+        if (errno == ENOTSUP)
+            /* pretend success */
+            return 0;
+
+        message(MESS_ERROR, "getting file context %s: %s\n", src,
+                strerror(errno));
+        return selinux_enforce;
+    }
+
+    return setSecCtx(srcCtx, pPrevCtx);
+ #else
+     (void) fdSrc;
+     (void) src;
+     (void) pPrevCtx;
+-#endif
+     return 0;
+#endif /* WITH_SELINUX */
+ }
+ 
+-static int setSecCtxByName(const char *src, const struct logInfo *log, char **pPrevCtx)
+static int setSecCtxByName(const char *src, char **pPrevCtx)
+ {
+-    int hasErrors = 0;
+ #ifdef WITH_SELINUX
+-    int fd;
+    char *srcCtx;
+    *pPrevCtx = NULL;
+ 
+     if (!selinux_enabled)
+         /* pretend success */
+         return 0;
+ 
+-    fd = open_logfile(src, log, 0);
+-    if (fd < 0) {
+-        message(MESS_ERROR, "error opening %s: %s\n", src, strerror(errno));
+-        return 1;
+    /* read security context of src */
+    if (lgetfilecon_raw(src, &srcCtx) < 0) {
+        if (errno == ENOTSUP)
+            /* pretend success */
+            return 0;
+
+        message(MESS_ERROR, "getting file context %s: %s\n", src,
+                strerror(errno));
+        return selinux_enforce;
+     }
+-    hasErrors = setSecCtx(fd, src, pPrevCtx);
+-    close(fd);
+
+    return setSecCtx(srcCtx, pPrevCtx);
+ #else
+     (void) src;
+-    (void) log;
+     (void) pPrevCtx;
+-#endif
+-    return hasErrors;
+    return 0;
+#endif /* WITH_SELINUX */
+ }
+ 
+ static void restoreSecCtx(char **pPrevCtx)
+@@ -853,7 +866,7 @@ static int compressLogFile(const char *name, const struct logInfo *log, const st
+         return 1;
+     }
+ 
+-    if (setSecCtx(inFile, name, &prevCtx) != 0) {
+    if (setSecCtxByFd(inFile, name, &prevCtx) != 0) {
+         /* error msg already printed */
+         close(inFile);
+         return 1;
+@@ -1290,7 +1303,7 @@ static int copyTruncate(const char *currLog, const char *saveLog, const struct s
+         if (!skip_copy) {
+             char *prevCtx;
+ 
+-            if (setSecCtx(fdcurr, currLog, &prevCtx) != 0) {
+            if (setSecCtxByFd(fdcurr, currLog, &prevCtx) != 0) {
+                 /* error msg already printed */
+                 goto fail;
+             }
+@@ -1888,7 +1901,7 @@ static int prerotateSingleLog(const struct logInfo *log, unsigned logNum,
+     message(MESS_DEBUG, "dateext suffix '%s'\n", dext_str);
+     message(MESS_DEBUG, "glob pattern '%s'\n", dext_pattern);
+ 
+-    if (setSecCtxByName(log->files[logNum], log, &prev_context) != 0) {
+    if (setSecCtxByName(log->files[logNum], &prev_context) != 0) {
+         /* error msg already printed */
+         return 1;
+     }
+@@ -2169,7 +2182,7 @@ static int rotateSingleLog(const struct logInfo *log, unsigned logNum,
+     if (!hasErrors) {
+ 
+         if (!(log->flags & (LOG_FLAG_COPYTRUNCATE | LOG_FLAG_COPY))) {
+-            if (setSecCtxByName(log->files[logNum], log, &savedContext) != 0) {
+            if (setSecCtxByName(log->files[logNum], &savedContext) != 0) {
+                 /* error msg already printed */
+                 return 1;
+             }
+@@ -2711,7 +2724,7 @@ static int writeState(const char *stateFilename)
+ 
+     /* get attributes, to assign them to the new state file */
+ 
+-    if (setSecCtx(fdcurr, stateFilename, &prevCtx) != 0) {
+    if (setSecCtxByFd(fdcurr, stateFilename, &prevCtx) != 0) {
+         /* error msg already printed */
+         free(tmpFilename);
+         close(fdcurr);
+-- 
+2.46.2
+
--- a/logrotate.spec
+++ b/logrotate.spec
@ -1,7 +1,7 @@
 Summary: Rotates, compresses, removes and mails system log files
 Name: logrotate
 Version: 3.22.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPL-2.0-or-later
 URL: https://github.com/logrotate/logrotate
 Source0: https://github.com/logrotate/logrotate/releases/download/%{version}/logrotate-%{version}.tar.xz
@ -13,6 +13,9 @@ Source2: cgzones.pgp

 Source3: rwtab

+# https://github.com/logrotate/logrotate/pull/633
+Patch001: 001-Avoid-opening-log-file-for-getting-SELinux-context.patch
+
 BuildRequires: acl
 BuildRequires: automake
 BuildRequires: gcc
@ -115,6 +118,9 @@ fi
 %config(noreplace) %{_sysconfdir}/rwtab.d/logrotate

 %changelog
+* Tue Oct 01 2024 Jan Macku <jamacku@redhat.com> - 3.22.0-3
+- Fix test_0112.sh fails on SELinux-enabled systems (RHEL-61155)
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.22.0-2
 - Bump release for June 2024 mass rebuild