From fb909a98f1854602bb23a06b75b2d32661ffec8d Mon Sep 17 00:00:00 2001
From: Jan Macku
Date: Tue, 1 Oct 2024 14:09:45 +0200
Subject: [PATCH] fix: test_0112.sh fails on SELinux-enabled systems

Resolves: RHEL-61155
---
 ...log-file-for-getting-SELinux-context.patch | 184 ++++++++++++++++++
 logrotate.spec | 8 +-
 2 files changed, 191 insertions(+), 1 deletion(-)
 create mode 100644 001-Avoid-opening-log-file-for-getting-SELinux-context.patch

diff --git a/001-Avoid-opening-log-file-for-getting-SELinux-context.patch b/001-Avoid-opening-log-file-for-getting-SELinux-context.patch
new file mode 100644
index 0000000..0b2e3fe
--- /dev/null
+++ b/001-Avoid-opening-log-file-for-getting-SELinux-context.patch
@@ -0,0 +1,184 @@ +From 5f3274417c0cfa54841f2817eb9a3c5168846ec1 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Sat, 3 Aug 2024 19:07:38 +0200 +Subject: [PATCH] Avoid opening log file for getting SELinux context + +Currently setSecCtxByName() uses open_logfile() to get a file descriptor +to the current log file to retrieve its security context. +open_logfile() performs additional checks, like whether the file is a +regular file, which alter the control flow between systems with SELinux +enabled and disabled. This can be observed in the reported issue #632. +Use lgetfilecon_raw() instead to have the same behavior for SELinux +enabled and disabled systems and delay the checks for invalid log files +to code executed in both cases. + +Closes: #632 +(cherry picked from commit e4a833015eb5590cf86a6a78895ff399174ade4f) +--- + logrotate.c | 89 ++++++++++++++++++++++++++++++----------------------- + 1 file changed, 51 insertions(+), 38 deletions(-) + +diff --git a/logrotate.c b/logrotate.c +index 1292b46..40b5295 100644 +--- a/logrotate.c ++++ b/logrotate.c +@@ -360,27 +360,9 @@ static int movefd(int oldfd, int newfd) + return rc; + } + +-static int setSecCtx(int fdSrc, const char *src, char **pPrevCtx) +-{ + #ifdef WITH_SELINUX +- char *srcCtx; +- *pPrevCtx = NULL; +- +- if (!selinux_enabled) +- /* pretend success */ +- return 0; +- +- /* read security context of fdSrc */ +- if (fgetfilecon_raw(fdSrc, &srcCtx) < 0) { +- if (errno == ENOTSUP) +- /* pretend success */ +- return 0; +- +- message(MESS_ERROR, "getting file context %s: %s\n", src, +- strerror(errno)); +- return selinux_enforce; +- } +- ++static int setSecCtx(char *srcCtx, char **pPrevCtx) ++{ + /* save default security context for restoreSecCtx() */ + if (getfscreatecon_raw(pPrevCtx) < 0) { + message(MESS_ERROR, "getting default context: %s\n", strerror(errno)); +@@ -400,37 +382,68 @@ static int setSecCtx(int fdSrc, const char *src, char **pPrevCtx) + + message(MESS_DEBUG, "set 
default create context to %s\n", srcCtx); + freecon(srcCtx); ++ ++ return 0; ++} ++#endif /* WITH_SELINUX */ ++ ++static int setSecCtxByFd(int fdSrc, const char *src, char **pPrevCtx) ++{ ++#ifdef WITH_SELINUX ++ char *srcCtx; ++ *pPrevCtx = NULL; ++ ++ if (!selinux_enabled) ++ /* pretend success */ ++ return 0; ++ ++ /* read security context of fdSrc */ ++ if (fgetfilecon_raw(fdSrc, &srcCtx) < 0) { ++ if (errno == ENOTSUP) ++ /* pretend success */ ++ return 0; ++ ++ message(MESS_ERROR, "getting file context %s: %s\n", src, ++ strerror(errno)); ++ return selinux_enforce; ++ } ++ ++ return setSecCtx(srcCtx, pPrevCtx); + #else + (void) fdSrc; + (void) src; + (void) pPrevCtx; +-#endif + return 0; ++#endif /* WITH_SELINUX */ + } + +-static int setSecCtxByName(const char *src, const struct logInfo *log, char **pPrevCtx) ++static int setSecCtxByName(const char *src, char **pPrevCtx) + { +- int hasErrors = 0; + #ifdef WITH_SELINUX +- int fd; ++ char *srcCtx; ++ *pPrevCtx = NULL; + + if (!selinux_enabled) + /* pretend success */ + return 0; + +- fd = open_logfile(src, log, 0); +- if (fd < 0) { +- message(MESS_ERROR, "error opening %s: %s\n", src, strerror(errno)); +- return 1; ++ /* read security context of src */ ++ if (lgetfilecon_raw(src, &srcCtx) < 0) { ++ if (errno == ENOTSUP) ++ /* pretend success */ ++ return 0; ++ ++ message(MESS_ERROR, "getting file context %s: %s\n", src, ++ strerror(errno)); ++ return selinux_enforce; + } +- hasErrors = setSecCtx(fd, src, pPrevCtx); +- close(fd); ++ ++ return setSecCtx(srcCtx, pPrevCtx); + #else + (void) src; +- (void) log; + (void) pPrevCtx; +-#endif +- return hasErrors; ++ return 0; ++#endif /* WITH_SELINUX */ + } + + static void restoreSecCtx(char **pPrevCtx) +@@ -853,7 +866,7 @@ static int compressLogFile(const char *name, const struct logInfo *log, const st + return 1; + } + +- if (setSecCtx(inFile, name, &prevCtx) != 0) { ++ if (setSecCtxByFd(inFile, name, &prevCtx) != 0) { + /* error msg already printed */ + 
close(inFile); + return 1; +@@ -1290,7 +1303,7 @@ static int copyTruncate(const char *currLog, const char *saveLog, const struct s + if (!skip_copy) { + char *prevCtx; + +- if (setSecCtx(fdcurr, currLog, &prevCtx) != 0) { ++ if (setSecCtxByFd(fdcurr, currLog, &prevCtx) != 0) { + /* error msg already printed */ + goto fail; + } +@@ -1888,7 +1901,7 @@ static int prerotateSingleLog(const struct logInfo *log, unsigned logNum, + message(MESS_DEBUG, "dateext suffix '%s'\n", dext_str); + message(MESS_DEBUG, "glob pattern '%s'\n", dext_pattern); + +- if (setSecCtxByName(log->files[logNum], log, &prev_context) != 0) { ++ if (setSecCtxByName(log->files[logNum], &prev_context) != 0) { + /* error msg already printed */ + return 1; + } +@@ -2169,7 +2182,7 @@ static int rotateSingleLog(const struct logInfo *log, unsigned logNum, + if (!hasErrors) { + + if (!(log->flags & (LOG_FLAG_COPYTRUNCATE | LOG_FLAG_COPY))) { +- if (setSecCtxByName(log->files[logNum], log, &savedContext) != 0) { ++ if (setSecCtxByName(log->files[logNum], &savedContext) != 0) { + /* error msg already printed */ + return 1; + } +@@ -2711,7 +2724,7 @@ static int writeState(const char *stateFilename) + + /* get attributes, to assign them to the new state file */ + +- if (setSecCtx(fdcurr, stateFilename, &prevCtx) != 0) { ++ if (setSecCtxByFd(fdcurr, stateFilename, &prevCtx) != 0) { + /* error msg already printed */ + free(tmpFilename); + close(fdcurr); +-- +2.46.2 + diff --git a/logrotate.spec b/logrotate.spec index 91c98fa..154cdde 100644 --- a/logrotate.spec +++ b/logrotate.spec @@ -1,7 +1,7 @@ Summary: Rotates, compresses, removes and mails system log files Name: logrotate Version: 3.22.0 -Release: 2%{?dist} +Release: 3%{?dist} License: GPL-2.0-or-later URL: https://github.com/logrotate/logrotate Source0: https://github.com/logrotate/logrotate/releases/download/%{version}/logrotate-%{version}.tar.xz 
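Review bot: The refactored setSecCtx(char *srcCtx, char **pPrevCtx) now takes ownership of the context string it is handed and releases it with freecon() on the success path shown, but nothing at the new signature documents that contract; both setSecCtxByFd() and setSecCtxByName() pass a freshly allocated srcCtx and never free it themselves, so any future caller that kept using the string after the call would be reading freed memory. Add above the new definition `/* Takes ownership of srcCtx (from *getfilecon_raw()) and frees it with freecon() on every return path. */`; the middle of setSecCtx() falls between the two inner hunks and is not visible here, so confirm the error returns there free it as well. In setSecCtxByName() the switch from an open_logfile() descriptor to `lgetfilecon_raw()` also changes which object is labelled when `src` is a symbolic link: the link's own context is read rather than its target's, which is the conservative choice for a path the log owner controls, but it deserves a one-line comment such as `/* lgetfilecon_raw(): label of src itself, never of a symlink target; src is validated later by open_logfile() */` — hedged, since open_logfile() lies outside this patch and the commit message only says its checks are deferred. The ENOTSUP/selinux_enforce handling is now duplicated verbatim in the ByFd and ByName wrappers, which is tolerable for two variants but worth folding into a shared helper if a third appears.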
@@ -13,6 +13,9 @@ Source2: cgzones.pgp Source3: rwtab +# https://github.com/logrotate/logrotate/pull/633 +Patch001: 001-Avoid-opening-log-file-for-getting-SELinux-context.patch + BuildRequires: acl BuildRequires: automake BuildRequires: gcc @@ -115,6 +118,9 @@ fi %config(noreplace) %{_sysconfdir}/rwtab.d/logrotate %changelog +* Tue Oct 01 2024 Jan Macku - 3.22.0-3 +- Fix test_0112.sh fails on SELinux-enabled systems (RHEL-61155) + * Mon Jun 24 2024 Troy Dawson - 3.22.0-2 - Bump release for June 2024 mass rebuild