commit e4523aa66ad9e3381086f2ba8c0e07cfa3661e51
Author: Nathan Scott <nathans@redhat.com>
Date: Fri Apr 30 11:25:56 2021 +1000
selinux: fix detection of lockdown policy class
Resolves Fedora BZ #1929259
diff --git a/configure b/configure
index 12fe8cde5..e6885234a 100755
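--- a/configure
+++ b/configure
@@ -732,6 +732,7 @@ pcp_selinux_chkpwd_exec
 pcp_selinux_security
 pcp_selinux_sudo_exec
 pcp_selinux_initrc_tmp
+pcp_selinux_lockdown_class
 pcp_selinux_icmp_socket_class
 pcp_selinux_cap2_syslog
 pcp_selinux_sbd_exec
@@ -11970,6 +11971,10 @@ if test "x$enable_selinux" != "xfalse"; then :
 | egrep '^[ ][ ]*(class |)icmp_socket$' >/dev/null \
 && pcp_selinux_icmp_socket_class=true
 
+ seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
+ | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \
+ && pcp_selinux_lockdown_class=true
+
 
 seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \
 | egrep '^[ ][ ]*(class |)netlink_selinux_socket$' >/dev/null \
@@ -11987,10 +11992,6 @@ if test "x$enable_selinux" != "xfalse"; then :
 | egrep '^[ ][ ]*(class |)security$' >/dev/null \
 && pcp_selinux_security_class=true
 
- seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
- | egrep '^[ ][ ]*(class |)lockdown$' >/dev/null \
- && pcp_selinux_lockdown_class=true
-
 seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \
 | egrep '^[ ][ ]*(class |)dir$' >/dev/null \
 && pcp_selinux_dir_class=true
@@ -12046,6 +12047,7 @@ fi
 
 
 
+
 
 
 pcp_selinux_files_mmap_all_files=false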
diff --git a/configure.ac b/configure.ac
index aa08ea18f..dcd60b67d 100644
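--- a/configure.ac
+++ b/configure.ac
@@ -2132,6 +2132,10 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [
 | egrep '^[[ ]][[ ]]*(class |)icmp_socket$' >/dev/null \
 && pcp_selinux_icmp_socket_class=true
 
+ seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
+ | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \
+ && pcp_selinux_lockdown_class=true
+
 dnl these ones are for pcpqa.te
 
 seinfo -x --class=netlink_selinux_socket $seinfo_common_flag 2>/dev/null \
@@ -2150,10 +2154,6 @@ AS_IF([test "x$enable_selinux" != "xfalse"], [
 | egrep '^[[ ]][[ ]]*(class |)security$' >/dev/null \
 && pcp_selinux_security_class=true
 
- seinfo -x --class=lockdown $seinfo_common_flag 2>/dev/null \
- | egrep '^[[ ]][[ ]]*(class |)lockdown$' >/dev/null \
- && pcp_selinux_lockdown_class=true
-
 dnl pcp_selinux_dir already used for something else, so name to
 dnl set is pcp_selinux_dir_class
 seinfo -x --class=dir $seinfo_common_flag 2>/dev/null \
@@ -2192,6 +2192,7 @@ AC_SUBST(pcp_selinux_proc_security)
 AC_SUBST(pcp_selinux_sbd_exec)
 AC_SUBST(pcp_selinux_cap2_syslog)
 AC_SUBST(pcp_selinux_icmp_socket_class)
+AC_SUBST(pcp_selinux_lockdown_class)
 
 dnl for pcpqa.te
 AC_SUBST(pcp_selinux_initrc_tmp)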
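Review bot: The relocated lockdown probe only ever assigns `pcp_selinux_lockdown_class=true`, and no `false` default is visible in these hunks, so when seinfo is absent or fails (its stderr goes to /dev/null) the newly added `AC_SUBST(pcp_selinux_lockdown_class)` may substitute an empty string rather than an explicit `false`. If no default is set elsewhere in configure.ac, add `pcp_selinux_lockdown_class=false` ahead of the `AS_IF`; the enclosing `AS_IF` block starts and ends outside the hunks, so this could not be confirmed here. A one-line `dnl` above the probe saying why it sits ahead of the `dnl these ones are for pcpqa.te` marker (presumably because the main policy module, not only pcpqa.te, consumes the result) would keep it from being moved back.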
diff --git a/src/include/builddefs.in b/src/include/builddefs.in
index 93038f446..126fab4d3 100644
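--- a/src/include/builddefs.in
+++ b/src/include/builddefs.in
@@ -282,7 +282,6 @@ PCP_SELINUX_SBD_EXEC = @pcp_selinux_sbd_exec@
 PCP_SELINUX_FILES_MMAP_ALL_FILES = @pcp_selinux_files_mmap_all_files@
 PCP_SELINUX_CAP2_SYSLOG = @pcp_selinux_cap2_syslog@
 PCP_SELINUX_ICMP_SOCKET_CLASS = @pcp_selinux_icmp_socket_class@
-PCP_SELINUX_LOCKDOWN = @pcp_selinux_lockdown@
 PCP_SELINUX_LOCKDOWN_CLASS = @pcp_selinux_lockdown_class@
 # pcpqa.te
 PCP_SELINUX_INITRC_TMP = @pcp_selinux_initrc_tmp@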