Add check for config file consistency

Make sure the config is consistent with what packages are (being)
installed in the system.

This should ensure that the package corresponding to SELINUXTYPE
in the config is always present in the system, or selinux is DISABLED
(both before policy_load is called and after any RPM transaction involving
selinux-policy-* package). Targeted mode is used when possible.

Resolves: rhbz#1641631

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Vit Mojzis 2019-02-14 15:42:36 +01:00
parent a8da133b94
commit 7fd6024816
1 changed files with 73 additions and 0 deletions


@ -337,6 +337,58 @@ mkdir -p %{buildroot}/%{_libexecdir}/selinux/ \
#install -m 644 -p %{SOURCE101} %{buildroot}/%{_unitdir}/ \ #install -m 644 -p %{SOURCE101} %{buildroot}/%{_unitdir}/ \
#ln -s ../selinux-factory-reset@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service #ln -s ../selinux-factory-reset@.service %{buildroot}/%{_unitdir}/basic.target.wants/selinux-factory-reset@%1.service
# Make sure the config is consistent with what packages are installed in the system
# this covers cases when system is installed with selinux-policy-{mls,minimal}
# or selinux-policy-{targeted,mls,minimal} where switched but the machine has not
# been rebooted yet.
# The macro should be called at the beginning of "post" (to make sure load_policy does not fail)
# and in "posttrans" (to make sure that the store is consistent when all package transitions are done)
# Parameter determines the policy type to be set in case of miss-configuration (if backup value is not usable)
# Steps:
# * load values from config and its backup
# * check whether SELINUXTYPE from backup is usable and make sure that it's set in the config if so
# * use "targeted" if it's being installed and BACKUP_SELINUXTYPE cannot be used
# * check whether SELINUXTYPE in the config is usable and change it to newly installed policy if it isn't
%define checkConfigConsistency() \
. %{_sysconfdir}/selinux/config; \
if [ -f %{_sysconfdir}/selinux/.config_backup ]; then \
. %{_sysconfdir}/selinux/.config_backup; \
else \
BACKUP_SELINUXTYPE=targeted; \
fi; \
if ls %{_sysconfdir}/selinux/$BACKUP_SELINUXTYPE/policy/policy.* &>/dev/null; then \
if [ "$BACKUP_SELINUXTYPE" != "$SELINUXTYPE" ]; then \
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE='"$BACKUP_SELINUXTYPE"'/g' %{_sysconfdir}/selinux/config; \
fi; \
elif [ "%1" = "targeted" ]; then \
if [ "%1" != "$SELINUXTYPE" ]; then \
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
fi; \
elif ! ls %{_sysconfdir}/selinux/$SELINUXTYPE/policy/policy.* &>/dev/null; then \
if [ "%1" != "$SELINUXTYPE" ]; then \
sed -i 's/^SELINUXTYPE=.*/SELINUXTYPE=%1/g' %{_sysconfdir}/selinux/config; \
fi; \
fi;
# Create hidden backup of /etc/selinux/config and prepend BACKUP_ to names
# of variables inside so that they are easy to use later
# This should be done in "pretrans" because config content can change during RPM operations
# The macro has to be used in a script slot with "-p <lua>"
%define backupConfigLua() \
local sysconfdir = rpm.expand("%{_sysconfdir}") \
local config_file = sysconfdir .. "/selinux/config" \
local config_backup = sysconfdir .. "/selinux/.config_backup" \
os.remove(config_backup) \
if posix.stat(config_file) then \
local f = assert(io.open(config_file, "r"), "Failed to read " .. config_file) \
local content = f:read("*all") \
f:close() \
local backup = content:gsub("SELINUX", "BACKUP_SELINUX") \
local bf = assert(io.open(config_backup, "w"), "Failed to open " .. config_backup) \
bf:write(backup) \
bf:close() \
end
%build %build
%prep %prep
@ -493,13 +545,20 @@ Conflicts: container-selinux < 2:1.12.1-22
%description targeted %description targeted
SELinux Reference policy targeted base module. SELinux Reference policy targeted base module.
%pretrans targeted -p <lua>
%backupConfigLua
%pre targeted %pre targeted
%preInstall targeted %preInstall targeted
%post targeted %post targeted
%checkConfigConsistency targeted
%postInstall $1 targeted %postInstall $1 targeted
exit 0 exit 0
%posttrans targeted
%checkConfigConsistency targeted
%postun targeted %postun targeted
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source /etc/selinux/config source /etc/selinux/config
@ -565,6 +624,9 @@ Conflicts: container-selinux <= 1.9.0-9
%description minimum %description minimum
SELinux Reference policy minimum base module. SELinux Reference policy minimum base module.
%pretrans minimum -p <lua>
%backupConfigLua
%pre minimum %pre minimum
%preInstall minimum %preInstall minimum
if [ $1 -ne 1 ]; then if [ $1 -ne 1 ]; then
@ -572,6 +634,7 @@ if [ $1 -ne 1 ]; then
fi fi
%post minimum %post minimum
%checkConfigConsistency minimum
contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst` contribpackages=`cat /usr/share/selinux/minimum/modules-contrib.lst`
basepackages=`cat /usr/share/selinux/minimum/modules-base.lst` basepackages=`cat /usr/share/selinux/minimum/modules-base.lst`
if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then if [ ! -d /var/lib/selinux/minimum/active/modules/disabled ]; then
@ -603,6 +666,9 @@ done
fi fi
exit 0 exit 0
%posttrans minimum
%checkConfigConsistency minimum
%postun minimum %postun minimum
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source /etc/selinux/config source /etc/selinux/config
@ -660,13 +726,20 @@ Conflicts: container-selinux <= 1.9.0-9
%description mls %description mls
SELinux Reference policy mls base module. SELinux Reference policy mls base module.
%pretrans mls -p <lua>
%backupConfigLua
%pre mls %pre mls
%preInstall mls %preInstall mls
%post mls %post mls
%checkConfigConsistency mls
%postInstall $1 mls %postInstall $1 mls
exit 0 exit 0
%posttrans mls
%checkConfigConsistency mls
%postun mls %postun mls
if [ $1 = 0 ]; then if [ $1 = 0 ]; then
source /etc/selinux/config source /etc/selinux/config
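Review bot: The values sourced from the config and its backup (`$SELINUXTYPE`, `$BACKUP_SELINUXTYPE`) are used unquoted in the `ls` globs of the checkConfigConsistency macro in the first hunk and spliced into the sed `s///` expression without any validation, so an empty or malformed value (spaces, `/`, `&`, glob characters) can make the existence test pass or fail for the wrong reason, or make sed abort and leave the config untouched; the exposure is limited because both files are root-owned, but the macro is only deterministic for well-formed policy names. I would normalise right after sourcing, `case "$BACKUP_SELINUXTYPE" in ''|*[!A-Za-z0-9_.-]*) BACKUP_SELINUXTYPE=targeted;; esac; \`, treat a malformed `$SELINUXTYPE` the same way so the `elif ! ls` branch is taken, and quote the variable while leaving the glob unquoted, `ls %{_sysconfdir}/selinux/"$BACKUP_SELINUXTYPE"/policy/policy.* >/dev/null 2>&1`. The `&>/dev/null` redirection is a bash extension; rpm runs these scriptlets with /bin/sh, which is bash on the distributions this spec targets, but `>/dev/null 2>&1` is the portable spelling and costs nothing. The later hunks only invoke the macro, so they inherit whatever the first hunk decides.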