import setroubleshoot-plugins-3.3.10-3.el8

2019-11-05 15:19:50 -05:00 · 2019-11-05 15:19:50 -05:00 · e60fbaa497
parent 95a752d80c
commit e60fbaa497
4 changed files with 227 additions and 1 deletions
--- a/SOURCES/0001-plugins-update-file-plugin.patch
+++ b/SOURCES/0001-plugins-update-file-plugin.patch
@ -0,0 +1,73 @@
+From 33530a96afc489e3fca4ac8eb88073a4b29858d8 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 2 Aug 2019 16:32:06 +0200
+Subject: [PATCH 1/3] plugins: update "file" plugin
+
+- replace file_t references by unlabeled_t since file_t is an alias
+- add fix commands for both versions of the plugin suggestions
+
+Resolves: rhbz#1649818
+---
+ plugins/src/file.py | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/plugins/src/file.py b/plugins/src/file.py
+index 9bcfe80..ac24bf9 100644
+--- a/plugins/src/file.py
+++ b/plugins/src/file.py
+@@ -25,16 +25,16 @@ from setroubleshoot.Plugin import Plugin
+ 
+ class plugin(Plugin):
+     summary =_('''
+-    SELinux is preventing access to files with the label, file_t.
+    SELinux is preventing access to a file labeled unlabeled_t.
+     ''')
+ 
+     problem_description = _('''
+-    SELinux permission checks on files labeled file_t are being
+-    denied.  file_t is the context the SELinux kernel gives to files
+    SELinux permission checks on files labeled unlabeled_t are being
+    denied. unlabeled_t is a context the SELinux kernel gives to files
+     that do not have a label. This indicates a serious labeling
+-    problem. No files on an SELinux box should ever be labeled file_t.
+-    If you have just added a disk drive to the system you can
+-    relabel it using the restorecon command.  For example if you saved the
+    problem. No files on an SELinux box should ever be labeled unlabeled_t.
+    If you have just added a disk drive to the system, you can
+    relabel it using the restorecon command. For example if you saved the
+ home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels.  Otherwise you should
+     relabel the entire file system.
+     ''')
+@@ -62,13 +62,27 @@ home directory from a previous installation that did not use SELinux, 'restoreco
+         else:
+             return 'touch /.autorelabel; reboot'
+ 
+    def get_fix_cmd(self, avc, args):
+        if args == (1,0):
+            return '/sbin/restorecon -R -v $TARGET_PATH'
+        else:
+            return 'touch /.autorelabel; reboot'
+
+    def init_args(self, args):
+        if args == (1,0):
+            self.button_text = _("Try to fix the label.")
+            self.set_priority(70)
+        else:
+            self.button_text = _("Relabel the whole file system. Includes reboot!")
+            self.set_priority(30)
+
+     def __init__(self):
+         Plugin.__init__(self,__name__)
+         self.level="green"
+-        self.set_priority(8)
+        self.fixable=True
+ 
+     def analyze(self, avc):
+-        if avc.matches_target_types(['file_t']):
+        if avc.matches_target_types(['unlabeled_t']):
+             # MATCH
+             reports = []
+             reports.append(self.report((1,0)))
+-- 
+2.17.2
+
--- a/SOURCES/0002-plugins-Update-xen_image-plugin.patch
+++ b/SOURCES/0002-plugins-Update-xen_image-plugin.patch
@ -0,0 +1,42 @@
+From e51acac53be8e8dea80f3a025f9cd7d5e8e910d7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 2 Aug 2019 17:20:16 +0200
+Subject: [PATCH 2/3] plugins: Update "xen_image" plugin
+
+- use virsh_t instead of xm_t, which is now an alias
+- Enable fix button
+
+Resolves: rhbz#1649831
+---
+ plugins/src/xen_image.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/src/xen_image.py b/plugins/src/xen_image.py
+index 5dcdbab..a46798d 100644
+--- a/plugins/src/xen_image.py
+++ b/plugins/src/xen_image.py
+@@ -43,7 +43,7 @@ class plugin(Plugin):
+     You must also change the default file context files on the system in order to preserve them even on a full relabel.  "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'"
+     ''')
+ 
+-    fix_cmd = "chcon -t xen_image_t '$TARGET_PATH'"
+    fix_cmd = "/usr/bin/chcon -t xen_image_t '$TARGET_PATH'"
+ 
+     then_text = _("You need to change the label on '$FIX_TARGET_PATH'")
+ 
+@@ -52,9 +52,11 @@ class plugin(Plugin):
+ 
+     def __init__(self):
+         Plugin.__init__(self, __name__)
+        self.fixable=True
+        self.button_text = _("Change the file label to xen_image_t.")
+ 
+     def analyze(self, avc):
+-        if (avc.matches_source_types(['xend_t', 'xm_t'])                 and
+        if (avc.matches_source_types(['xend_t', 'virsh_t'])              and
+             avc.all_accesses_are_in(avc.r_file_perms + avc.r_dir_perms)  and
+             avc.has_tclass_in(['file', 'dir'])                           and
+             avc.path_is_not_standard_directory()):
+-- 
+2.17.2
+
--- a/SOURCES/0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch
+++ b/SOURCES/0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch
@ -0,0 +1,100 @@
+From 10f47305045de28351614989b53bdf830cdc6dd3 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 2 Aug 2019 18:01:11 +0200
+Subject: [PATCH 3/3] plugins: Update qemu_blk_image and qemu_file_image
+
+- Use svirt_t instead of qemu_t, which is now an alias
+- Enable the fix button
+
+Resolves: rhbz#1649838
+---
+ plugins/src/qemu_blk_image.py  | 11 +++++++----
+ plugins/src/qemu_file_image.py | 14 +++++++++-----
+ 2 files changed, 16 insertions(+), 9 deletions(-)
+
+diff --git a/plugins/src/qemu_blk_image.py b/plugins/src/qemu_blk_image.py
+index fda7e41..48b3b83 100644
+--- a/plugins/src/qemu_blk_image.py
+++ b/plugins/src/qemu_blk_image.py
+@@ -29,9 +29,9 @@ class plugin(Plugin):
+     ''')
+ 
+     problem_description = _('''
+-    SELinux denied qemu access to the block device $TARGET_PATH.
+    SELinux denied svirt access to the block device $TARGET_PATH.
+     If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel $TARGET_PATH to be virt_image_t using chcon.  You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
+-    new path to the system defaults. If you did not intend to use $TARGET_PATH as a qemu
+    new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization
+     image it could indicate either a bug or an intrusion attempt.
+     ''')
+ 
+@@ -40,7 +40,7 @@ class plugin(Plugin):
+     You must also change the default file context files on the system in order to preserve them even on a full relabel.  "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'"
+     ''')
+ 
+-    fix_cmd = "chcon -t virt_image_t '$TARGET_PATH'"
+    fix_cmd = "/usr/bin/chcon -t virt_image_t '$TARGET_PATH'"
+ 
+     then_text = _("You need to change the label on '$FIX_TARGET_PATH'")
+     do_text = _("""# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
+@@ -48,9 +48,12 @@ class plugin(Plugin):
+ 
+     def __init__(self):
+         Plugin.__init__(self, __name__)
+        self.set_priority(60)
+        self.fixable=True
+        self.button_text = _("Set the image label to virt_image_t.")
+ 
+     def analyze(self, avc):
+-        if (avc.matches_source_types(['qemu_t']) and
+        if (avc.matches_source_types(['svirt_t']) and
+            avc.all_accesses_are_in(avc.rw_file_perms + avc.r_dir_perms) and
+            avc.has_tclass_in(['blk_file'])):
+             # MATCH
+diff --git a/plugins/src/qemu_file_image.py b/plugins/src/qemu_file_image.py
+index 7ae716d..98562e1 100644
+--- a/plugins/src/qemu_file_image.py
+++ b/plugins/src/qemu_file_image.py
+@@ -29,12 +29,12 @@ class plugin(Plugin):
+     ''')
+ 
+     problem_description = _('''
+-    SELinux denied qemu access to $TARGET_PATH.
+    SELinux denied svirt access to $TARGET_PATH.
+     If this is a virtualization image, it has to have a file context label of
+     virt_image_t. The system is setup to label image files in directory./var/lib/libvirt/images
+     correctly.  We recommend that you copy your image file to /var/lib/libvirt/images.
+-    If you really want to have your qemu image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon.  You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
+-    new path to the system defaults. If you did not intend to use $TARGET_PATH as a qemu
+    If you really want to have your image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon.  You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
+    new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization
+     image it could indicate either a bug or an intrusion attempt.
+     ''')
+ 
+@@ -43,17 +43,21 @@ class plugin(Plugin):
+     You must also change the default file context files on the system in order to preserve them even on a full relabel.  "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'"
+     ''')
+ 
+-    fix_cmd = "chcon -t virt_image_t '$TARGET_PATH'"
+    fix_cmd = "/usr/bin/chcon -t virt_image_t '$TARGET_PATH'"
+ 
+     if_text = _("If $TARGET_BASE_PATH is a virtualization target")
+     then_text = _("You need to change the label on $TARGET_BASE_PATH'")
+     do_text = """# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
+ # restorecon -v '$FIX_TARGET_PATH'"""
+
+     def __init__(self):
+         Plugin.__init__(self, __name__)
+        self.set_priority(60)
+        self.fixable=True
+        self.button_text = _("Set the image label to virt_image_t.")
+ 
+     def analyze(self, avc):
+-        if (avc.matches_source_types(['qemu_t']) and
+        if (avc.matches_source_types(['svirt_t']) and
+             avc.all_accesses_are_in(avc.rw_file_perms + avc.r_dir_perms) and
+             avc.has_tclass_in(['file', 'dir']) and
+             avc.path_is_not_standard_directory()):
+-- 
+2.17.2
+
--- a/SPECS/setroubleshoot-plugins.spec
+++ b/SPECS/setroubleshoot-plugins.spec
@ -3,11 +3,14 @@
 Summary: Analysis plugins for use with setroubleshoot
 Name: setroubleshoot-plugins
 Version: 3.3.10
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: Applications/System
 URL: https://github.com/fedora-selinux/setroubleshoot
 Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
+Patch1: 0001-plugins-update-file-plugin.patch
+Patch2: 0002-plugins-Update-xen_image-plugin.patch
+Patch3: 0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch
 BuildArch: noarch

 BuildRequires: perl-XML-Parser
@ -41,6 +44,14 @@ rm -rf %{buildroot}
 %{_datadir}/setroubleshoot/plugins

 %changelog
+* Mon Aug 19 2019 Vit Mojzis <vmojzis@redhat.com> - 3.3.10-3
+- Rebuild with gating enabled (#1682462)
+
+* Fri Aug 16 2019 Vit Mojzis <vmojzis@redhat.com> - 3.3.10-2
+- update "file" plugin (#1649818)
+- Update "xen_image" plugin (#1649831)
+- Update qemu_blk_image and qemu_file_image (#1649838)
+
 * Fri Dec  7 2018 Petr Lautrbach <plautrba@redhat.com> - 3.3.10-1
 - Handle no "allowed_target_types" properly
 - bind_ports: Do not use when there are no allowed_target_types