import setroubleshoot-plugins-3.3.10-3.el8
parent
95a752d80c
commit
e60fbaa497
|
@ -0,0 +1,73 @@
|
|||
From 33530a96afc489e3fca4ac8eb88073a4b29858d8 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Fri, 2 Aug 2019 16:32:06 +0200
|
||||
Subject: [PATCH 1/3] plugins: update "file" plugin
|
||||
|
||||
- replace file_t references by unlabeled_t since file_t is an alias
|
||||
- add fix commands for both versions of the plugin suggestions
|
||||
|
||||
Resolves: rhbz#1649818
|
||||
---
|
||||
plugins/src/file.py | 30 ++++++++++++++++++++++--------
|
||||
1 file changed, 22 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/plugins/src/file.py b/plugins/src/file.py
|
||||
index 9bcfe80..ac24bf9 100644
|
||||
--- a/plugins/src/file.py
|
||||
+++ b/plugins/src/file.py
|
||||
@@ -25,16 +25,16 @@ from setroubleshoot.Plugin import Plugin
|
||||
|
||||
class plugin(Plugin):
|
||||
summary =_('''
|
||||
- SELinux is preventing access to files with the label, file_t.
|
||||
+ SELinux is preventing access to a file labeled unlabeled_t.
|
||||
''')
|
||||
|
||||
problem_description = _('''
|
||||
- SELinux permission checks on files labeled file_t are being
|
||||
- denied. file_t is the context the SELinux kernel gives to files
|
||||
+ SELinux permission checks on files labeled unlabeled_t are being
|
||||
+ denied. unlabeled_t is a context the SELinux kernel gives to files
|
||||
that do not have a label. This indicates a serious labeling
|
||||
- problem. No files on an SELinux box should ever be labeled file_t.
|
||||
- If you have just added a disk drive to the system you can
|
||||
- relabel it using the restorecon command. For example if you saved the
|
||||
+ problem. No files on an SELinux box should ever be labeled unlabeled_t.
|
||||
+ If you have just added a disk drive to the system, you can
|
||||
+ relabel it using the restorecon command. For example if you saved the
|
||||
home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should
|
||||
relabel the entire file system.
|
||||
''')
|
||||
@@ -62,13 +62,27 @@ home directory from a previous installation that did not use SELinux, 'restoreco
|
||||
else:
|
||||
return 'touch /.autorelabel; reboot'
|
||||
|
||||
+ def get_fix_cmd(self, avc, args):
|
||||
+ if args == (1,0):
|
||||
+ return '/sbin/restorecon -R -v $TARGET_PATH'
|
||||
+ else:
|
||||
+ return 'touch /.autorelabel; reboot'
|
||||
+
|
||||
+ def init_args(self, args):
|
||||
+ if args == (1,0):
|
||||
+ self.button_text = _("Try to fix the label.")
|
||||
+ self.set_priority(70)
|
||||
+ else:
|
||||
+ self.button_text = _("Relabel the whole file system. Includes reboot!")
|
||||
+ self.set_priority(30)
|
||||
+
|
||||
def __init__(self):
|
||||
Plugin.__init__(self,__name__)
|
||||
self.level="green"
|
||||
- self.set_priority(8)
|
||||
+ self.fixable=True
|
||||
|
||||
def analyze(self, avc):
|
||||
- if avc.matches_target_types(['file_t']):
|
||||
+ if avc.matches_target_types(['unlabeled_t']):
|
||||
# MATCH
|
||||
reports = []
|
||||
reports.append(self.report((1,0)))
|
||||
--
|
||||
2.17.2
|
||||
|
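Review bot: In the new `get_fix_cmd` of plugins/src/file.py, the `(1,0)` branch returns `/sbin/restorecon -R -v $TARGET_PATH` with the path unquoted, while the `fix_cmd` strings in the xen_image and qemu plugins of this same series quote it as `'$TARGET_PATH'`. The path presumably comes from the denial record, so a name containing spaces or shell metacharacters would be split or interpreted if the caller hands this string to a shell (the runner is not visible here); `return "/sbin/restorecon -R -v '$TARGET_PATH'"` would at least match the other plugins. The else branch, `touch /.autorelabel; reboot`, only works if a shell interprets the `;`, and it resolves `touch` and `reboot` through PATH although the series otherwise moves to absolute paths. The class body begins outside the hunk, so how `args` other than `(1,0)` are produced cannot be confirmed from here.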
|
@ -0,0 +1,42 @@
|
|||
From e51acac53be8e8dea80f3a025f9cd7d5e8e910d7 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Fri, 2 Aug 2019 17:20:16 +0200
|
||||
Subject: [PATCH 2/3] plugins: Update "xen_image" plugin
|
||||
|
||||
- use virsh_t instead of xm_t, which is now an alias
|
||||
- Enable fix button
|
||||
|
||||
Resolves: rhbz#1649831
|
||||
---
|
||||
plugins/src/xen_image.py | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/plugins/src/xen_image.py b/plugins/src/xen_image.py
|
||||
index 5dcdbab..a46798d 100644
|
||||
--- a/plugins/src/xen_image.py
|
||||
+++ b/plugins/src/xen_image.py
|
||||
@@ -43,7 +43,7 @@ class plugin(Plugin):
|
||||
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'"
|
||||
''')
|
||||
|
||||
- fix_cmd = "chcon -t xen_image_t '$TARGET_PATH'"
|
||||
+ fix_cmd = "/usr/bin/chcon -t xen_image_t '$TARGET_PATH'"
|
||||
|
||||
then_text = _("You need to change the label on '$FIX_TARGET_PATH'")
|
||||
|
||||
@@ -52,9 +52,11 @@ class plugin(Plugin):
|
||||
|
||||
def __init__(self):
|
||||
Plugin.__init__(self, __name__)
|
||||
+ self.fixable=True
|
||||
+ self.button_text = _("Change the file label to xen_image_t.")
|
||||
|
||||
def analyze(self, avc):
|
||||
- if (avc.matches_source_types(['xend_t', 'xm_t']) and
|
||||
+ if (avc.matches_source_types(['xend_t', 'virsh_t']) and
|
||||
avc.all_accesses_are_in(avc.r_file_perms + avc.r_dir_perms) and
|
||||
avc.has_tclass_in(['file', 'dir']) and
|
||||
avc.path_is_not_standard_directory()):
|
||||
--
|
||||
2.17.2
|
||||
|
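Review bot: Setting `self.fixable=True` in `__init__` of plugins/src/xen_image.py exposes `fix_cmd`, which runs only `chcon`, whereas the context line just above it tells the user they must also run `semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'` for the label to survive a full relabel. A user who clicks the button therefore gets a label that the next relabel or restorecon presumably reverts, and the button text does not say so. The same applies to the `fix_cmd`/`fixable` changes in qemu_blk_image.py and qemu_file_image.py in patch 3/3. I would add a comment above `fix_cmd` such as `# one-shot relabel only; the persistent fcontext rule from the description is not applied`, and say in `button_text` that the change is not persistent. Single quotes around `$TARGET_PATH` also do not protect against a path that itself contains `'`, if the string is passed to a shell (the runner is not visible here).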
|
@ -0,0 +1,100 @@
|
|||
From 10f47305045de28351614989b53bdf830cdc6dd3 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Fri, 2 Aug 2019 18:01:11 +0200
|
||||
Subject: [PATCH 3/3] plugins: Update qemu_blk_image and qemu_file_image
|
||||
|
||||
- Use svirt_t instead of qemu_t, which is now an alias
|
||||
- Enable the fix button
|
||||
|
||||
Resolves: rhbz#1649838
|
||||
---
|
||||
plugins/src/qemu_blk_image.py | 11 +++++++----
|
||||
plugins/src/qemu_file_image.py | 14 +++++++++-----
|
||||
2 files changed, 16 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/plugins/src/qemu_blk_image.py b/plugins/src/qemu_blk_image.py
|
||||
index fda7e41..48b3b83 100644
|
||||
--- a/plugins/src/qemu_blk_image.py
|
||||
+++ b/plugins/src/qemu_blk_image.py
|
||||
@@ -29,9 +29,9 @@ class plugin(Plugin):
|
||||
''')
|
||||
|
||||
problem_description = _('''
|
||||
- SELinux denied qemu access to the block device $TARGET_PATH.
|
||||
+ SELinux denied svirt access to the block device $TARGET_PATH.
|
||||
If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
|
||||
- new path to the system defaults. If you did not intend to use $TARGET_PATH as a qemu
|
||||
+ new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization
|
||||
image it could indicate either a bug or an intrusion attempt.
|
||||
''')
|
||||
|
||||
@@ -40,7 +40,7 @@ class plugin(Plugin):
|
||||
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'"
|
||||
''')
|
||||
|
||||
- fix_cmd = "chcon -t virt_image_t '$TARGET_PATH'"
|
||||
+ fix_cmd = "/usr/bin/chcon -t virt_image_t '$TARGET_PATH'"
|
||||
|
||||
then_text = _("You need to change the label on '$FIX_TARGET_PATH'")
|
||||
do_text = _("""# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
|
||||
@@ -48,9 +48,12 @@ class plugin(Plugin):
|
||||
|
||||
def __init__(self):
|
||||
Plugin.__init__(self, __name__)
|
||||
+ self.set_priority(60)
|
||||
+ self.fixable=True
|
||||
+ self.button_text = _("Set the image label to virt_image_t.")
|
||||
|
||||
def analyze(self, avc):
|
||||
- if (avc.matches_source_types(['qemu_t']) and
|
||||
+ if (avc.matches_source_types(['svirt_t']) and
|
||||
avc.all_accesses_are_in(avc.rw_file_perms + avc.r_dir_perms) and
|
||||
avc.has_tclass_in(['blk_file'])):
|
||||
# MATCH
|
||||
diff --git a/plugins/src/qemu_file_image.py b/plugins/src/qemu_file_image.py
|
||||
index 7ae716d..98562e1 100644
|
||||
--- a/plugins/src/qemu_file_image.py
|
||||
+++ b/plugins/src/qemu_file_image.py
|
||||
@@ -29,12 +29,12 @@ class plugin(Plugin):
|
||||
''')
|
||||
|
||||
problem_description = _('''
|
||||
- SELinux denied qemu access to $TARGET_PATH.
|
||||
+ SELinux denied svirt access to $TARGET_PATH.
|
||||
If this is a virtualization image, it has to have a file context label of
|
||||
virt_image_t. The system is setup to label image files in directory./var/lib/libvirt/images
|
||||
correctly. We recommend that you copy your image file to /var/lib/libvirt/images.
|
||||
- If you really want to have your qemu image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
|
||||
- new path to the system defaults. If you did not intend to use $TARGET_PATH as a qemu
|
||||
+ If you really want to have your image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this
|
||||
+ new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization
|
||||
image it could indicate either a bug or an intrusion attempt.
|
||||
''')
|
||||
|
||||
@@ -43,17 +43,21 @@ class plugin(Plugin):
|
||||
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'"
|
||||
''')
|
||||
|
||||
- fix_cmd = "chcon -t virt_image_t '$TARGET_PATH'"
|
||||
+ fix_cmd = "/usr/bin/chcon -t virt_image_t '$TARGET_PATH'"
|
||||
|
||||
if_text = _("If $TARGET_BASE_PATH is a virtualization target")
|
||||
then_text = _("You need to change the label on $TARGET_BASE_PATH'")
|
||||
do_text = """# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
|
||||
# restorecon -v '$FIX_TARGET_PATH'"""
|
||||
+
|
||||
def __init__(self):
|
||||
Plugin.__init__(self, __name__)
|
||||
+ self.set_priority(60)
|
||||
+ self.fixable=True
|
||||
+ self.button_text = _("Set the image label to virt_image_t.")
|
||||
|
||||
def analyze(self, avc):
|
||||
- if (avc.matches_source_types(['qemu_t']) and
|
||||
+ if (avc.matches_source_types(['svirt_t']) and
|
||||
avc.all_accesses_are_in(avc.rw_file_perms + avc.r_dir_perms) and
|
||||
avc.has_tclass_in(['file', 'dir']) and
|
||||
avc.path_is_not_standard_directory()):
|
||||
--
|
||||
2.17.2
|
||||
|
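Review bot: In plugins/src/qemu_file_image.py the newly enabled button runs `fix_cmd` on `$TARGET_PATH`, but `if_text` and `then_text` tell the user that the label on `$TARGET_BASE_PATH` needs changing and `do_text` uses `$FIX_TARGET_PATH`, so the one-click fix may relabel a different object than the one the text describes. The `problem_description` of both qemu plugins also warns that an unintended access "could indicate either a bug or an intrusion attempt", yet `button_text` offers the relabel without that caveat and without naming the path. `analyze` in qemu_blk_image.py matches `svirt_t` denials on a `blk_file` whose accesses fall within `rw_file_perms + r_dir_perms`, so clicking through would give a block device the image label the confined domain is allowed to use. I would make the button carry the condition, e.g. `self.button_text = _("Set the image label to virt_image_t (only if this is a virtualization image).")`. The `analyze` bodies continue outside the hunks.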
|
@ -3,11 +3,14 @@
|
|||
Summary: Analysis plugins for use with setroubleshoot
|
||||
Name: setroubleshoot-plugins
|
||||
Version: 3.3.10
|
||||
Release: 1%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: Applications/System
|
||||
URL: https://github.com/fedora-selinux/setroubleshoot
|
||||
Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
|
||||
Patch1: 0001-plugins-update-file-plugin.patch
|
||||
Patch2: 0002-plugins-Update-xen_image-plugin.patch
|
||||
Patch3: 0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: perl-XML-Parser
|
||||
|
@ -41,6 +44,14 @@ rm -rf %{buildroot}
|
|||
%{_datadir}/setroubleshoot/plugins
|
||||
|
||||
%changelog
|
||||
* Mon Aug 19 2019 Vit Mojzis <vmojzis@redhat.com> - 3.3.10-3
|
||||
- Rebuild with gating enabled (#1682462)
|
||||
|
||||
* Fri Aug 16 2019 Vit Mojzis <vmojzis@redhat.com> - 3.3.10-2
|
||||
- update "file" plugin (#1649818)
|
||||
- Update "xen_image" plugin (#1649831)
|
||||
- Update qemu_blk_image and qemu_file_image (#1649838)
|
||||
|
||||
* Fri Dec 7 2018 Petr Lautrbach <plautrba@redhat.com> - 3.3.10-1
|
||||
- Handle no "allowed_target_types" properly
|
||||
- bind_ports: Do not use when there are no allowed_target_types
|
||||
|
|