diff --git a/SOURCES/0001-plugins-update-file-plugin.patch b/SOURCES/0001-plugins-update-file-plugin.patch
new file mode 100644
index 0000000..dc94afc
--- /dev/null
+++ b/SOURCES/0001-plugins-update-file-plugin.patch
@@ -0,0 +1,73 @@
+From 33530a96afc489e3fca4ac8eb88073a4b29858d8 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 2 Aug 2019 16:32:06 +0200
+Subject: [PATCH 1/3] plugins: update "file" plugin
+
+- replace file_t references by unlabeled_t since file_t is an alias
+- add fix commands for both versions of the plugin suggestions
+
+Resolves: rhbz#1649818
+---
+ plugins/src/file.py | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+diff --git a/plugins/src/file.py b/plugins/src/file.py
+index 9bcfe80..ac24bf9 100644
+--- a/plugins/src/file.py
++++ b/plugins/src/file.py
+@@ -25,16 +25,16 @@ from setroubleshoot.Plugin import Plugin
+ 
+ class plugin(Plugin):
+ summary =_('''
+- SELinux is preventing access to files with the label, file_t.
++ SELinux is preventing access to a file labeled unlabeled_t.
+ ''')
+ 
+ problem_description = _('''
+- SELinux permission checks on files labeled file_t are being
+- denied. file_t is the context the SELinux kernel gives to files
++ SELinux permission checks on files labeled unlabeled_t are being
++ denied. unlabeled_t is a context the SELinux kernel gives to files
+ that do not have a label. This indicates a serious labeling
+- problem. No files on an SELinux box should ever be labeled file_t.
+- If you have just added a disk drive to the system you can
+- relabel it using the restorecon command. For example if you saved the
++ problem. No files on an SELinux box should ever be labeled unlabeled_t.
++ If you have just added a disk drive to the system, you can
++ relabel it using the restorecon command. For example if you saved the
+ home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should
+ relabel the entire file system.
+ ''')
+@@ -62,13 +62,27 @@ home directory from a previous installation that did not use SELinux, 'restoreco
+ else:
+ return 'touch /.autorelabel; reboot'
+ 
++ def get_fix_cmd(self, avc, args):
++ if args == (1,0):
++ return '/sbin/restorecon -R -v $TARGET_PATH'
++ else:
++ return 'touch /.autorelabel; reboot'
++
++ def init_args(self, args):
++ if args == (1,0):
++ self.button_text = _("Try to fix the label.")
++ self.set_priority(70)
++ else:
++ self.button_text = _("Relabel the whole file system. Includes reboot!")
++ self.set_priority(30)
++
+ def __init__(self):
+ Plugin.__init__(self,__name__)
+ self.level="green"
+- self.set_priority(8)
++ self.fixable=True
+ 
+ def analyze(self, avc):
+- if avc.matches_target_types(['file_t']):
++ if avc.matches_target_types(['unlabeled_t']):
+ # MATCH
+ reports = []
+ reports.append(self.report((1,0)))
+--
+2.17.2
+
diff --git a/SOURCES/0002-plugins-Update-xen_image-plugin.patch b/SOURCES/0002-plugins-Update-xen_image-plugin.patch
new file mode 100644
index 0000000..6899b80
--- /dev/null
+++ b/SOURCES/0002-plugins-Update-xen_image-plugin.patch
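Review bot: The new `get_fix_cmd` returns `'/sbin/restorecon -R -v $TARGET_PATH'` with the substituted path unquoted, while every other fix command in this series wraps it as `'$TARGET_PATH'`, and `self.fixable=True` in the same hunk is what first exposes this string through the fix button. The path of an `unlabeled_t` denial is whatever the file's creator named it, so a name containing whitespace or shell metacharacters would be word-split into extra arguments or, if the fix helper runs the string through a shell, executed — how the helper executes `fix_cmd` is not visible here and should be confirmed. At minimum quote it, `return "/sbin/restorecon -R -v '$TARGET_PATH'"`, and if `$FIX_TARGET_PATH` is the shell-escaped form (its use in the other plugins' `semanage` text suggests so) prefer that variable. The `analyze` method continues past the end of the hunk.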
@@ -0,0 +1,42 @@
+From e51acac53be8e8dea80f3a025f9cd7d5e8e910d7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 2 Aug 2019 17:20:16 +0200
+Subject: [PATCH 2/3] plugins: Update "xen_image" plugin
+
+- use virsh_t instead of xm_t, which is now an alias
+- Enable fix button
+
+Resolves: rhbz#1649831
+---
+ plugins/src/xen_image.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/plugins/src/xen_image.py b/plugins/src/xen_image.py
+index 5dcdbab..a46798d 100644
+--- a/plugins/src/xen_image.py
++++ b/plugins/src/xen_image.py
+@@ -43,7 +43,7 @@ class plugin(Plugin):
+ You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'"
+ ''')
+ 
+- fix_cmd = "chcon -t xen_image_t '$TARGET_PATH'"
++ fix_cmd = "/usr/bin/chcon -t xen_image_t '$TARGET_PATH'"
+ 
+ then_text = _("You need to change the label on '$FIX_TARGET_PATH'")
+ 
+@@ -52,9 +52,11 @@ class plugin(Plugin):
+ 
+ def __init__(self):
+ Plugin.__init__(self, __name__)
++ self.fixable=True
++ self.button_text = _("Change the file label to xen_image_t.")
+ 
+ def analyze(self, avc):
+- if (avc.matches_source_types(['xend_t', 'xm_t']) and
++ if (avc.matches_source_types(['xend_t', 'virsh_t']) and
+ avc.all_accesses_are_in(avc.r_file_perms + avc.r_dir_perms) and
+ avc.has_tclass_in(['file', 'dir']) and
+ avc.path_is_not_standard_directory()):
+--
+2.17.2
+
diff --git a/SOURCES/0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch b/SOURCES/0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch
new file mode 100644
index 0000000..21a55c1
--- /dev/null
+++ b/SOURCES/0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch
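Review bot: Setting `self.fixable=True` turns `fix_cmd = "/usr/bin/chcon -t xen_image_t '$TARGET_PATH'"` into a one-click privileged relabel, but the single quotes in that string do not survive a `'` inside the substituted path, and the same class already uses the differently named `$FIX_TARGET_PATH` in its `semanage` text, which suggests an escaped variant exists. Unless the fix layer passes the command as an argv list rather than a shell string (not visible in this hunk), a crafted path named in the denial could break out of the quoting; `fix_cmd = "/usr/bin/chcon -t xen_image_t '$FIX_TARGET_PATH'"` would be the consistent choice if that variable is the escaped form. The `analyze` guard only constrains the source domain and access kinds, so the button will relabel any non-standard path a `xend_t`/`virsh_t` process was denied on; a `button_text` that states the precondition, e.g. `_("If $TARGET_PATH is a Xen image, change its label to xen_image_t.")`, would make the consequence clearer to the user. The `analyze` method continues past the end of the hunk.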
@@ -0,0 +1,100 @@ +From 10f47305045de28351614989b53bdf830cdc6dd3 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Fri, 2 Aug 2019 18:01:11 +0200 +Subject: [PATCH 3/3] plugins: Update qemu_blk_image and qemu_file_image + +- Use svirt_t instead of qemu_t, which is now an alias +- Enable the fix button + +Resolves: rhbz#1649838 +--- + plugins/src/qemu_blk_image.py | 11 +++++++---- + plugins/src/qemu_file_image.py | 14 +++++++++----- + 2 files changed, 16 insertions(+), 9 deletions(-) + +diff --git a/plugins/src/qemu_blk_image.py b/plugins/src/qemu_blk_image.py +index fda7e41..48b3b83 100644 +--- a/plugins/src/qemu_blk_image.py ++++ b/plugins/src/qemu_blk_image.py +@@ -29,9 +29,9 @@ class plugin(Plugin): + ''') + + problem_description = _(''' +- SELinux denied qemu access to the block device $TARGET_PATH. ++ SELinux denied svirt access to the block device $TARGET_PATH. + If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this +- new path to the system defaults. If you did not intend to use $TARGET_PATH as a qemu ++ new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization + image it could indicate either a bug or an intrusion attempt. + ''') + +@@ -40,7 +40,7 @@ class plugin(Plugin): + You must also change the default file context files on the system in order to preserve them even on a full relabel. 
"semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'" + ''') + +- fix_cmd = "chcon -t virt_image_t '$TARGET_PATH'" ++ fix_cmd = "/usr/bin/chcon -t virt_image_t '$TARGET_PATH'" + + then_text = _("You need to change the label on '$FIX_TARGET_PATH'") + do_text = _("""# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' +@@ -48,9 +48,12 @@ class plugin(Plugin): + + def __init__(self): + Plugin.__init__(self, __name__) ++ self.set_priority(60) ++ self.fixable=True ++ self.button_text = _("Set the image label to virt_image_t.") + + def analyze(self, avc): +- if (avc.matches_source_types(['qemu_t']) and ++ if (avc.matches_source_types(['svirt_t']) and + avc.all_accesses_are_in(avc.rw_file_perms + avc.r_dir_perms) and + avc.has_tclass_in(['blk_file'])): + # MATCH +diff --git a/plugins/src/qemu_file_image.py b/plugins/src/qemu_file_image.py +index 7ae716d..98562e1 100644 +--- a/plugins/src/qemu_file_image.py ++++ b/plugins/src/qemu_file_image.py +@@ -29,12 +29,12 @@ class plugin(Plugin): + ''') + + problem_description = _(''' +- SELinux denied qemu access to $TARGET_PATH. ++ SELinux denied svirt access to $TARGET_PATH. + If this is a virtualization image, it has to have a file context label of + virt_image_t. The system is setup to label image files in directory./var/lib/libvirt/images + correctly. We recommend that you copy your image file to /var/lib/libvirt/images. +- If you really want to have your qemu image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this +- new path to the system defaults. If you did not intend to use $TARGET_PATH as a qemu ++ If you really want to have your image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this ++ new path to the system defaults. 
If you did not intend to use $TARGET_PATH as a virtualization + image it could indicate either a bug or an intrusion attempt. + ''') + +@@ -43,17 +43,21 @@ class plugin(Plugin): + You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'" + ''') + +- fix_cmd = "chcon -t virt_image_t '$TARGET_PATH'" ++ fix_cmd = "/usr/bin/chcon -t virt_image_t '$TARGET_PATH'" + + if_text = _("If $TARGET_BASE_PATH is a virtualization target") + then_text = _("You need to change the label on $TARGET_BASE_PATH'") + do_text = """# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' + # restorecon -v '$FIX_TARGET_PATH'""" ++ + def __init__(self): + Plugin.__init__(self, __name__) ++ self.set_priority(60) ++ self.fixable=True ++ self.button_text = _("Set the image label to virt_image_t.") + + def analyze(self, avc): +- if (avc.matches_source_types(['qemu_t']) and ++ if (avc.matches_source_types(['svirt_t']) and + avc.all_accesses_are_in(avc.rw_file_perms + avc.r_dir_perms) and + avc.has_tclass_in(['file', 'dir']) and + avc.path_is_not_standard_directory()): +-- +2.17.2 + diff --git a/SPECS/setroubleshoot-plugins.spec b/SPECS/setroubleshoot-plugins.spec index c8582c0..106b68c 100644 --- a/SPECS/setroubleshoot-plugins.spec +++ b/SPECS/setroubleshoot-plugins.spec @@ -3,11 +3,14 @@ Summary: Analysis plugins for use with setroubleshoot Name: setroubleshoot-plugins Version: 3.3.10 -Release: 1%{?dist} +Release: 3%{?dist} License: GPLv2+ Group: Applications/System URL: https://github.com/fedora-selinux/setroubleshoot Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz +Patch1: 0001-plugins-update-file-plugin.patch +Patch2: 0002-plugins-Update-xen_image-plugin.patch +Patch3: 0003-plugins-Update-qemu_blk_image-and-qemu_file_image.patch BuildArch: noarch BuildRequires: perl-XML-Parser 
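Review bot: Both `__init__` methods now set `self.fixable=True` with `set_priority(60)` and a button that relabels `$TARGET_PATH` to `virt_image_t`, while the `problem_description` kept in the same hunks says that an unintended path "could indicate either a bug or an intrusion attempt" — the fix gives a `svirt_t` guest process read/write access to exactly the file or block device it was denied on, which is the case the text warns about. Consider making the button text carry the precondition the prose already states, e.g. `_("If $TARGET_PATH is a virtualization image, set its label to virt_image_t.")`, or keeping the lower default priority so the fix is not the first suggestion shown. Separately, `fix_cmd` substitutes `$TARGET_PATH` inside single quotes while `do_text` next to it uses `$FIX_TARGET_PATH`; if the latter is the shell-escaped form, `fix_cmd` should use it too, since a `'` in the path would otherwise end the quoting (how the fix helper executes the string is not visible here). The `analyze` methods continue past the end of the hunk.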
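Review bot: `Patch1`, `Patch2` and `Patch3` are declared in this hunk but nothing here applies them; unless `%prep` (outside the hunk) already uses `%autosetup -p1`, or gains `%patch1 -p1`, `%patch2 -p1`, `%patch3 -p1`, the build succeeds while shipping the unpatched plugins and the changelog claims fixes that are not in the binary RPM. Please confirm `%prep` or add the application lines in the same change.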
@@ -41,6 +44,14 @@ rm -rf %{buildroot} %{_datadir}/setroubleshoot/plugins %changelog +* Mon Aug 19 2019 Vit Mojzis - 3.3.10-3 +- Rebuild with gating enabled (#1682462) + +* Fri Aug 16 2019 Vit Mojzis - 3.3.10-2 +- update "file" plugin (#1649818) +- Update "xen_image" plugin (#1649831) +- Update qemu_blk_image and qemu_file_image (#1649838) + * Fri Dec 7 2018 Petr Lautrbach - 3.3.10-1 - Handle no "allowed_target_types" properly - bind_ports: Do not use when there are no allowed_target_types