rpms/systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add workaround for selinux preventing use of selinux status page

Browse Source
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2020-10-27 19:50:43 +01:00
parent b6a8363c43
commit a734fa3ff3
2 changed files with 68 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
0001-selinux-fall-back-to-the-netlink-based-API.patch Normal file
View File

@ -0,0 +1,65 @@
From bef6d96b5aa48ce4b90633c847158f0ae27c7a10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 27 Oct 2020 19:47:26 +0100
Subject: [PATCH] selinux: fall back to the netlink-based API
Fedora Rawhide still has the old policy, so selinux prevents our selinux code
from checking if selinux is enabled. But it seems smart to fall back to the old
API anyway.
Follow-up for fd5e402fa9377f2860e02bdb5b84d5f5942e73f4.
---
src/basic/selinux-util.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 1791aeecde..c239634e48 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -133,6 +133,7 @@ static int open_label_db(void) {
int mac_selinux_init(void) {
#if HAVE_SELINUX
int r;
+ bool have_status_page = false;
if (initialized)
return 0;
@@ -140,9 +141,15 @@ int mac_selinux_init(void) {
if (!mac_selinux_use())
return 0;
- r = selinux_status_open(/* no netlink fallback */ 0);
- if (r < 0)
- return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+ r = selinux_status_open(/* netlink fallback */ 1);
+ if (r < 0) {
+ if (!ERRNO_IS_PRIVILEGE(errno))
+ return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+ log_warning_errno(errno, "selinux_status_open() failed, using the netlink fallback: %m");
+ } else if (r == 1)
+ log_warning("selinux_status_open() failed to open the status page, using the netlink fallback.");
+ else
+ have_status_page = true;
r = open_label_db();
if (r < 0) {
@@ -150,13 +157,14 @@ int mac_selinux_init(void) {
return r;
}
- /* save the current policyload sequence number, so `mac_selinux_maybe_reload()` does
- not trigger on first call without any actual change */
+ /* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on
+ * first call without any actual change. */
last_policyload = selinux_status_policyload();
- /* now that the SELinux status page has been successfully opened,
- retrieve the enforcing status over it (to avoid system calls in `security_getenforce()`) */
- enforcing_status_func = selinux_status_getenforce;
+ if (have_status_page)
+ /* Now that the SELinux status page has been successfully opened, retrieve the enforcing
+ * status over it (to avoid system calls in security_getenforce()). */
+ enforcing_status_func = selinux_status_getenforce;
initialized = true;
#endif

3
systemd.spec
View File

@ -71,6 +71,9 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# https://bugzilla.redhat.com/show_bug.cgi?id=1738828 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
Patch0001: use-bfq-scheduler.patch Patch0001: use-bfq-scheduler.patch
# While we don't have https://github.com/SELinuxProject/refpolicy/pull/308
Patch0002: 0001-selinux-fall-back-to-the-netlink-based-API.patch
Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch
%ifarch %{ix86} x86_64 aarch64 %ifarch %{ix86} x86_64 aarch64