Bugfix for selinux issue
This commit is contained in:
parent
cfcb358dcf
commit
dc60e841f2
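--- /dev/null
+++ b/0078-Add-IFLA_VTI-defines-to-missing.h.patch
@@ -0,0 +1,46 @@
+From 9f2dae12f4ee324e3c1cb26ce3ea382e586235b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jean-Andr=C3=A9=20Santoni?= <jean.andre.santoni@gmail.com>
+Date: Mon, 21 Jul 2014 21:04:44 -0400
+Subject: [PATCH] Add IFLA_VTI defines to missing.h
+
+(cherry picked from commit 6589d0dba2b1ccf2406db527c2c1b51c7143e117)
+---
+configure.ac | 1 +
+src/shared/missing.h | 12 ++++++++++++
+2 files changed, 13 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index df6b3571d1..8925eb5435 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -311,6 +311,7 @@ AC_CHECK_DECLS([gettid, pivot_root, name_to_handle_at, setns, LO_FLAGS_PARTSCAN]
+]])
+
+AC_CHECK_DECLS([IFLA_MACVLAN_FLAGS,
++ IFLA_VTI_REMOTE,
+IFLA_PHYS_PORT_ID,
+IFLA_BOND_AD_INFO,
+IFLA_VLAN_PROTOCOL,
+diff --git a/src/shared/missing.h b/src/shared/missing.h
+index 818d704f92..2985285409 100644
+--- a/src/shared/missing.h
++++ b/src/shared/missing.h
+@@ -380,6 +380,18 @@ static inline int setns(int fd, int nstype) {
+#define IFLA_MACVLAN_MAX (__IFLA_MACVLAN_MAX - 1)
+#endif
+
++#if !HAVE_DECL_IFLA_VTI_REMOTE
++#define IFLA_VTI_UNSPEC 0
++#define IFLA_VTI_LINK 1
++#define IFLA_VTI_IKEY 2
++#define IFLA_VTI_OKEY 3
++#define IFLA_VTI_LOCAL 4
++#define IFLA_VTI_REMOTE 5
++#define __IFLA_VTI_MAX 6
++
++#define IFLA_VTI_MAX (__IFLA_VTI_MAX - 1)
++#endif
++
+#if !HAVE_DECL_IFLA_PHYS_PORT_ID
+#undef IFLA_PROMISCUITY
+#define IFLA_PROMISCUITY 30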
@ -0,0 +1,27 @@
|
||||
From 766fa6bb149ece2ed4bb0d58e4f836a86bb51893 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Olbrich <m.olbrich@pengutronix.de>
|
||||
Date: Fri, 18 Jul 2014 06:33:52 +0200
|
||||
Subject: [PATCH] install: systemd-timesyncd.service is enabled by
|
||||
sysinit.target
|
||||
|
||||
systemd-timesyncd.service has a "WantedBy=sysinit.target" so the
|
||||
initially generated link should match that.
|
||||
|
||||
(cherry picked from commit e9b11a8457293c553296e5d986a0bb7f86f275d5)
|
||||
---
|
||||
Makefile.am | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 2b0c855da2..53f82f9fce 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -4346,7 +4346,7 @@ nodist_systemunit_DATA += \
|
||||
units/systemd-timesyncd.service
|
||||
|
||||
GENERAL_ALIASES += \
|
||||
- $(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/multi-user.target.wants/systemd-timesyncd.service
|
||||
+ $(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service
|
||||
|
||||
EXTRA_DIST += \
|
||||
units/systemd-timesyncd.service.in
|
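--- /dev/null
+++ b/0080-bash-completion-p-option-for-journalctl.patch
@@ -0,0 +1,44 @@
+From de92879c4fd08974b90bc73f3bd3129774486a1f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Sat, 19 Jul 2014 19:46:04 -0400
+Subject: [PATCH] bash-completion: -p option for journalctl
+
+(cherry picked from commit be8f4a9fa732d61e845e1ab1a62ac3a6b368d3a7)
+---
+shell-completion/bash/journalctl | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl
+index e4b2f4ac84..14dcd223b3 100644
+--- a/shell-completion/bash/journalctl
++++ b/shell-completion/bash/journalctl
+@@ -35,6 +35,8 @@ __journal_fields=(MESSAGE{,_ID} PRIORITY CODE_{FILE,LINE,FUNC}
+_UDEV_{SYSNAME,DEVNODE,DEVLINK}
+__CURSOR __{REALTIME,MONOTONIC}_TIMESTAMP)
+
++__syslog_priorities=(emerg alert crit err warning notice info debug)
++
+_journalctl() {
+local field_vals= cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]}
+local -A OPTS=(
+@@ -44,8 +46,8 @@ _journalctl() {
+--no-tail -q --quiet --setup-keys --this-boot --verify
+--version --list-catalog --update-catalog --list-boots'
+[ARG]='-b --boot --this-boot -D --directory --file -F --field
+- -o --output -u --unit --user-unit'
+- [ARGUNKNOWN]='-c --cursor --interval -n --lines -p --priority --since --until
++ -o --output -u --unit --user-unit -p --priority'
++ [ARGUNKNOWN]='-c --cursor --interval -n --lines --since --until
+--verify-key'
+)
+
+@@ -68,6 +70,9 @@ _journalctl() {
+--field|-F)
+comps=${__journal_fields[*]}
+;;
++ --priority|-p)
++ comps=${__syslog_priorities[*]}
++ ;;
+--unit|-u)
+comps=$(journalctl -F '_SYSTEMD_UNIT' 2>/dev/null)
+;;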
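--- /dev/null
+++ b/0081-sysusers-fix-selinux-context-of-backup-files.patch
@@ -0,0 +1,122 @@
+From ec300fdabb27c41258cf5aea91dae518a3b88a04 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 21 Jul 2014 20:41:19 -0400
+Subject: [PATCH] sysusers: fix selinux context of backup files
+
+Also, fix fopen_temporary_label to set proper context. By chance,
+all users so far used the same context, so the error didn't matter.
+
+Also, check return value from label_init().
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1121806
+(cherry picked from commit 9f1c19405a1ccaf59dcc8c32c13a1619541189ad)
+---
+src/shared/fileio-label.c | 2 +-
+src/sysusers/sysusers.c | 45 ++++++++++++++++++++++++---------------------
+2 files changed, 25 insertions(+), 22 deletions(-)
+
+diff --git a/src/shared/fileio-label.c b/src/shared/fileio-label.c
+index 417ca5695a..c3def3c568 100644
+--- a/src/shared/fileio-label.c
++++ b/src/shared/fileio-label.c
+@@ -59,7 +59,7 @@ int fopen_temporary_label(const char *target,
+const char *path, FILE **f, char **temp_path) {
+int r;
+
+- r = label_context_set("/etc/passwd", S_IFREG);
++ r = label_context_set(target, S_IFREG);
+if (r < 0)
+return r;
+
+diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
+index bf2fbbc252..2387d5873a 100644
+--- a/src/sysusers/sysusers.c
++++ b/src/sysusers/sysusers.c
+@@ -195,8 +195,9 @@ static int load_group_database(void) {
+return 0;
+}
+
+-static int make_backup(const char *x) {
+- _cleanup_close_ int src = -1, dst = -1;
++static int make_backup(const char *target, const char *x) {
++ _cleanup_close_ int src = -1;
++ _cleanup_fclose_ FILE *dst = NULL;
+char *backup, *temp;
+struct timespec ts[2];
+struct stat st;
+@@ -213,30 +214,30 @@ static int make_backup(const char *x) {
+if (fstat(src, &st) < 0)
+return -errno;
+
+- temp = strappenda(x, ".XXXXXX");
+- dst = mkostemp_safe(temp, O_WRONLY|O_CLOEXEC|O_NOCTTY);
+- if (dst < 0)
+- return dst;
++ r = fopen_temporary_label(target, x, &dst, &temp);
++ if (r < 0)
++ return r;
+
+- r = copy_bytes(src, dst, (off_t) -1);
++ r = copy_bytes(src, fileno(dst), (off_t) -1);
+if (r < 0)
+goto fail;
+
++ /* Don't fail on chmod() or chown(). If it stays owned by us
++ * and/or unreadable by others, then it isn't too bad... */
++
++ backup = strappenda(x, "-");
++
+/* Copy over the access mask */
+- if (fchmod(dst, st.st_mode & 07777) < 0) {
+- r = -errno;
+- goto fail;
+- }
++ if (fchmod(fileno(dst), st.st_mode & 07777) < 0)
++ log_warning("Failed to change mode on %s: %m", backup);
+
+- /* Don't fail on chmod(). If it stays owned by us, then it
+- * isn't too bad... */
+- fchown(dst, st.st_uid, st.st_gid);
++ if (fchown(fileno(dst), st.st_uid, st.st_gid)< 0)
++ log_warning("Failed to change ownership of %s: %m", backup);
+
+ts[0] = st.st_atim;
+ts[1] = st.st_mtim;
+- futimens(dst, ts);
++ futimens(fileno(dst), ts);
+
+- backup = strappenda(x, "-");
+if (rename(temp, backup) < 0)
+goto fail;
+
+@@ -469,13 +470,13 @@ static int write_files(void) {
+
+/* Make a backup of the old files */
+if (group && group_changed) {
+- r = make_backup(group_path);
++ r = make_backup("/etc/group", group_path);
+if (r < 0)
+goto finish;
+}
+
+if (passwd) {
+- r = make_backup(passwd_path);
++ r = make_backup("/etc/passwd", passwd_path);
+if (r < 0)
+goto finish;
+}
+@@ -1529,9 +1530,11 @@ int main(int argc, char *argv[]) {
+
+umask(0022);
+
+- label_init(NULL);
+-
+- r = 0;
++ r = label_init(NULL);
++ if (r < 0) {
++ log_error("SELinux setup failed: %s", strerror(-r));
++ goto finish;
++ }
+
+if (optind < argc) {
+int j;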
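Review bot: In the make_backup hunk of sysusers.c, `temp` is still the plain `char *` from the context line `char *backup, *temp;`, but it is now filled by `fopen_temporary_label(target, x, &dst, &temp)` instead of the stack-allocated `strappenda()`; if that helper hands back a heap-allocated path, as `fopen_temporary` does, every make_backup call now leaks it. Declaring it `_cleanup_free_ char *temp = NULL;` would close that, in the same style as the `_cleanup_fclose_` the hunk introduces for `dst`. The context line `if (rename(temp, backup) < 0) goto fail;` also jumps to `fail` without setting `r = -errno`, so `r` still holds the successful `copy_bytes()` result there; `fail:` lies past the end of the hunk, so confirm what it returns in that case. Minor style: `st.st_gid)< 0` is missing the space before `<`.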
@ -0,0 +1,86 @@
|
||||
From 62ae78fdcc50515d292f7622aeff7a89a5b2bfd3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||
Date: Mon, 21 Jul 2014 20:56:29 -0400
|
||||
Subject: [PATCH] update-done: set proper selinux context for .updated
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1121806
|
||||
(cherry picked from commit 7dbb1d08f66cd44b1296be3ee8e3629b989e19a8)
|
||||
---
|
||||
Makefile.am | 1 +
|
||||
src/update-done/update-done.c | 25 ++++++++++++++++++++-----
|
||||
2 files changed, 21 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/Makefile.am b/Makefile.am
|
||||
index 53f82f9fce..764a4fde58 100644
|
||||
--- a/Makefile.am
|
||||
+++ b/Makefile.am
|
||||
@@ -1724,6 +1724,7 @@ systemd_update_done_SOURCES = \
|
||||
|
||||
systemd_update_done_LDADD = \
|
||||
libsystemd-internal.la \
|
||||
+ libsystemd-label.la \
|
||||
libsystemd-shared.la
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
diff --git a/src/update-done/update-done.c b/src/update-done/update-done.c
|
||||
index 10ba85ca92..b199a68972 100644
|
||||
--- a/src/update-done/update-done.c
|
||||
+++ b/src/update-done/update-done.c
|
||||
@@ -20,6 +20,7 @@
|
||||
***/
|
||||
|
||||
#include "util.h"
|
||||
+#include "label.h"
|
||||
|
||||
static int apply_timestamp(const char *path, struct timespec *ts) {
|
||||
struct timespec twice[2];
|
||||
@@ -51,10 +52,20 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
|
||||
|
||||
} else if (errno == ENOENT) {
|
||||
_cleanup_close_ int fd = -1;
|
||||
+ int r;
|
||||
|
||||
/* The timestamp file doesn't exist yet? Then let's create it. */
|
||||
|
||||
+ r = label_context_set(path, S_IFREG);
|
||||
+ if (r < 0) {
|
||||
+ log_error("Failed to set SELinux context for %s: %s",
|
||||
+ path, strerror(-r));
|
||||
+ return r;
|
||||
+ }
|
||||
+
|
||||
fd = open(path, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0644);
|
||||
+ label_context_clear();
|
||||
+
|
||||
if (fd < 0) {
|
||||
|
||||
if (errno == EROFS) {
|
||||
@@ -83,7 +94,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
struct stat st;
|
||||
- int r, q;
|
||||
+ int r, q = 0;
|
||||
|
||||
log_set_target(LOG_TARGET_AUTO);
|
||||
log_parse_environment();
|
||||
@@ -94,11 +105,15 @@ int main(int argc, char *argv[]) {
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
- r = apply_timestamp("/etc/.updated", &st.st_mtim);
|
||||
+ r = label_init(NULL);
|
||||
+ if (r < 0) {
|
||||
+ log_error("SELinux setup failed: %s", strerror(-r));
|
||||
+ goto finish;
|
||||
+ }
|
||||
|
||||
+ r = apply_timestamp("/etc/.updated", &st.st_mtim);
|
||||
q = apply_timestamp("/var/.updated", &st.st_mtim);
|
||||
- if (q < 0 && r == 0)
|
||||
- r = q;
|
||||
|
||||
- return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
|
||||
+finish:
|
||||
+ return r < 0 || q < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
|
||||
}
|
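Review bot: In apply_timestamp, the new `label_context_clear();` call sits between `open()` and the `if (fd < 0)` block that reads `errno` (the `errno == EROFS` test in the context lines); unless that helper is guaranteed to preserve errno, the EROFS branch can see a stale value. Either capture it first, `int saved_errno = errno;` right after the `open()` line and test `saved_errno == EROFS`, or confirm the helper is errno-transparent and record that on the call, e.g. `/* label_context_clear() preserves errno */`. The rest of that `if (fd < 0)` block continues outside the hunk. The `q = 0` initializer in main is what keeps the new `finish:` return well-defined when `label_init()` fails before `q` is assigned; a one-line comment on `int r, q = 0;` saying so would spare the next reader the trace.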
12
systemd.spec
12
systemd.spec
@ -16,7 +16,7 @@
|
||||
Name: systemd
|
||||
Url: http://www.freedesktop.org/wiki/Software/systemd
|
||||
Version: 215
|
||||
Release: 4%{?gitcommit:.git%{gitcommit}}%{?dist}
|
||||
Release: 5%{?gitcommit:.git%{gitcommit}}%{?dist}
|
||||
# For a breakdown of the licensing, see README
|
||||
License: LGPLv2+ and MIT and GPLv2+
|
||||
Summary: A System and Service Manager
|
||||
@ -116,6 +116,12 @@ Patch074: 0074-man-journal-add-note-about-sd_journal_get_cutoff_mon.patch
|
||||
Patch075: 0075-Be-more-verbose-when-bind-or-listen-fails.patch
|
||||
Patch076: 0076-core-show-timeouts-when-watchdog-howls.patch
|
||||
Patch077: 0077-escape-fix-return-code.patch
|
||||
Patch078: 0078-Add-IFLA_VTI-defines-to-missing.h.patch
|
||||
Patch079: 0079-install-systemd-timesyncd.service-is-enabled-by-sysi.patch
|
||||
Patch080: 0080-bash-completion-p-option-for-journalctl.patch
|
||||
Patch081: 0081-sysusers-fix-selinux-context-of-backup-files.patch
|
||||
Patch082: 0082-update-done-set-proper-selinux-context-for-.updated.patch
|
||||
|
||||
|
||||
# Presently not accepted upstream, but we disable systemd-resolved in
|
||||
# the presets anyways, and this unbreaks anaconda/lorax/livecd-creator
|
||||
@ -845,6 +851,10 @@ getent passwd systemd-journal-gateway >/dev/null 2>&1 || useradd -r -l -u 191 -g
|
||||
%{_datadir}/systemd/gatewayd
|
||||
|
||||
%changelog
|
||||
* Mon Jul 21 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-5
|
||||
- Fix SELinux context of /etc/passwd-, /etc/group-, /etc/.updated (#1121806)
|
||||
- Add missing BR so gnutls and elfutils are used
|
||||
|
||||
* Sat Jul 19 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-4
|
||||
- Various man page updates
|
||||
- Static device node logic is conditionalized on CAP_SYS_MODULES instead of CAP_MKNOD
|
||||
|