Bugfix for selinux issue

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2014-07-21 23:10:32 -04:00
parent cfcb358dcf
commit dc60e841f2
6 changed files with 336 additions and 1 deletions

View File

@ -0,0 +1,46 @@
From 9f2dae12f4ee324e3c1cb26ce3ea382e586235b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Andr=C3=A9=20Santoni?= <jean.andre.santoni@gmail.com>
Date: Mon, 21 Jul 2014 21:04:44 -0400
Subject: [PATCH] Add IFLA_VTI defines to missing.h
(cherry picked from commit 6589d0dba2b1ccf2406db527c2c1b51c7143e117)
---
configure.ac | 1 +
src/shared/missing.h | 12 ++++++++++++
2 files changed, 13 insertions(+)
diff --git a/configure.ac b/configure.ac
index df6b3571d1..8925eb5435 100644
--- a/configure.ac
+++ b/configure.ac
@@ -311,6 +311,7 @@ AC_CHECK_DECLS([gettid, pivot_root, name_to_handle_at, setns, LO_FLAGS_PARTSCAN]
]])
AC_CHECK_DECLS([IFLA_MACVLAN_FLAGS,
+ IFLA_VTI_REMOTE,
IFLA_PHYS_PORT_ID,
IFLA_BOND_AD_INFO,
IFLA_VLAN_PROTOCOL,
diff --git a/src/shared/missing.h b/src/shared/missing.h
index 818d704f92..2985285409 100644
--- a/src/shared/missing.h
+++ b/src/shared/missing.h
@@ -380,6 +380,18 @@ static inline int setns(int fd, int nstype) {
#define IFLA_MACVLAN_MAX (__IFLA_MACVLAN_MAX - 1)
#endif
+#if !HAVE_DECL_IFLA_VTI_REMOTE
+#define IFLA_VTI_UNSPEC 0
+#define IFLA_VTI_LINK 1
+#define IFLA_VTI_IKEY 2
+#define IFLA_VTI_OKEY 3
+#define IFLA_VTI_LOCAL 4
+#define IFLA_VTI_REMOTE 5
+#define __IFLA_VTI_MAX 6
+
+#define IFLA_VTI_MAX (__IFLA_VTI_MAX - 1)
+#endif
+
#if !HAVE_DECL_IFLA_PHYS_PORT_ID
#undef IFLA_PROMISCUITY
#define IFLA_PROMISCUITY 30

View File

@ -0,0 +1,27 @@
From 766fa6bb149ece2ed4bb0d58e4f836a86bb51893 Mon Sep 17 00:00:00 2001
From: Michael Olbrich <m.olbrich@pengutronix.de>
Date: Fri, 18 Jul 2014 06:33:52 +0200
Subject: [PATCH] install: systemd-timesyncd.service is enabled by
sysinit.target
systemd-timesyncd.service has a "WantedBy=sysinit.target" so the
initially generated link should match that.
(cherry picked from commit e9b11a8457293c553296e5d986a0bb7f86f275d5)
---
Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile.am b/Makefile.am
index 2b0c855da2..53f82f9fce 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4346,7 +4346,7 @@ nodist_systemunit_DATA += \
units/systemd-timesyncd.service
GENERAL_ALIASES += \
- $(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/multi-user.target.wants/systemd-timesyncd.service
+ $(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service
EXTRA_DIST += \
units/systemd-timesyncd.service.in

View File

@ -0,0 +1,44 @@
From de92879c4fd08974b90bc73f3bd3129774486a1f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 19 Jul 2014 19:46:04 -0400
Subject: [PATCH] bash-completion: -p option for journalctl
(cherry picked from commit be8f4a9fa732d61e845e1ab1a62ac3a6b368d3a7)
---
shell-completion/bash/journalctl | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/shell-completion/bash/journalctl b/shell-completion/bash/journalctl
index e4b2f4ac84..14dcd223b3 100644
--- a/shell-completion/bash/journalctl
+++ b/shell-completion/bash/journalctl
@@ -35,6 +35,8 @@ __journal_fields=(MESSAGE{,_ID} PRIORITY CODE_{FILE,LINE,FUNC}
_UDEV_{SYSNAME,DEVNODE,DEVLINK}
__CURSOR __{REALTIME,MONOTONIC}_TIMESTAMP)
+__syslog_priorities=(emerg alert crit err warning notice info debug)
+
_journalctl() {
local field_vals= cur=${COMP_WORDS[COMP_CWORD]} prev=${COMP_WORDS[COMP_CWORD-1]}
local -A OPTS=(
@@ -44,8 +46,8 @@ _journalctl() {
--no-tail -q --quiet --setup-keys --this-boot --verify
--version --list-catalog --update-catalog --list-boots'
[ARG]='-b --boot --this-boot -D --directory --file -F --field
- -o --output -u --unit --user-unit'
- [ARGUNKNOWN]='-c --cursor --interval -n --lines -p --priority --since --until
+ -o --output -u --unit --user-unit -p --priority'
+ [ARGUNKNOWN]='-c --cursor --interval -n --lines --since --until
--verify-key'
)
@@ -68,6 +70,9 @@ _journalctl() {
--field|-F)
comps=${__journal_fields[*]}
;;
+ --priority|-p)
+ comps=${__syslog_priorities[*]}
+ ;;
--unit|-u)
comps=$(journalctl -F '_SYSTEMD_UNIT' 2>/dev/null)
;;

View File

@ -0,0 +1,122 @@
From ec300fdabb27c41258cf5aea91dae518a3b88a04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 21 Jul 2014 20:41:19 -0400
Subject: [PATCH] sysusers: fix selinux context of backup files
Also, fix fopen_temporary_label to set proper context. By chance,
all users so far used the same context, so the error didn't matter.
Also, check return value from label_init().
https://bugzilla.redhat.com/show_bug.cgi?id=1121806
(cherry picked from commit 9f1c19405a1ccaf59dcc8c32c13a1619541189ad)
---
src/shared/fileio-label.c | 2 +-
src/sysusers/sysusers.c | 45 ++++++++++++++++++++++++---------------------
2 files changed, 25 insertions(+), 22 deletions(-)
diff --git a/src/shared/fileio-label.c b/src/shared/fileio-label.c
index 417ca5695a..c3def3c568 100644
--- a/src/shared/fileio-label.c
+++ b/src/shared/fileio-label.c
@@ -59,7 +59,7 @@ int fopen_temporary_label(const char *target,
const char *path, FILE **f, char **temp_path) {
int r;
- r = label_context_set("/etc/passwd", S_IFREG);
+ r = label_context_set(target, S_IFREG);
if (r < 0)
return r;
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index bf2fbbc252..2387d5873a 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -195,8 +195,9 @@ static int load_group_database(void) {
return 0;
}
-static int make_backup(const char *x) {
- _cleanup_close_ int src = -1, dst = -1;
+static int make_backup(const char *target, const char *x) {
+ _cleanup_close_ int src = -1;
+ _cleanup_fclose_ FILE *dst = NULL;
char *backup, *temp;
struct timespec ts[2];
struct stat st;
@@ -213,30 +214,30 @@ static int make_backup(const char *x) {
if (fstat(src, &st) < 0)
return -errno;
- temp = strappenda(x, ".XXXXXX");
- dst = mkostemp_safe(temp, O_WRONLY|O_CLOEXEC|O_NOCTTY);
- if (dst < 0)
- return dst;
+ r = fopen_temporary_label(target, x, &dst, &temp);
+ if (r < 0)
+ return r;
- r = copy_bytes(src, dst, (off_t) -1);
+ r = copy_bytes(src, fileno(dst), (off_t) -1);
if (r < 0)
goto fail;
+ /* Don't fail on chmod() or chown(). If it stays owned by us
+ * and/or unreadable by others, then it isn't too bad... */
+
+ backup = strappenda(x, "-");
+
/* Copy over the access mask */
- if (fchmod(dst, st.st_mode & 07777) < 0) {
- r = -errno;
- goto fail;
- }
+ if (fchmod(fileno(dst), st.st_mode & 07777) < 0)
+ log_warning("Failed to change mode on %s: %m", backup);
- /* Don't fail on chmod(). If it stays owned by us, then it
- * isn't too bad... */
- fchown(dst, st.st_uid, st.st_gid);
+ if (fchown(fileno(dst), st.st_uid, st.st_gid)< 0)
+ log_warning("Failed to change ownership of %s: %m", backup);
ts[0] = st.st_atim;
ts[1] = st.st_mtim;
- futimens(dst, ts);
+ futimens(fileno(dst), ts);
- backup = strappenda(x, "-");
if (rename(temp, backup) < 0)
goto fail;
@@ -469,13 +470,13 @@ static int write_files(void) {
/* Make a backup of the old files */
if (group && group_changed) {
- r = make_backup(group_path);
+ r = make_backup("/etc/group", group_path);
if (r < 0)
goto finish;
}
if (passwd) {
- r = make_backup(passwd_path);
+ r = make_backup("/etc/passwd", passwd_path);
if (r < 0)
goto finish;
}
@@ -1529,9 +1530,11 @@ int main(int argc, char *argv[]) {
umask(0022);
- label_init(NULL);
-
- r = 0;
+ r = label_init(NULL);
+ if (r < 0) {
+ log_error("SELinux setup failed: %s", strerror(-r));
+ goto finish;
+ }
if (optind < argc) {
int j;

View File

@ -0,0 +1,86 @@
From 62ae78fdcc50515d292f7622aeff7a89a5b2bfd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 21 Jul 2014 20:56:29 -0400
Subject: [PATCH] update-done: set proper selinux context for .updated
https://bugzilla.redhat.com/show_bug.cgi?id=1121806
(cherry picked from commit 7dbb1d08f66cd44b1296be3ee8e3629b989e19a8)
---
Makefile.am | 1 +
src/update-done/update-done.c | 25 ++++++++++++++++++++-----
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 53f82f9fce..764a4fde58 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1724,6 +1724,7 @@ systemd_update_done_SOURCES = \
systemd_update_done_LDADD = \
libsystemd-internal.la \
+ libsystemd-label.la \
libsystemd-shared.la
# ------------------------------------------------------------------------------
diff --git a/src/update-done/update-done.c b/src/update-done/update-done.c
index 10ba85ca92..b199a68972 100644
--- a/src/update-done/update-done.c
+++ b/src/update-done/update-done.c
@@ -20,6 +20,7 @@
***/
#include "util.h"
+#include "label.h"
static int apply_timestamp(const char *path, struct timespec *ts) {
struct timespec twice[2];
@@ -51,10 +52,20 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
} else if (errno == ENOENT) {
_cleanup_close_ int fd = -1;
+ int r;
/* The timestamp file doesn't exist yet? Then let's create it. */
+ r = label_context_set(path, S_IFREG);
+ if (r < 0) {
+ log_error("Failed to set SELinux context for %s: %s",
+ path, strerror(-r));
+ return r;
+ }
+
fd = open(path, O_CREAT|O_EXCL|O_WRONLY|O_TRUNC|O_CLOEXEC|O_NOCTTY|O_NOFOLLOW, 0644);
+ label_context_clear();
+
if (fd < 0) {
if (errno == EROFS) {
@@ -83,7 +94,7 @@ static int apply_timestamp(const char *path, struct timespec *ts) {
int main(int argc, char *argv[]) {
struct stat st;
- int r, q;
+ int r, q = 0;
log_set_target(LOG_TARGET_AUTO);
log_parse_environment();
@@ -94,11 +105,15 @@ int main(int argc, char *argv[]) {
return EXIT_FAILURE;
}
- r = apply_timestamp("/etc/.updated", &st.st_mtim);
+ r = label_init(NULL);
+ if (r < 0) {
+ log_error("SELinux setup failed: %s", strerror(-r));
+ goto finish;
+ }
+ r = apply_timestamp("/etc/.updated", &st.st_mtim);
q = apply_timestamp("/var/.updated", &st.st_mtim);
- if (q < 0 && r == 0)
- r = q;
- return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+finish:
+ return r < 0 || q < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}

View File

@ -16,7 +16,7 @@
Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
Version: 215
Release: 4%{?gitcommit:.git%{gitcommit}}%{?dist}
Release: 5%{?gitcommit:.git%{gitcommit}}%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: A System and Service Manager
@ -116,6 +116,12 @@ Patch074: 0074-man-journal-add-note-about-sd_journal_get_cutoff_mon.patch
Patch075: 0075-Be-more-verbose-when-bind-or-listen-fails.patch
Patch076: 0076-core-show-timeouts-when-watchdog-howls.patch
Patch077: 0077-escape-fix-return-code.patch
Patch078: 0078-Add-IFLA_VTI-defines-to-missing.h.patch
Patch079: 0079-install-systemd-timesyncd.service-is-enabled-by-sysi.patch
Patch080: 0080-bash-completion-p-option-for-journalctl.patch
Patch081: 0081-sysusers-fix-selinux-context-of-backup-files.patch
Patch082: 0082-update-done-set-proper-selinux-context-for-.updated.patch
# Presently not accepted upstream, but we disable systemd-resolved in
# the presets anyways, and this unbreaks anaconda/lorax/livecd-creator
@ -845,6 +851,10 @@ getent passwd systemd-journal-gateway >/dev/null 2>&1 || useradd -r -l -u 191 -g
%{_datadir}/systemd/gatewayd
%changelog
* Mon Jul 21 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-5
- Fix SELinux context of /etc/passwd-, /etc/group-, /etc/.updated (#1121806)
- Add missing BR so gnutls and elfutils are used
* Sat Jul 19 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 215-4
- Various man page updates
- Static device node logic is conditionalized on CAP_SYS_MODULES instead of CAP_MKNOD