From 1d04ad9053e1b9e8464cb80de0064fb609ae87a0 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Mon, 2 May 2022 15:59:53 +0200
Subject: [PATCH] udica-0.2.6-4 - Improve label collection for mounts and devices
Fixes: https://github.com/containers/udica/issues/98 https://github.com/containers/udica/issues/109
---
 ...el-collection-for-mounts-and-devices.patch | 54 +++++++++++++++++++
 udica.spec | 8 ++-
 2 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 0002-Improve-label-collection-for-mounts-and-devices.patch
diff --git a/0002-Improve-label-collection-for-mounts-and-devices.patch b/0002-Improve-label-collection-for-mounts-and-devices.patch
new file mode 100644
index 0000000..d8ab991
--- /dev/null
+++ b/0002-Improve-label-collection-for-mounts-and-devices.patch
@@ -0,0 +1,54 @@
+From 2e1f70537bf556a0f2238104e4fb3cf8518fcfc4 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Fri, 29 Apr 2022 16:15:06 +0200
+Subject: [PATCH] Improve label collection for mounts and devices
+
+Catch exception triggered by selabel_lookup when it encounters file
+context definition containing "<>"
+
+Real label of given path may differ from what selable_lookup
+(matchpathcon) returns. Udica should allow access to both.
+
+Fixes:
+ https://github.com/containers/udica/issues/98
+ https://github.com/containers/udica/issues/109
+---
+ udica/policy.py | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/udica/policy.py b/udica/policy.py
+index 07d957c..1d53e2a 100644
+--- a/udica/policy.py
++++ b/udica/policy.py
+@@ -67,12 +67,23 @@ def list_contexts(directory):
+ contexts.append(semanage.semanage_context_get_type(context))
+
+ selabel = selinux.selabel_open(selinux.SELABEL_CTX_FILE, None, 0)
+- (rc, context) = selinux.selabel_lookup(selabel, directory, 0)
+- if context == None:
+- if exists(directory) == False:
+- exit(1)
++ try:
++ (rc, context) = selinux.selabel_lookup(selabel, directory, 0)
++ except FileNotFoundError:
++ # File context definition containing "<>" triggers exception
++ context = None
++ if context:
++ contexts.append(context.split(":")[2])
++
++ # Get the real label (ls -lZ) - may differ from what selabel_lookup returns
++ try:
+ context = selinux.getfilecon(directory)[1]
+- contexts.append(context.split(":")[2])
++ except FileNotFoundError:
++ context = None
++
++ if context:
++ contexts.append(context.split(":")[2])
++
+ return contexts
+
+
+--
+2.35.1
+
diff --git a/udica.spec b/udica.spec
index 79f52c5..e108ede 100644
--- a/udica.spec
+++ b/udica.spec
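Review bot: The second `except FileNotFoundError:` in the embedded udica/policy.py hunk only covers a missing path, while `selinux.getfilecon` presumably raises OSError from the C errno for any failure (FileNotFoundError is just one subclass), so a mount that exists but has no readable label would still abort udica instead of falling back to the selabel_lookup result; `except OSError:` there keeps the best-effort behaviour the patch intends, and the same applies to the first try block. Dropping the `exists(directory) == False` / `exit(1)` branch means a mistyped mount or device path now produces a policy that silently lacks the corresponding allow rules, which fails closed but is hard to diagnose, so a warning on stderr when neither lookup yields a context would help the operator. `rc` from selabel_lookup is never read, and the `selabel` handle is never released with selabel_close, though that predates this patch. list_contexts begins before the inner hunk; only its def line is visible in the @@ header.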
@@ -1,9 +1,10 @@
 Summary: A tool for generating SELinux security policies for containers
 Name: udica
 Version: 0.2.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 Source0: https://github.com/containers/udica/archive/v%{version}.tar.gz
-Patch0: 0001-Make-sure-each-section-of-the-inspect-exists-before-.patch
+Patch0001: 0001-Make-sure-each-section-of-the-inspect-exists-before-.patch
+Patch0002: 0002-Improve-label-collection-for-mounts-and-devices.patch
 License: GPLv3+
 BuildArch: noarch
 Url: https://github.com/containers/udica
@@ -59,6 +60,9 @@ install -m 0644 udica/man/man8/udica.8 %{buildroot}%{_mandir}/man8/udica.8
 %endif
 %changelog
+* Mon May 02 2022 Vit Mojzis - 0.2.6-4
+- Improve label collection for mounts and devices
+
 * Sat Jan 22 2022 Fedora Release Engineering - 0.2.6-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild