From 58d2db3e7dbaa54208dff6025439ad2795ab03cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Fri, 21 Jun 2024 13:18:26 +0200 Subject: [PATCH] Do not set a default SELinux creation context if SELinux appears to be disabled Resolves: RHEL-43232 --- ...o-perform-labeling-if-SELinux-is-dis.patch | 93 +++++++++++++++++++ libdnf.spec | 7 +- 2 files changed, 99 insertions(+), 1 deletion(-) create mode 100644 0016-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch diff --git a/0016-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch b/0016-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch new file mode 100644 index 0000000..193aed6 --- /dev/null +++ b/0016-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch @@ -0,0 +1,93 @@ +From d264065ec0d574b70bf376d5ee3777d7cc03030f Mon Sep 17 00:00:00 2001 +From: Colin Walters +Date: Tue, 4 Jun 2024 06:57:19 -0400 +Subject: [PATCH] repo: Don't try to perform labeling if SELinux is disabled +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The default for container execution is that `/sys/fs/selinux` +is not mounted, and the libselinux library function `is_selinux_enabled` +should be used to dynamically check if the system should attempt to perform SELinux labeling. + +This is how it's done by rpm, ostree, and systemd for example. + +But this code unconditionally tries to label if it finds a policy, +which breaks in an obscure corner case +when executed inside a container that includes policy files (e.g. +fedora/rhel-bootc) but when we're not using overlayfs for the backend +(with BUILDAH_BACKEND=vfs). + +Signed-off-by: Petr Písař +--- + libdnf/repo/Repo.cpp | 50 +++++++++++++++++++++++--------------------- + 1 file changed, 26 insertions(+), 24 deletions(-) + +diff --git a/libdnf/repo/Repo.cpp b/libdnf/repo/Repo.cpp +index 16f15195..10b88813 100644 +--- a/libdnf/repo/Repo.cpp ++++ b/libdnf/repo/Repo.cpp +@@ -679,34 +679,36 @@ static int create_temporary_directory(char *name_template) { + int old_default_context_was_retrieved = 0; + struct selabel_handle *labeling_handle = NULL; + +- /* A purpose of this piece of code is to deal with applications whose +- * security policy overrides a file context for temporary files but don't +- * know that libdnf executes GnuPG which expects a default file context. */ +- if (0 == getfscreatecon(&old_default_context)) { +- old_default_context_was_retrieved = 1; +- } else { +- logger->debug(tfm::format("Failed to retrieve a default SELinux context")); +- } ++ if (is_selinux_enabled()) { ++ /* A purpose of this piece of code is to deal with applications whose ++ * security policy overrides a file context for temporary files but don't ++ * know that libdnf executes GnuPG which expects a default file context. */ ++ if (0 == getfscreatecon(&old_default_context)) { ++ old_default_context_was_retrieved = 1; ++ } else { ++ logger->debug(tfm::format("Failed to retrieve a default SELinux context")); ++ } + +- labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); +- if (NULL == labeling_handle) { +- logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s", +- strerror(errno))); +- } else { +- if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) { +- /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but +- * that value should be really defined in default file context +- * SELinux policy. Only log that the policy is incpomplete. */ +- logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"", +- name_template)); ++ labeling_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0); ++ if (NULL == labeling_handle) { ++ logger->debug(tfm::format("Failed to open a SELinux labeling handle: %s", ++ strerror(errno))); + } else { +- if (setfscreatecon(new_default_context)) { +- logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"", +- new_default_context)); ++ if (selabel_lookup(labeling_handle, &new_default_context, name_template, 0700)) { ++ /* Here we could hard-code "system_u:object_r:user_tmp_t:s0", but ++ * that value should be really defined in default file context ++ * SELinux policy. Only log that the policy is incpomplete. */ ++ logger->debug(tfm::format("Failed to look up a default SELinux label for \"%s\"", ++ name_template)); ++ } else { ++ if (setfscreatecon(new_default_context)) { ++ logger->debug(tfm::format("Failed to set default SELinux context to \"%s\"", ++ new_default_context)); ++ } ++ freecon(new_default_context); + } +- freecon(new_default_context); ++ selabel_close(labeling_handle); + } +- selabel_close(labeling_handle); + } + #endif + +-- +2.45.2 + diff --git a/libdnf.spec b/libdnf.spec index 2694573..72a4e67 100644 --- a/libdnf.spec +++ b/libdnf.spec @@ -58,7 +58,7 @@ Name: libdnf Version: %{libdnf_major_version}.%{libdnf_minor_version}.%{libdnf_micro_version} -Release: 11%{?dist} +Release: 12%{?dist} Summary: Library providing simplified C and Python API to libsolv License: LGPLv2+ URL: https://github.com/rpm-software-management/libdnf @@ -78,6 +78,7 @@ Patch12: 0012-MergedTransaction-Calculate-RPM-difference-between-t.patch Patch13: 0013-MergedTransaction-Fix-invalid-memory-access-when-dro.patch Patch14: 0014-context-use-rpmtsAddReinstallElement-when-doing-a-re.patch Patch15: 0015-Since-we-use-rpmtsAddReinstallElement-rpm-also-unins.patch +Patch16: 0016-repo-Don-t-try-to-perform-labeling-if-SELinux-is-dis.patch BuildRequires: cmake @@ -327,6 +328,10 @@ popd %endif %changelog +* Fri Jun 21 2024 Petr Pisar - 0.69.0-12 +- Do not set a default SELinux creation context if SELinux appears to be + disabled (RHEL-43232) + * Thu May 16 2024 Petr Pisar - 0.69.0-11 - Fix reinstalling packages which conflicts with themselves in dnf_transaction_commit() (RHEL-1454)