From e9ab567ff02c0985f7cf172e5aaa9e3ac5fcaa77329bb575f5456164c34b57ba Mon Sep 17 00:00:00 2001 From: Johannes Segitz Date: Wed, 13 Jul 2022 12:17:44 +0000 Subject: [PATCH] Accepting request 988987 from home:jsegitz:branches:security:SELinux - Fixed initrd check in selinux-ready (bnc#1186127) - Added restorecon_pin_file.patch. Fixes issus when running fixfiles/restorecon OBS-URL: https://build.opensuse.org/request/show/988987 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/libselinux?expand=0&rev=143 --- libselinux-bindings.spec | 1 + libselinux.changes | 11 +++ libselinux.spec | 2 + restorecon_pin_file.patch | 139 ++++++++++++++++++++++++++++++++++++++ selinux-ready | 69 +++++++++---------- 5 files changed, 184 insertions(+), 38 deletions(-) create mode 100644 restorecon_pin_file.patch diff --git a/libselinux-bindings.spec b/libselinux-bindings.spec index 2c17a2b..d7aacac 100644 --- a/libselinux-bindings.spec +++ b/libselinux-bindings.spec @@ -36,6 +36,7 @@ Patch4: readv-proto.patch # Make linking working even when default pkg-config doesn’t provide -lpython Patch5: python3.8-compat.patch Patch6: swig4_moduleimport.patch +Patch7: restorecon_pin_file.patch BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: python-rpm-macros BuildRequires: python3-devel diff --git a/libselinux.changes b/libselinux.changes index 4944b1e..70ceda6 100644 --- a/libselinux.changes +++ b/libselinux.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Thu Jul 7 12:16:45 UTC 2022 - Johannes Segitz + +- Fixed initrd check in selinux-ready (bnc#1186127) + +------------------------------------------------------------------- +Tue May 31 15:10:26 UTC 2022 - Johannes Segitz + +- Added restorecon_pin_file.patch. Fixes issus when running + fixfiles/restorecon + ------------------------------------------------------------------- Mon May 9 10:23:32 UTC 2022 - Johannes Segitz diff --git a/libselinux.spec b/libselinux.spec index 15270e4..9ad6c93 100644 --- a/libselinux.spec +++ b/libselinux.spec @@ -32,6 +32,7 @@ Source4: baselibs.conf # PATCH-FIX-UPSTREAM Include for readv prototype Patch4: readv-proto.patch Patch5: skip_cycles.patch +Patch7: restorecon_pin_file.patch BuildRequires: fdupes BuildRequires: libsepol-devel >= %{libsepol_ver} BuildRequires: pkgconfig @@ -101,6 +102,7 @@ necessary to develop your own software using libselinux. %setup -q -n libselinux-%{version} %patch4 -p1 %patch5 -p1 +%patch7 -p1 %build %define _lto_cflags %{nil} diff --git a/restorecon_pin_file.patch b/restorecon_pin_file.patch new file mode 100644 index 0000000..22f6cfd --- /dev/null +++ b/restorecon_pin_file.patch @@ -0,0 +1,139 @@ +Index: libselinux-3.4/src/selinux_restorecon.c +=================================================================== +--- libselinux-3.4.orig/src/selinux_restorecon.c ++++ libselinux-3.4/src/selinux_restorecon.c +@@ -623,13 +623,13 @@ out: + return rc; + } + +-static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first) ++static int restorecon_sb(const char *pathname, const struct stat *sb, ++ struct rest_flags *flags, bool first) + { + char *newcon = NULL; + char *curcon = NULL; + char *newtypecon = NULL; +- int fd = -1, rc; +- struct stat stat_buf; ++ int rc; + bool updated = false; + const char *lookup_path = pathname; + float pc; +@@ -644,21 +644,13 @@ static int restorecon_sb(const char *pat + lookup_path += rootpathlen; + } + +- fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL); +- if (fd < 0) +- goto err; +- +- rc = fstat(fd, &stat_buf); +- if (rc < 0) +- goto err; +- + if (rootpath != NULL && lookup_path[0] == '\0') + /* this is actually the root dir of the alt root. */ + rc = selabel_lookup_raw(fc_sehandle, &newcon, "/", +- stat_buf.st_mode); ++ sb->st_mode); + else + rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path, +- stat_buf.st_mode); ++ sb->st_mode); + + if (rc < 0) { + if (errno == ENOENT) { +@@ -667,10 +659,10 @@ static int restorecon_sb(const char *pat + "Warning no default label for %s\n", + lookup_path); + +- goto out; /* no match, but not an error */ ++ return 0; /* no match, but not an error */ + } + +- goto err; ++ return -1; + } + + if (flags->progress) { +@@ -690,17 +682,19 @@ static int restorecon_sb(const char *pat + } + + if (flags->add_assoc) { +- rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags); ++ rc = filespec_add(sb->st_ino, newcon, pathname, flags); + + if (rc < 0) { + selinux_log(SELINUX_ERROR, + "filespec_add error: %s\n", pathname); +- goto out1; ++ freecon(newcon); ++ return -1; + } + + if (rc > 0) { + /* Already an association and it took precedence. */ +- goto out; ++ freecon(newcon); ++ return 0; + } + } + +@@ -708,7 +702,7 @@ static int restorecon_sb(const char *pat + selinux_log(SELINUX_INFO, "%s matched by %s\n", + pathname, newcon); + +- if (fgetfilecon_raw(fd, &curcon) < 0) { ++ if (lgetfilecon_raw(pathname, &curcon) < 0) { + if (errno != ENODATA) + goto err; + +@@ -741,7 +735,7 @@ static int restorecon_sb(const char *pat + } + + if (!flags->nochange) { +- if (fsetfilecon(fd, newcon) < 0) ++ if (lsetfilecon(pathname, newcon) < 0) + goto err; + updated = true; + } +@@ -766,8 +760,6 @@ static int restorecon_sb(const char *pat + out: + rc = 0; + out1: +- if (fd >= 0) +- close(fd); + freecon(curcon); + freecon(newcon); + return rc; +@@ -865,6 +857,7 @@ static void *selinux_restorecon_thread(v + FTSENT *ftsent; + int error; + char ent_path[PATH_MAX]; ++ struct stat ent_st; + bool first = false; + + if (state->parallel) +@@ -963,11 +956,11 @@ loop_body: + /* fall through */ + default: + strcpy(ent_path, ftsent->fts_path); +- ++ ent_st = *ftsent->fts_statp; + if (state->parallel) + pthread_mutex_unlock(&state->mutex); + +- error = restorecon_sb(ent_path, &state->flags, ++ error = restorecon_sb(ent_path, &ent_st, &state->flags, + first); + + if (state->parallel) { +@@ -1163,7 +1156,7 @@ static int selinux_restorecon_common(con + goto cleanup; + } + +- error = restorecon_sb(pathname, &state.flags, true); ++ error = restorecon_sb(pathname, &sb, &state.flags, true); + goto cleanup; + } + diff --git a/selinux-ready b/selinux-ready index 789e0c0..d68b755 100644 --- a/selinux-ready +++ b/selinux-ready @@ -67,54 +67,47 @@ check_boot() check_mkinitrd() { - if [ "$INITRD" == "unknown" ]; then - return 1 - fi MCMD="mount.*/root/proc.*" - if ! [ -f "/boot/$INITRD" ];then - printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n" - return 2 - fi - - cp /boot/$INITRD $TD/ 2>/dev/null - - if ! [ -f "$TD/$INITRD" ];then - printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n" + if ! [ -f "/boot/initrd" ];then + printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/initrd'\n" return 2 fi + cp /boot/initrd $TD/ 2>/dev/null pushd . 2>&1>/dev/null cd $TD mkdir initrd-extracted cd initrd-extracted - INITRD_FORMAT=$(file $TD/$INITRD | awk -F' ' '{print $2}') - case $INITRD_FORMAT in - 'XZ' ) - xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; - 'ASCII' ) - /usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; - 'gzip' ) - gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; - * ) - printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n" - return 2 - esac - if [ -d boot ]; then - grep -E -- $MCMD boot/* 2>&1 >/dev/null - FLG1=$? - grep -E -- load_policy boot/* 2>&1 >/dev/null - FLG2=$? - else - # looks like we're using dracut/systemd. We can only check if libselinux1 - # exists - if [ -f lib64/libselinux.so.1 ]; then - # if this exists - FLG1=0 - FLG2=0 - fi - fi + INITRD_FORMAT=$(file $TD/initrd | awk -F' ' '{print $2}') + case $INITRD_FORMAT in + 'XZ' ) + xz -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; + 'ASCII' ) + /usr/lib/dracut/skipcpio $TD/initrd | zstd -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; + 'gzip' ) + gzip -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; + 'Zstandard' ) + zstd -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; + * ) + printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n" + return 2 + esac + if [ -d boot ]; then + grep -E -- $MCMD boot/* 2>&1 >/dev/null + FLG1=$? + grep -E -- load_policy boot/* 2>&1 >/dev/null + FLG2=$? + else + # looks like we're using dracut/systemd. We can only check if libselinux1 + # exists + if [ -f lib64/libselinux.so.1 ]; then + # if this exists + FLG1=0 + FLG2=0 + fi + fi popd 2>&1>/dev/null if [ $FLG1 == 0 -a $FLG2 == 0 ];then