Accepting request 988988 from security:SELinux

OBS-URL: https://build.opensuse.org/request/show/988988
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libselinux?expand=0&rev=71
This commit is contained in:
Richard Brown 2022-07-18 16:32:42 +00:00 committed by Git OBS Bridge
commit 7a7e3bbc03
5 changed files with 184 additions and 38 deletions

View File

@ -36,6 +36,7 @@ Patch4: readv-proto.patch
# Make linking working even when default pkg-config doesnt provide -lpython<ver> # Make linking working even when default pkg-config doesnt provide -lpython<ver>
Patch5: python3.8-compat.patch Patch5: python3.8-compat.patch
Patch6: swig4_moduleimport.patch Patch6: swig4_moduleimport.patch
Patch7: restorecon_pin_file.patch
BuildRequires: libsepol-devel-static >= %{libsepol_ver} BuildRequires: libsepol-devel-static >= %{libsepol_ver}
BuildRequires: python-rpm-macros BuildRequires: python-rpm-macros
BuildRequires: python3-devel BuildRequires: python3-devel

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Thu Jul 7 12:16:45 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Fixed initrd check in selinux-ready (bnc#1186127)
-------------------------------------------------------------------
Tue May 31 15:10:26 UTC 2022 - Johannes Segitz <jsegitz@suse.com>
- Added restorecon_pin_file.patch. Fixes issus when running
fixfiles/restorecon
------------------------------------------------------------------- -------------------------------------------------------------------
Mon May 9 10:23:32 UTC 2022 - Johannes Segitz <jsegitz@suse.com> Mon May 9 10:23:32 UTC 2022 - Johannes Segitz <jsegitz@suse.com>

View File

@ -32,6 +32,7 @@ Source4: baselibs.conf
# PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype # PATCH-FIX-UPSTREAM Include <sys/uio.h> for readv prototype
Patch4: readv-proto.patch Patch4: readv-proto.patch
Patch5: skip_cycles.patch Patch5: skip_cycles.patch
Patch7: restorecon_pin_file.patch
BuildRequires: fdupes BuildRequires: fdupes
BuildRequires: libsepol-devel >= %{libsepol_ver} BuildRequires: libsepol-devel >= %{libsepol_ver}
BuildRequires: pkgconfig BuildRequires: pkgconfig
@ -101,6 +102,7 @@ necessary to develop your own software using libselinux.
%setup -q -n libselinux-%{version} %setup -q -n libselinux-%{version}
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch7 -p1
%build %build
%define _lto_cflags %{nil} %define _lto_cflags %{nil}

139
restorecon_pin_file.patch Normal file
View File

@ -0,0 +1,139 @@
Index: libselinux-3.4/src/selinux_restorecon.c
===================================================================
--- libselinux-3.4.orig/src/selinux_restorecon.c
+++ libselinux-3.4/src/selinux_restorecon.c
@@ -623,13 +623,13 @@ out:
return rc;
}
-static int restorecon_sb(const char *pathname, struct rest_flags *flags, bool first)
+static int restorecon_sb(const char *pathname, const struct stat *sb,
+ struct rest_flags *flags, bool first)
{
char *newcon = NULL;
char *curcon = NULL;
char *newtypecon = NULL;
- int fd = -1, rc;
- struct stat stat_buf;
+ int rc;
bool updated = false;
const char *lookup_path = pathname;
float pc;
@@ -644,21 +644,13 @@ static int restorecon_sb(const char *pat
lookup_path += rootpathlen;
}
- fd = open(pathname, O_PATH | O_NOFOLLOW | O_EXCL);
- if (fd < 0)
- goto err;
-
- rc = fstat(fd, &stat_buf);
- if (rc < 0)
- goto err;
-
if (rootpath != NULL && lookup_path[0] == '\0')
/* this is actually the root dir of the alt root. */
rc = selabel_lookup_raw(fc_sehandle, &newcon, "/",
- stat_buf.st_mode);
+ sb->st_mode);
else
rc = selabel_lookup_raw(fc_sehandle, &newcon, lookup_path,
- stat_buf.st_mode);
+ sb->st_mode);
if (rc < 0) {
if (errno == ENOENT) {
@@ -667,10 +659,10 @@ static int restorecon_sb(const char *pat
"Warning no default label for %s\n",
lookup_path);
- goto out; /* no match, but not an error */
+ return 0; /* no match, but not an error */
}
- goto err;
+ return -1;
}
if (flags->progress) {
@@ -690,17 +682,19 @@ static int restorecon_sb(const char *pat
}
if (flags->add_assoc) {
- rc = filespec_add(stat_buf.st_ino, newcon, pathname, flags);
+ rc = filespec_add(sb->st_ino, newcon, pathname, flags);
if (rc < 0) {
selinux_log(SELINUX_ERROR,
"filespec_add error: %s\n", pathname);
- goto out1;
+ freecon(newcon);
+ return -1;
}
if (rc > 0) {
/* Already an association and it took precedence. */
- goto out;
+ freecon(newcon);
+ return 0;
}
}
@@ -708,7 +702,7 @@ static int restorecon_sb(const char *pat
selinux_log(SELINUX_INFO, "%s matched by %s\n",
pathname, newcon);
- if (fgetfilecon_raw(fd, &curcon) < 0) {
+ if (lgetfilecon_raw(pathname, &curcon) < 0) {
if (errno != ENODATA)
goto err;
@@ -741,7 +735,7 @@ static int restorecon_sb(const char *pat
}
if (!flags->nochange) {
- if (fsetfilecon(fd, newcon) < 0)
+ if (lsetfilecon(pathname, newcon) < 0)
goto err;
updated = true;
}
@@ -766,8 +760,6 @@ static int restorecon_sb(const char *pat
out:
rc = 0;
out1:
- if (fd >= 0)
- close(fd);
freecon(curcon);
freecon(newcon);
return rc;
@@ -865,6 +857,7 @@ static void *selinux_restorecon_thread(v
FTSENT *ftsent;
int error;
char ent_path[PATH_MAX];
+ struct stat ent_st;
bool first = false;
if (state->parallel)
@@ -963,11 +956,11 @@ loop_body:
/* fall through */
default:
strcpy(ent_path, ftsent->fts_path);
-
+ ent_st = *ftsent->fts_statp;
if (state->parallel)
pthread_mutex_unlock(&state->mutex);
- error = restorecon_sb(ent_path, &state->flags,
+ error = restorecon_sb(ent_path, &ent_st, &state->flags,
first);
if (state->parallel) {
@@ -1163,7 +1156,7 @@ static int selinux_restorecon_common(con
goto cleanup;
}
- error = restorecon_sb(pathname, &state.flags, true);
+ error = restorecon_sb(pathname, &sb, &state.flags, true);
goto cleanup;
}

View File

@ -67,36 +67,29 @@ check_boot()
check_mkinitrd() check_mkinitrd()
{ {
if [ "$INITRD" == "unknown" ]; then
return 1
fi
MCMD="mount.*/root/proc.*" MCMD="mount.*/root/proc.*"
if ! [ -f "/boot/$INITRD" ];then if ! [ -f "/boot/initrd" ];then
printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/$INITRD'\n" printf "\tcheck_mkinitrd: ERR. Unable to locate '/boot/initrd'\n"
return 2
fi
cp /boot/$INITRD $TD/ 2>/dev/null
if ! [ -f "$TD/$INITRD" ];then
printf "\tcheck_mkinitrd: ERR. Error while copying initrd file.'\n"
return 2 return 2
fi fi
cp /boot/initrd $TD/ 2>/dev/null
pushd . 2>&1>/dev/null pushd . 2>&1>/dev/null
cd $TD cd $TD
mkdir initrd-extracted mkdir initrd-extracted
cd initrd-extracted cd initrd-extracted
INITRD_FORMAT=$(file $TD/$INITRD | awk -F' ' '{print $2}') INITRD_FORMAT=$(file $TD/initrd | awk -F' ' '{print $2}')
case $INITRD_FORMAT in case $INITRD_FORMAT in
'XZ' ) 'XZ' )
xz -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; xz -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'ASCII' ) 'ASCII' )
/usr/lib/dracut/skipcpio $TD/$INITRD | xz -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; /usr/lib/dracut/skipcpio $TD/initrd | zstd -d | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'gzip' ) 'gzip' )
gzip -d -c $TD/$INITRD | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;; gzip -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
'Zstandard' )
zstd -d -c $TD/initrd | cpio -i --force-local --no-absolute-filenames 2>/dev/null ;;
* ) * )
printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n" printf "\tcheck_mkinitrd: ERR. Error while extracting initrd file.'\n"
return 2 return 2