From 4d1c9147031835fd3fec6b5b0c930c144f90ecd1862105dc8e6f606ec6423b34 Mon Sep 17 00:00:00 2001
From: Hu
Date: Wed, 14 Aug 2024 12:09:35 +0000
Subject: [PATCH] - Drop varrun-convert.sh script as it causes issues with container-selinux update (bsc#1228951)
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=252
---
 selinux-policy.changes | 6 +++
 selinux-policy.spec | 9 ----
 varrun-convert.sh | 105 -----------------------------------------
 3 files changed, 6 insertions(+), 114 deletions(-)
 delete mode 100644 varrun-convert.sh
diff --git a/selinux-policy.changes b/selinux-policy.changes
index 1191cd2..4c8b08b 100644
--- a/selinux-policy.changes
+++ b/selinux-policy.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Aug 14 07:00:34 UTC 2024 - Cathy Hu
+
+- Drop varrun-convert.sh script as it causes issues with
+ container-selinux update (bsc#1228951)
+
 -------------------------------------------------------------------
 Mon Aug 12 15:30:47 UTC 2024 - cathy.hu@suse.com
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4db403c..c1463db 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -61,9 +61,6 @@ Source30: setrans-targeted.conf
 Source31: setrans-mls.conf
 Source32: setrans-minimum.conf
-# Script to convert /var/run file context entries to /run
-Source37: varrun-convert.sh
-
 Source40: securetty_types-targeted
 Source41: securetty_types-mls
 Source42: securetty_types-minimum
@@ -221,7 +218,6 @@ rm -f %{buildroot}%{_sharedstatedir}/selinux/%1/active/*.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/policy.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/seusers.linked \
 %ghost %{_sharedstatedir}/selinux/%1/active/users_extra.linked \
-%ghost %{_sharedstatedir}/selinux/%1/active/modules/400/extra_varrun \
 %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/file_contexts.homedirs \
 %nil
@@ -258,7 +254,6 @@ fi;
 %define postInstall() \
 . %{_sysconfdir}/selinux/config; \
-%{_libexecdir}/selinux/varrun-convert.sh %2; \
 if [ -e %{_sysconfdir}/selinux/%2/.rebuild ]; then \
 rm %{_sysconfdir}/selinux/%2/.rebuild; \
 /usr/sbin/semodule -B -n -s %2; \
@@ -315,7 +310,6 @@ of systems and used as the basis for creating other policies.
 %ghost %config(noreplace) %{_sysconfdir}/selinux/config
 %{_tmpfilesdir}/selinux-policy.conf
 %{_rpmconfigdir}/macros.d/macros.selinux-policy
-%{_libexecdir}/selinux/varrun-convert.sh
 %package sandbox
 Summary: SELinux policy sandbox
@@ -383,9 +377,6 @@ for i in %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15}
 cp $i selinux_config
 done
-mkdir -p %{buildroot}%{_libexecdir}/selinux
-install -m 755 %{SOURCE37} %{buildroot}%{_libexecdir}/selinux
-
 make clean
 %if %{BUILD_TARGETED}
 %makeCmds targeted mcs allow
diff --git a/varrun-convert.sh b/varrun-convert.sh
deleted file mode 100644
index 270ce1e..0000000
--- a/varrun-convert.sh
+++ /dev/null
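Review bot: The new postInstall body stops calling varrun-convert.sh but never removes the `extra_varrun` module that the old script loaded into the `%2` store, so a system upgrading from a release that ran it keeps the generated /run filecon rules; with the `%ghost .../modules/400/extra_varrun` entry also dropped, rpm no longer tracks that directory, and whether it is erased on upgrade is not visible from this hunk. If that stale module is what breaks the container-selinux update, a one-off removal in this macro would clean it up, e.g. `/usr/sbin/semodule -n -s %2 -X 400 -r extra_varrun 2>/dev/null || :; \` placed before the `.rebuild` check so the conditional `-B -n` rebuild still runs afterwards. If the module is meant to stay on upgraded hosts, a short comment above the `%define` saying so would save the next reader the same question. The `%define postInstall()` macro body continues beyond the end of the hunk.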
@@ -1,105 +0,0 @@
-#!/bin/bash
-### varrun-convert.sh
-### convert legacy filecontext entries containing /var/run to /run
-### and load an extra selinux module with the new content
-### the script takes a policy name as an argument
-
-# Set DEBUG=yes before running the script to get more verbose output
-# on the terminal and to the $LOG file
-if [ "${DEBUG}" = "yes" ]; then
- set -x
-fi
-
-# Auxiliary and log files will be created in OUTPUTDIR
-OUTPUTDIR="/run/selinux-policy"
-LOG="$OUTPUTDIR/log"
-mkdir -p ${OUTPUTDIR}
-
-if [ -z ${1} ]; then
- [ "${DEBUG}" = "yes" ] && echo "Error: Policy name required as an argument (e.g. targeted)" >> $LOG
- exit
-fi
-
-SEMODULEOPT="-s ${1}"
-[ "${DEBUG}" = "yes" ] && SEMODULEOPT="-v ${SEMODULEOPT}"
-
-# Take current file_contexts and unify whitespace separators
-FILE_CONTEXTS="/etc/selinux/${1}/contexts/files/file_contexts"
-FILE_CONTEXTS_UNIFIED="$OUTPUTDIR/file_contexts_unified"
-if [ ! -f ${FILE_CONTEXTS} ]; then
- [ "${DEBUG}" = "yes" ] && echo "Error: File context database file does not exist" >> $LOG
- exit
-fi
-
-if ! grep -q ^/var/run ${FILE_CONTEXTS}; then
- [ "${DEBUG}" = "yes" ] && echo "Info: No entries containing /var/run" >> $LOG
- exit 0
-fi
-
-EXTRA_VARRUN_ENTRIES_WITHDUP="$OUTPUTDIR/extra_varrun_entries_dup.txt"
-EXTRA_VARRUN_ENTRIES_WITHDUP_TMP="$OUTPUTDIR/extra_varrun_entries_dup.tmp"
-EXTRA_VARRUN_ENTRIES="$OUTPUTDIR/extra_varrun_entries.txt"
-EXTRA_VARRUN_CIL="$OUTPUTDIR/extra_varrun.cil"
-
-# Print only /var/run entries
-grep ^/var/run ${FILE_CONTEXTS} > ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-
-# Unify whitespace separators
-sed -i 's/[ \t]\+/ /g' ${EXTRA_VARRUN_ENTRIES_WITHDUP}
-sed 's/[ \t]\+/ /g' ${FILE_CONTEXTS} > ${FILE_CONTEXTS_UNIFIED}
-
-rm -f $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-touch $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
-# Deduplicate already existing /var/run=/run entries
-while read line
-do
- subline="${line#/var}"
- if ! grep -q "^${subline}" ${FILE_CONTEXTS_UNIFIED}; then
- # check for overal duplicate entries
- subline2=$(echo $line | sed -E -e 's/ \S+$//')
- if ! grep -q "^${subline2}" ${EXTRA_VARRUN_ENTRIES_WITHDUP_TMP}; then
- echo "$line"
- echo "$line" >> $EXTRA_VARRUN_ENTRIES_WITHDUP_TMP
- else
- >&2 echo "DUP: $line"
- fi
- fi
-done < ${EXTRA_VARRUN_ENTRIES_WITHDUP} > ${EXTRA_VARRUN_ENTRIES}
-
-# Change /var/run to /run
-sed -i 's|^/var/run|/run|' ${EXTRA_VARRUN_ENTRIES}
-
-# Exception handling: packages with already duplicate entries
-sed -i '/^\/run\/snapd/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/vfrnav/d' ${EXTRA_VARRUN_ENTRIES}
-sed -i '/^\/run\/waydroid/d' ${EXTRA_VARRUN_ENTRIES}
-
-# Change format to cil
-sed -i 's/^\([^ ]\+\) \([^-]\)/\1 any \2/' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -- /\1 file /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -b /\1 block /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -c /\1 char /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -d /\1 dir /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -l /\1 symlink /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -p /\1 pipe /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) -s /\1 socket /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/^\([^ ]\+\) /(filecon "\1" /' ${EXTRA_VARRUN_ENTRIES}
-sed -i 's/system_u:object_r:\([^:]*\):\(.*\)$/(system_u object_r \1 ((\2) (\2))))/' ${EXTRA_VARRUN_ENTRIES}
-
-# Handle entries with <> which do not match previous regexps
-sed -i s'/ <>$/ ())/' ${EXTRA_VARRUN_ENTRIES}
-
-# Wrap each line with an optional block
-i=1
-while read line
-do
- echo "(optional extra_var_run_${i}"
- echo " $line"
- echo ")"
- ((i++))
-done < ${EXTRA_VARRUN_ENTRIES} > ${EXTRA_VARRUN_CIL}
-
-# Load module
-[ -s ${EXTRA_VARRUN_CIL} ] &&
-/usr/sbin/semodule ${SEMODULEOPT} -i ${EXTRA_VARRUN_CIL}
-