From e06bdb7b8d86fe1ad0095429e7cdf5a78760edea9c3e912c6594275eb9f53945 Mon Sep 17 00:00:00 2001
From: Johannes Segitz
Date: Wed, 15 Jan 2020 13:35:11 +0000
Subject: [PATCH] Accepting request 764641 from home:jsegitz:branches:security:SELinux - Added r_opts_global.patch to fix build problems with gcc due to multiple definitions for global symbols (bsc#1160290)
OBS-URL: https://build.opensuse.org/request/show/764641
OBS-URL: https://build.opensuse.org/package/show/security:SELinux/restorecond?expand=0&rev=9
---
 r_opts_global.patch | 109 ++++++++++++++++++++++++++++++++++++++++++++
 restorecond.changes | 6 +++
 restorecond.spec | 5 +-
 3 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 r_opts_global.patch
diff --git a/r_opts_global.patch b/r_opts_global.patch
new file mode 100644
index 0000000..a8fc97f
--- /dev/null
+++ b/r_opts_global.patch
@@ -0,0 +1,109 @@
+commit ad2208ec220f55877a4d31084be2b4d6413ee082
+Author: Baichuan Kong
+Date: Thu Nov 14 10:48:07 2019 +0800
+
+ restorecond: Fix redundant console log output error
+
+ When starting restorecond without any option the following redundant
+ console log is outputed:
+
+ /dev/log 100.0%
+ /var/volatile/run/syslogd.pid 100.0%
+ ...
+
+ This is caused by two global variables of same name r_opts. When
+ executes r_opts = opts in restore_init(), it originally intends
+ to assign the address of struct r_opts in "restorecond.c" to the
+ pointer *r_opts in "restore.c".
+
+ However, the address is assigned to the struct r_opts and covers
+ the value of low eight bytes in it. That causes unexpected value
+ of member varibale 'nochange' and 'verbose' in struct r_opts, thus
+ affects value of 'restorecon_flags' and executes unexpected operations
+ when restorecon the files such as the redundant console log output or
+ file label nochange.
+
+ Cause restorecond/restore.c is copied from policycoreutils/setfiles,
+ which share the same pattern. It also has potential risk to generate
+ same problems, So fix it in case.
+
+ Signed-off-by: Baichuan Kong
+
+diff --git a/restorecond/restore.c b/restorecond/restore.c
+index f6e30001..b93b5fdb 100644
+--- a/restorecond/restore.c
++++ b/restorecond/restore.c
+@@ -12,39 +12,36 @@
+ char **exclude_list;
+ int exclude_count;
+
+-struct restore_opts *r_opts;
+-
+ void restore_init(struct restore_opts *opts)
+ {
+ int rc;
+
+- r_opts = opts;
+ struct selinux_opt selinux_opts[] = {
+- { SELABEL_OPT_VALIDATE, r_opts->selabel_opt_validate },
+- { SELABEL_OPT_PATH, r_opts->selabel_opt_path },
+- { SELABEL_OPT_DIGEST, r_opts->selabel_opt_digest }
++ { SELABEL_OPT_VALIDATE, opts->selabel_opt_validate },
++ { SELABEL_OPT_PATH, opts->selabel_opt_path },
++ { SELABEL_OPT_DIGEST, opts->selabel_opt_digest }
+ };
+
+- r_opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
+- if (!r_opts->hnd) {
+- perror(r_opts->selabel_opt_path);
++ opts->hnd = selabel_open(SELABEL_CTX_FILE, selinux_opts, 3);
++ if (!opts->hnd) {
++ perror(opts->selabel_opt_path);
+ exit(1);
+ }
+
+- r_opts->restorecon_flags = 0;
+- r_opts->restorecon_flags = r_opts->nochange | r_opts->verbose |
+- r_opts->progress | r_opts->set_specctx |
+- r_opts->add_assoc | r_opts->ignore_digest |
+- r_opts->recurse | r_opts->userealpath |
+- r_opts->xdev | r_opts->abort_on_error |
+- r_opts->syslog_changes | r_opts->log_matches |
+- r_opts->ignore_noent | r_opts->ignore_mounts;
++ opts->restorecon_flags = 0;
++ opts->restorecon_flags = opts->nochange | opts->verbose |
++ opts->progress | opts->set_specctx |
++ opts->add_assoc | opts->ignore_digest |
++ opts->recurse | opts->userealpath |
++ opts->xdev | opts->abort_on_error |
++ opts->syslog_changes | opts->log_matches |
++ opts->ignore_noent | opts->ignore_mounts;
+
+ /* Use setfiles, restorecon and restorecond own handles */
+- selinux_restorecon_set_sehandle(r_opts->hnd);
++ selinux_restorecon_set_sehandle(opts->hnd);
+
+- if (r_opts->rootpath) {
+- rc = selinux_restorecon_set_alt_rootpath(r_opts->rootpath);
++ if (opts->rootpath) {
++ rc = selinux_restorecon_set_alt_rootpath(opts->rootpath);
+ if (rc) {
+ fprintf(stderr,
+ "selinux_restorecon_set_alt_rootpath error: %s.\n",
+@@ -75,7 +72,6 @@ int process_glob(char *name, struct restore_opts *opts)
+ size_t i = 0;
+ int len, rc, errors;
+
+- r_opts = opts;
+ memset(&globbuf, 0, sizeof(globbuf));
+
+ errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
+@@ -90,7 +86,7 @@ int process_glob(char *name, struct restore_opts *opts)
+ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ continue;
+ rc = selinux_restorecon(globbuf.gl_pathv[i],
+- r_opts->restorecon_flags);
++ opts->restorecon_flags);
+ if (rc < 0)
+ errors = rc;
+ }
diff --git a/restorecond.changes b/restorecond.changes
index 2f62741..7450bdf 100644
--- a/restorecond.changes
+++ b/restorecond.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 15 10:11:33 UTC 2020 - Johannes Segitz
+
+- Added r_opts_global.patch to fix build problems with gcc due to
+ multiple definitions for global symbols (bsc#1160290)
+
 -------------------------------------------------------------------
 Thu Dec 5 10:06:43 UTC 2019 - Martin Liška
diff --git a/restorecond.spec b/restorecond.spec
index 5d1ea17..cb4bfb6 100644
--- a/restorecond.spec
+++ b/restorecond.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package restorecond
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,8 @@ License: GPL-2.0-or-later
 Group: Productivity/Security
 URL: https://github.com/SELinuxProject/selinux.git
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-%{version}.tar.gz
+# can be dropped with 3.0
+Patch0: r_opts_global.patch
 BuildRequires: dbus-1-glib-devel
 BuildRequires: libselinux-devel >= %{libselinux_ver}
 Requires: libselinux1 >= %{libselinux_ver}
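Review bot: In `restore_init` the count passed to `selabel_open()` is still the literal `3`, which has to be kept in step with the `selinux_opts[]` initializer by hand; `selabel_open(SELABEL_CTX_FILE, selinux_opts, sizeof(selinux_opts) / sizeof(selinux_opts[0]))` ties it to the array. The `opts->restorecon_flags = 0;` store directly before the OR expression is overwritten by the next statement and can be dropped. As far as the hunks show, `restorecon_flags` is computed only in `restore_init`, so `process_glob` relies on being handed the same `opts` that was initialised there; a short comment on both functions, such as `/* opts must already have been passed to restore_init() */` on `process_glob`, would make that contract explicit now that the file-scope pointer is gone. Both function bodies continue outside the hunks.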
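Review bot: The comment above `Patch0` records only when the patch can be dropped, not where it comes from or which bug it tracks, so a later maintainer cannot check it against upstream without opening the patch file. Something like `# PATCH-FIX-UPSTREAM bsc#1160290 upstream commit ad2208ec220f55877a4d31084be2b4d6413ee082, can be dropped with 3.0` would carry the provenance. The changelog entry presents this as a gcc build fix, while the upstream message inside the patch describes `nochange` and `verbose` being overwritten at runtime; mentioning that in the comment would help anyone judging whether earlier builds relabelled files as intended.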
@@ -35,6 +37,7 @@ Daemon that watches for file creation and then sets the default SELinux file con
 %prep
 %setup -q
+%patch0 -p2
 %build
 export CFLAGS="%optflags"