From 8cbe8baf9c3ff4754369bcd29441df14ecc6889d Mon Sep 17 00:00:00 2001
Message-Id: <8cbe8baf9c3ff4754369bcd29441df14ecc6889d.1554982512.git.pmatilai@redhat.com>
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 14 Feb 2019 13:12:49 +0200
Subject: [PATCH] Log RPMLOG_ERR level messages on actual errors in selinux
plugin, doh.
When there's an actual error, people will want to know without having
to rerun in verbose mode. Such as in RhBug:1641631 where configured
selinux policy differs from what is installed - the former message
error: Plugin selinux: hook tsm_pre failed
...is not particularly helpful to anybody, whereas this actually provides
some clues now:
error: selabel_open: (/etc/selinux/ponies/contexts/files/file_contexts) No such file or directory
error: Plugin selinux: hook tsm_pre failed
---
plugins/selinux.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
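diff --git a/plugins/selinux.c b/plugins/selinux.c
index accd47416..f1caf257c 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -12,6 +12,11 @@
 
 static struct selabel_handle * sehandle = NULL;
 
+static inline rpmlogLvl loglvl(int iserror)
+{
+ return iserror ? RPMLOG_ERR : RPMLOG_DEBUG;
+}
+
 static void sehandle_fini(int close_status)
 {
 if (sehandle) {
@@ -47,7 +52,7 @@ static rpmRC sehandle_init(int open_status)
 
 sehandle = selabel_open(SELABEL_CTX_FILE, opts, 1);
 
- rpmlog(RPMLOG_DEBUG, "selabel_open: (%s) %s\n",
+ rpmlog(loglvl(sehandle == NULL), "selabel_open: (%s) %s\n",
 path, (sehandle == NULL ? strerror(errno) : ""));
 
 return (sehandle != NULL) ? RPMRC_OK : RPMRC_FAIL;
@@ -125,10 +130,8 @@ static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
 if ((xx = setexeccon(newcon)) == 0)
 rc = RPMRC_OK;
 
- if (rpmIsDebug()) {
- rpmlog(RPMLOG_DEBUG, "setexeccon: (%s, %s) %s\n",
+ rpmlog(loglvl(xx < 0), "setexeccon: (%s, %s) %s\n",
 path, newcon, (xx < 0 ? strerror(errno) : ""));
- }
 
 exit:
 context_free(con);
@@ -143,10 +146,8 @@ exit:
 if ((xx = setexecfilecon(path, "rpm_script_t") == 0))
 rc = RPMRC_OK;
 
- if (rpmIsDebug()) {
- rpmlog(RPMLOG_DEBUG, "setexecfilecon: (%s) %s\n",
+ rpmlog(loglvl(xx < 0), "setexecfilecon: (%s) %s\n",
 path, (xx < 0 ? strerror(errno) : ""));
- }
 #endif
 /* If selinux is not enforcing, we don't care either */
 if (rc && security_getenforce() < 1)
@@ -167,10 +168,8 @@ static rpmRC selinux_fsm_file_prepare(rpmPlugin plugin, rpmfi fi,
 if (selabel_lookup_raw(sehandle, &scon, dest, file_mode) == 0) {
 int conrc = lsetfilecon(path, scon);
 
- if (rpmIsDebug()) {
- rpmlog(RPMLOG_DEBUG, "lsetfilecon: (%s, %s) %s\n",
+ rpmlog(loglvl(conrc < 0), "lsetfilecon: (%s, %s) %s\n",
 path, scon, (conrc < 0 ? strerror(errno) : ""));
- }
 
 if (conrc == 0 || (conrc < 0 && errno == EOPNOTSUPP))
 rc = RPMRC_OK;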
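Review bot: In the `setexecfilecon` hunk, `xx` receives the result of the comparison rather than the call's return value, because the closing parenthesis sits after `== 0`; `xx` is therefore only ever 0 or 1, so the new `loglvl(xx < 0)` can never select RPMLOG_ERR and a failure to set the scriptlet's exec context is still logged at debug level with an empty reason. Moving the parenthesis restores the intended behaviour: `if ((xx = setexecfilecon(path, "rpm_script_t")) == 0)`. Separately, in the `lsetfilecon` hunk the now-unconditional `rpmlog()` runs before the `errno == EOPNOTSUPP` test, so an EOPNOTSUPP result that the code goes on to treat as success is reported at error level, and the test reads `errno` after a call that may have changed it. Saving `errno` into a local right after `lsetfilecon()` and using that local both in the test and in the argument to `loglvl()` (error only when it is not EOPNOTSUPP) would cover both. The enclosing functions start and end outside the hunks shown.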
--
2.20.1