From db81de97febc8c79bfe7c54f57ae313cc5ba0728 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Wed, 8 Jun 2022 19:09:53 +0200
Subject: [PATCH] libsemanage: always write kernel policy when
check_ext_changes is specified
For the use case of rebuilding the policy after package updates, we need
the check_ext_changes operation to always do at least the do_write_kernel
step, because the various semanage dbs may have also changed content
relative to the current binary policy. As this step is itself relatively
fast, we can do it unconditionally.
Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsemanage/include/semanage/handle.h | 2 +-
libsemanage/src/direct_api.c | 8 +++++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/libsemanage/include/semanage/handle.h b/libsemanage/include/semanage/handle.h
index 7f298a49..df919a14 100644
--- a/libsemanage/include/semanage/handle.h
+++ b/libsemanage/include/semanage/handle.h
@@ -67,7 +67,7 @@ void semanage_set_reload(semanage_handle_t * handle, int do_reload);
void semanage_set_rebuild(semanage_handle_t * handle, int do_rebuild);
/* set whether to rebuild the policy on commit when potential changes
- * to module files since last rebuild are detected,
+ * to store files since last rebuild are detected,
* 1 for yes (default), 0 for no */
extern void semanage_set_check_ext_changes(semanage_handle_t * handle, int do_check);
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
index bbdca2b2..252fc5bb 100644
--- a/libsemanage/src/direct_api.c
+++ b/libsemanage/src/direct_api.c
@@ -1430,13 +1430,15 @@ static int semanage_direct_commit(semanage_handle_t * sh)
* Determine what else needs to be done.
* We need to write the kernel policy if we are rebuilding
* or if any other policy component that lives in the kernel
- * policy has been modified.
+ * policy has been modified. We also want to force it when
+ * check_ext_changes was specified as the various dbases may have
+ * changes as well.
* We need to install the policy files if any of the managed files
* that live under /etc/selinux (kernel policy, seusers, file contexts)
* will be modified.
*/
- do_write_kernel = do_rebuild | ports_modified | ibpkeys_modified |
- ibendports_modified |
+ do_write_kernel = do_rebuild | sh->check_ext_changes |
+ ports_modified | ibpkeys_modified | ibendports_modified |
bools->dtable->is_modified(bools->dbase) |
ifaces->dtable->is_modified(ifaces->dbase) |
nodes->dtable->is_modified(nodes->dbase) |
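Review bot: OR-ing `sh->check_ext_changes` into `do_write_kernel` makes the kernel policy write unconditional whenever that flag is set, while the unchanged context line in handle.h still documents the flag as `1 for yes (default)`; if that default is accurate, every commit now rewrites the binary policy and the remaining `*_modified` terms in this expression no longer decide anything. Please confirm the actual default where the handle is initialised (not visible in this patch) and correct whichever of the comment or the code is off. The handle.h comment should also spell out the new contract, for example `when enabled, the kernel policy is always rewritten on commit, even if no store change is detected`, because a caller that expects an unchanged commit to leave the installed policy alone may now see it replaced. Since the flag is a caller-supplied `int`, writing `!!sh->check_ext_changes` would keep `do_write_kernel` a clean 0/1 in case later code compares it against 1. semanage_direct_commit's body starts and continues outside this hunk.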
--
2.35.3