diff --git a/SOURCES/0004-libsemanage-genhomedircon-check-usepasswd.patch b/SOURCES/0004-libsemanage-genhomedircon-check-usepasswd.patch
deleted file mode 100644
index 19b56da..0000000
--- a/SOURCES/0004-libsemanage-genhomedircon-check-usepasswd.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From f0eb192096e3c06dad10dcb0737ab3434f3ce655 Mon Sep 17 00:00:00 2001
-From: Vit Mojzis
-Date: Fri, 30 Oct 2020 17:42:17 +0100
-Subject: [PATCH] libsemanage/genhomedircon: check usepasswd
-
-Only add user homedir contexts when usepasswd = True
-
-Resolves:
- # grep usepasswd /etc/selinux/semanage.conf
- usepasswd=False
- # useradd -Z unconfined_u -d /tmp test
- # matchpathcon /tmp
- /tmp unconfined_u:object_r:user_home_dir_t:s0
-
-Signed-off-by: Vit Mojzis
-
-(cherry-picked from SElinuxProject
-commit ce46daab7cc90a6b9cd3bff9f99cf40ff19c3d9a)
-
-Resolves: rhbz#1871786
---
- libsemanage/src/genhomedircon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
-index e5f8d371..1298bc77 100644
---- a/libsemanage/src/genhomedircon.c
-+++ b/libsemanage/src/genhomedircon.c
-@@ -1330,7 +1330,7 @@ static int write_context_file(genhomedircon_settings_t * s, FILE * out)
- s->fallback->home = NULL;
- }
- }
-- if (user_context_tpl || username_context_tpl) {
-+ if ((s->usepasswd) && (user_context_tpl || username_context_tpl)) {
- if (write_username_context(s, out, username_context_tpl,
- s->fallback) != STATUS_SUCCESS) {
- retval = STATUS_ERR;
---
-2.28.0
-
diff --git a/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch b/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch
new file mode 100644
index 0000000..112c7ca
--- /dev/null
+++ b/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch
@@ -0,0 +1,55 @@
+From 11e381e5aa3468aa5c2634f14706336c7824f226 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 27 Jan 2021 12:00:55 +0100
+Subject: [PATCH] libsemanage: sync filesystem with sandbox
+
+Commit 331a109f91ea ("libsemanage: fsync final files before rename")
+added fsync() for policy files and improved situation when something
+unexpected happens right after rename(). However the module store could
+be affected as well. After the following steps module files could be 0
+size:
+
+1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
+2. Force shutdown the server during the command is run, or right after
+ it's finished
+3. Boot the system and look for empty files:
+ # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
+ 1266
+
+It looks like this situation can be avoided if the filesystem with the
+sandbox is sync()ed before we start to rename() directories in the
+store.
+
+Signed-off-by: Petr Lautrbach
+Acked-by: Nicolas Iooss
+---
+ libsemanage/src/semanage_store.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 733df8da37c2..ae023582e907 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
+@@ -1737,6 +1737,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
+ }
+ close(fd);
++
++ /* sync changes in sandbox to filesystem */
++ fd = open(sandbox, O_DIRECTORY);
++ if (fd == -1) {
++ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
++ return -1;
++ }
++ if (syncfs(fd) == -1) {
++ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
++ close(fd);
++ return -1;
++ }
++ close(fd);
++
+ retval = commit_number;
+
+ if (semanage_get_active_lock(sh) < 0) {
+--
+2.30.0
+
diff --git a/SOURCES/semanage.conf b/SOURCES/semanage.conf
index 9045021..8d30db4 100644
--- a/SOURCES/semanage.conf
+++ b/SOURCES/semanage.conf
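Review bot: The two new ERR() calls in semanage_commit_sandbox() print the raw errno number with `%d`, which leaves the operator decoding the value by hand when the store commit fails on a shut-down box; `strerror(errno)` gives the readable text at no cost: `ERR(sh, "Error while opening %s for syncfs(): %s", sandbox, strerror(errno));` and `ERR(sh, "Error while syncing %s to filesystem: %s", sandbox, strerror(errno));` (semanage_store.c presumably already includes `<string.h>` — verify). The directory descriptor is also opened without O_CLOEXEC, so `open(sandbox, O_RDONLY | O_DIRECTORY | O_CLOEXEC)` would keep it from leaking into any child spawned while it is open; it is closed on every path shown here, so this is a hardening nit rather than a leak. One caveat worth a comment next to the syncfs() call: as I recall the syncfs(2) man page, kernels before 5.8 do not surface writeback errors through its return value, so a zero return is not a durability guarantee on older kernels, e.g. `/* NOTE: pre-5.8 kernels report success even on writeback error */`. semanage_commit_sandbox() begins before this hunk, so the early `return -1` paths were checked only against the visible context.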
@@ -42,14 +42,16 @@ module-store = direct expand-check=0 # usepasswd check tells semanage to scan all pass word records for home directories -# and setup the labeling correctly. If this is turned off, SELinux will label /home -# correctly only. You will need to use semanage fcontext command. +# and setup the labeling correctly. If this is turned off, SELinux will label only /home +# and home directories of users with SELinux login mappings defined, see +# semanage login -l for the list of such users. +# If you want to use a different home directory, you will need to use semanage fcontext command. # For example, if you had home dirs in /althome directory you would have to execute # semanage fcontext -a -e /home /althome usepasswd=False bzip-small=true bzip-blocksize=5 -ignoredirs=/root +ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var [sefcontext_compile] path = /usr/sbin/sefcontext_compile diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec index acc9c0c..17ab3fb 100644 --- a/SPECS/libsemanage.spec +++ b/SPECS/libsemanage.spec @@ -4,14 +4,14 @@ Summary: SELinux binary policy manipulation library Name: libsemanage Version: 2.9 -Release: 4%{?dist} +Release: 6%{?dist} License: LGPLv2+ Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch Patch0002: 0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch Patch0003: 0003-libsemanage-fsync-final-files-before-rename.patch -Patch0004: 0004-libsemanage-genhomedircon-check-usepasswd.patch +Patch0004: 0004-libsemanage-sync-filesystem-with-sandbox.patch URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf 
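Review bot: The expanded `ignoredirs=` line is now doing security-relevant work — per the changelog it is the replacement for the reverted genhomedircon usepasswd check, and presumably it is what stops an account created with its home under a system path (the `useradd -d /tmp` scenario from the dropped patch) from having user home labels applied to that directory — but it carries no comment, so a later editor trimming the list would not know what they are removing. A short comment above it would preserve that intent: `# ignoredirs: genhomedircon does not emit user home contexts for home directories under these (semicolon-separated) paths, so a system directory used as a home (e.g. useradd -d /tmp) keeps its normal labels`. The rewritten usepasswd text above reads clearly; its new second sentence could additionally say that the `semanage login -l` list is what is consulted when usepasswd=False, which is what it already implies.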
@@ -157,6 +157,14 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~ %{_libexecdir}/selinux/semanage_migrate_store %changelog +* Mon Feb 1 2021 Petr Lautrbach - 2.9-6 +- sync filesystem with sandbox (#1913224) + +* Mon Dec 21 2020 Petr Lautrbach - 2.9-5 +- Revert "genhomedircon: check usepasswd" (rhbz#1871786) +- semanage.conf - improve usepasswd=False explanation (rhbz#1871786) +- semanage.conf - expand list of ignoredirs (rhbz#1871786) + * Sun Nov 22 2020 Vit Mojzis - 2.9-4 - genhomedircon: check usepasswd (rhbz#1871786)