diff --git a/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch b/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch
new file mode 100644
index 0000000..112c7ca
--- /dev/null
+++ b/SOURCES/0004-libsemanage-sync-filesystem-with-sandbox.patch
@@ -0,0 +1,55 @@
+From 11e381e5aa3468aa5c2634f14706336c7824f226 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 27 Jan 2021 12:00:55 +0100
+Subject: [PATCH] libsemanage: sync filesystem with sandbox
+
+Commit 331a109f91ea ("libsemanage: fsync final files before rename")
+added fsync() for policy files and improved situation when something
+unexpected happens right after rename(). However the module store could
+be affected as well. After the following steps module files could be 0
+size:
+
+1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
+2. Force shutdown the server during the command is run, or right after
+ it's finished
+3. Boot the system and look for empty files:
+ # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
+ 1266
+
+It looks like this situation can be avoided if the filesystem with the
+sandbox is sync()ed before we start to rename() directories in the
+store.
+
+Signed-off-by: Petr Lautrbach
+Acked-by: Nicolas Iooss
+---
+ libsemanage/src/semanage_store.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index 733df8da37c2..ae023582e907 100644
+--- a/libsemanage/src/semanage_store.c
++++ b/libsemanage/src/semanage_store.c
+@@ -1737,6 +1737,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
+ }
+ close(fd);
+ 
++ /* sync changes in sandbox to filesystem */
++ fd = open(sandbox, O_DIRECTORY);
++ if (fd == -1) {
++ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
++ return -1;
++ }
++ if (syncfs(fd) == -1) {
++ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
++ close(fd);
++ return -1;
++ }
++ close(fd);
++
+ retval = commit_number;
+ 
+ if (semanage_get_active_lock(sh) < 0) {
+-- 
+2.30.0
+
diff --git a/SOURCES/semanage.conf b/SOURCES/semanage.conf
index 9045021..8d30db4 100644
--- a/SOURCES/semanage.conf
+++ b/SOURCES/semanage.conf
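Review bot: The sync block added right after `close(fd);` opens the sandbox with `open(sandbox, O_DIRECTORY)`, which only works because `O_RDONLY` is 0 and leaves the descriptor inheritable across a concurrent fork until it is closed; the conventional spelling is `fd = open(sandbox, O_RDONLY | O_DIRECTORY | O_CLOEXEC);`. The `syncfs(fd)` line also deserves a comment: it flushes every dirty page of the whole filesystem holding the sandbox (normally the root filesystem), it is Linux/glibc-specific with no fallback, and since the rename()s the commit message says follow are not themselves fsync'ed, a crash after them can presumably still roll the store back to the previous commit — just no longer to truncated module files. Suggested text: `/* syncfs() rather than per-file fsync(): the sandbox holds many module files, so flush the whole filesystem once so their data is durable before the rename()s below make them the active store (Linux-specific; flushes unrelated dirty data too). */`. semanage_commit_sandbox() starts and ends outside the hunk.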
@@ -42,14 +42,16 @@ module-store = direct
 expand-check=0
 # usepasswd check tells semanage to scan all pass word records for home directories
-# and setup the labeling correctly. If this is turned off, SELinux will label /home
-# correctly only. You will need to use semanage fcontext command.
+# and setup the labeling correctly. If this is turned off, SELinux will label only /home
+# and home directories of users with SELinux login mappings defined, see
+# semanage login -l for the list of such users.
+# If you want to use a different home directory, you will need to use semanage fcontext command.
 # For example, if you had home dirs in /althome directory you would have to execute
 # semanage fcontext -a -e /home /althome
 usepasswd=False
 bzip-small=true
 bzip-blocksize=5
-ignoredirs=/root
+ignoredirs=/root;/bin;/boot;/dev;/etc;/lib;/lib64;/proc;/run;/sbin;/sys;/tmp;/usr;/var
 [sefcontext_compile]
 path = /usr/sbin/sefcontext_compile
diff --git a/SPECS/libsemanage.spec b/SPECS/libsemanage.spec
index d8b4c23..17ab3fb 100644
--- a/SPECS/libsemanage.spec
+++ b/SPECS/libsemanage.spec
@@ -4,13 +4,14 @@ Summary: SELinux binary policy manipulation library
 Name: libsemanage
 Version: 2.9
-Release: 3%{?dist}
+Release: 6%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsemanage-2.9.tar.gz
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 Patch0001: 0001-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
 Patch0002: 0002-libsemanage-Add-support-for-DCCP-and-SCTP-protocols.patch
 Patch0003: 0003-libsemanage-fsync-final-files-before-rename.patch
+Patch0004: 0004-libsemanage-sync-filesystem-with-sandbox.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
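Review bot: The new `ignoredirs=` value on the last changed line of the semanage.conf hunk is the only setting in this section with no explanatory comment, so a reader cannot tell whether the entries are matched exactly or by prefix, nor that a home directory under an unlisted top-level path (/srv, /opt, /mnt) will still be treated as a home directory when labeling is generated. Suggested comment above it: `# Directories that must never be treated as a home directory when home-directory labeling is generated (';'-separated; presumably matched by path prefix - confirm against genhomedircon).` The rest of this hunk is comment wording, and the spec hunk sharing this line is a release bump plus the new patch entry.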
@@ -156,6 +157,17 @@ rm %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store~ %{_libexecdir}/selinux/semanage_migrate_store %changelog +* Mon Feb 1 2021 Petr Lautrbach - 2.9-6 +- sync filesystem with sandbox (#1913224) + +* Mon Dec 21 2020 Petr Lautrbach - 2.9-5 +- Revert "genhomedircon: check usepasswd" (rhbz#1871786) +- semanage.conf - improve usepasswd=False explanation (rhbz#1871786) +- semanage.conf - expand list of ignoredirs (rhbz#1871786) + +* Sun Nov 22 2020 Vit Mojzis - 2.9-4 +- genhomedircon: check usepasswd (rhbz#1871786) + * Mon Jun 29 2020 Vit Mojzis - 2.9-3 - Fsync final files before rename (#1838762)