From 63a09f826d15c6db665f8a2514731f8287d7df04 Mon Sep 17 00:00:00 2001
From: Florian Festi
Date: Dec 05 2022 11:15:30 +0000
Subject: Handle SELinux log messages
Resolves: #2123719
---
diff --git a/rpm-4.18-libselinux-log.patch b/rpm-4.18-libselinux-log.patch
new file mode 100644
index 0000000..5a55cb4
--- /dev/null
+++ b/rpm-4.18-libselinux-log.patch
@@ -0,0 +1,78 @@
+From 96888e99c5103d9dea5230c917b946732de2d302 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen
+Date: Thu, 22 Sep 2022 11:54:47 +0300
+Subject: [PATCH] Add a handler for libselinux log messages (RhBug:2123719,
+ RhBug:2050774)
+
+libselinux logs to stderr by default, which up to now has been just fine
+with us. However somewhere around libselinux 3.2 it begun issuing
+log messages for events discovered in selinux_status_updated().
+We only call that to see whether the status *was* updated behind our
+back and are not interested in these audit-style messages for our
+functionality, but to suppress them while preserving actually relevant
+errors and warnings, we need to have a log callback of our own. Might as
+well forward them to rpmlog then.
+
+SELINUX_ERROR and SELINUX_WARNING are pretty obvious, of SELINUX_AVC
+selinux_set_callback(3) says it should be treated as SELINUX_ERROR if
+not audited. The rest we suppress to debug messages, they may be handy
+for diagnostics some day.
+
+Note that this intentionally avoids explicit SELINUX_POLICYLOAD and
+SELINUX_SETENFORCE cases in the switch: we don't want to introduce
+libselinux >= 3.2 dependency just because of this silly thing.
+---
+ plugins/selinux.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+diff --git a/plugins/selinux.c b/plugins/selinux.c
+index 747f62d05..0f10331f0 100644
+--- a/plugins/selinux.c
++++ b/plugins/selinux.c
+@@ -18,6 +18,35 @@ static inline rpmlogLvl loglvl(int iserror)
+ return iserror ? RPMLOG_ERR : RPMLOG_DEBUG;
+ }
+
++static int logcb(int type, const char *fmt, ...)
++{
++ char *buf = NULL;
++ va_list ap;
++ int lvl;
++
++ switch (type) {
++ case SELINUX_ERROR:
++ case SELINUX_AVC:
++ lvl = RPMLOG_ERR;
++ break;
++ case SELINUX_WARNING:
++ lvl = RPMLOG_WARNING;
++ break;
++ default:
++ lvl = RPMLOG_DEBUG;
++ break;
++ }
++
++ va_start(ap, fmt);
++ rvasprintf(&buf, fmt, ap);
++ va_end(ap);
++
++ rpmlog(lvl, "libselinux: type %d: %s", type, buf);
++ free(buf);
++
++ return 0;
++}
++
+ static void sehandle_fini(int close_status)
+ {
+ if (sehandle) {
+@@ -44,6 +73,7 @@ static rpmRC sehandle_init(int open_status)
+ if (selinux_status_open(0) < 0) {
+ return RPMRC_FAIL;
+ }
++ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &logcb);
+ } else if (!selinux_status_updated() && sehandle) {
+ return RPMRC_OK;
+ }
+--
+2.38.1
+
diff --git a/rpm.spec b/rpm.spec
index 5043311..ebac7d9 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -87,6 +87,7 @@ Patch115: rpm-4.16.1.3-fapolicyd-make-write-nonblocking.patch
 Patch116: rpm-4.16.1.3-bcond-macros.patch
 Patch117: rpm-4.16.1.3-caret-query.patch
 Patch118: rpm-4.16.1.3-caret-query2.patch
+Patch119: rpm-4.18-libselinux-log.patch
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
@@ -624,6 +625,7 @@ fi
 - Add bcond macros (#2129060)
 - Fix db queries with carets (#2129468)
 - Remove spurious Python rpm module (#2135731)
+- Handle SELinux log messages (#2123719)
 * Fri Oct 21 2022 Michal Domonkos - 4.16.1.3-19
 - Bump release for rebuild
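Review bot: The `selinux_set_callback(SELINUX_CB_LOG, ...)` call added in sehandle_init replaces libselinux's log callback for the whole process, not only for this plugin, so a program embedding librpm that had installed its own SELinux log handler would lose it once this path runs. Consider saving the previous handler with `selinux_get_callback(SELINUX_CB_LOG)` before installing logcb and putting it back in sehandle_fini; both functions continue outside the hunk, so whether that already happens elsewhere is not visible here. In logcb itself the result of `rvasprintf(&buf, fmt, ap)` is not checked before `buf` is passed to `%s`; if that helper can leave `buf` NULL on a formatting failure, a guard such as `if (buf == NULL) return 0;` before the rpmlog call would avoid it. A short comment above the `default:` case, noting that policy-load and setenforce notifications are deliberately logged at debug level, would keep that decision visible in the source and not only in the commit message.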