!45 [sync] PR-43: backport patches from upstream

From: @openeuler-sync-bot 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
openeuler-ci-bot 2023-12-20 09:36:45 +00:00 committed by Gitee
commit 1b3ea0db67
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 60 additions and 1 deletions


@ -0,0 +1,55 @@
From c35919a703302bd571476f245d856174a1fe1926 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 27 Jan 2021 12:00:55 +0100
Subject: [PATCH] libsemanage: sync filesystem with sandbox
Commit 331a109f91ea ("libsemanage: fsync final files before rename")
added fsync() for policy files and improved situation when something
unexpected happens right after rename(). However the module store could
be affected as well. After the following steps module files could be 0
size:
1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
2. Force shutdown the server during the command is run, or right after
it's finished
3. Boot the system and look for empty files:
# find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
1266
It looks like this situation can be avoided if the filesystem with the
sandbox is sync()ed before we start to rename() directories in the
store.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
libsemanage/src/semanage_store.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index cd5e46bb..c6a736fe 100644
--- a/src/semanage_store.c
+++ b/src/semanage_store.c
@@ -1736,6 +1736,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
}
close(fd);
+ /* sync changes in sandbox to filesystem */
+ fd = open(sandbox, O_DIRECTORY);
+ if (fd == -1) {
+ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
+ return -1;
+ }
+ if (syncfs(fd) == -1) {
+ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
+ close(fd);
+ return -1;
+ }
+ close(fd);
+
retval = commit_number;
if (semanage_get_active_lock(sh) < 0) {
--
2.33.0
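Review bot: the patch's `diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c` header and the diffstat keep the `libsemanage/` prefix, but the `--- a/src/semanage_store.c` / `+++ b/src/semanage_store.c` lines have had it stripped, so the file headers no longer agree with each other; `patch -p1` will follow the `---`/`+++` lines and apply from the unpacked libsemanage-3.1 root, but the mismatch shows the file was hand-edited after `git format-patch`. Regenerate it with `git format-patch --relative=libsemanage/ -1 c35919a703302bd571476f245d856174a1fe1926` (or strip the prefix from all three places) so the backport is reproducible from the upstream commit named on the `From` line. Two smaller points in the hunk itself: `ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);` logs a bare errno number where `strerror(errno)` would be more useful to an administrator, and `syncfs()` is a Linux-specific call (glibc 2.14+), which is fine for this distribution but worth a line in the changelog so nobody tries to carry the patch to a build without it.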
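The commit message above describes the failure mode that motivates the `syncfs()` call: data written to the sandbox is still in the page cache when the store directories are renamed, so a crash at that moment leaves the renamed files at 0 bytes. The following is an added example, not libsemanage or openEuler code, showing the ordering that avoids it for a single file: write to a temporary sibling, `fsync()` it, `rename()` over the target, then `fsync()` the directory; a separate helper mirrors the patch's `syncfs()` on a directory fd to flush the whole filesystem before a batch of directory renames. It assumes Linux (for `syncfs`) and a writable `/tmp`; the file names and the sample content are constructed for the demonstration.

```c
/* Added example (not libsemanage code): crash-safe "write, fsync, rename"
 * and a syncfs() helper matching the ordering the patch above introduces.
 * Assumes Linux: syncfs() is Linux-specific (glibc >= 2.14). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Flush every dirty page on the filesystem that holds `dir`, the way
 * semanage_commit_sandbox() now does before it renames store directories.
 * Returns 0 on success, -1 with errno set on failure. */
static int sync_fs_of_dir(const char *dir)
{
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd == -1)
        return -1;
    if (syncfs(fd) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Durably replace dir/name with `data`:
 *   1. write the bytes to a temporary sibling file
 *   2. fsync() the temporary so its contents reach disk before the rename
 *   3. rename() it over the target (atomic on POSIX)
 *   4. fsync() the directory so the new directory entry is durable
 * Skipping step 2 is exactly what produces 0-byte files after a crash:
 * the rename can be journalled while the data blocks are still in cache. */
static int write_file_durably(const char *dir, const char *name,
                              const void *data, size_t len)
{
    char tmp[PATH_MAX], final[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s/.%s.tmp", dir, name) >= (int)sizeof tmp ||
        snprintf(final, sizeof final, "%s/%s", dir, name) >= (int)sizeof final) {
        errno = ENAMETOOLONG;
        return -1;
    }

    int fd = open(tmp, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd == -1)
        return -1;

    const char *p = data;
    size_t left = len;
    while (left > 0) {                      /* write() may be partial */
        ssize_t n = write(fd, p, left);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            int saved = errno;
            close(fd);
            unlink(tmp);
            errno = saved;
            return -1;
        }
        p += n;
        left -= (size_t)n;
    }

    if (fsync(fd) == -1) {                  /* step 2: data before rename */
        int saved = errno;
        close(fd);
        unlink(tmp);
        errno = saved;
        return -1;
    }
    if (close(fd) == -1) {
        int saved = errno;
        unlink(tmp);
        errno = saved;
        return -1;
    }

    if (rename(tmp, final) == -1) {         /* step 3: atomic replace */
        int saved = errno;
        unlink(tmp);
        errno = saved;
        return -1;
    }

    int dfd = open(dir, O_RDONLY | O_DIRECTORY);   /* step 4: durable entry */
    if (dfd == -1)
        return -1;
    int rc = fsync(dfd);
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

/* Self-check: write a constructed sample into a fresh temp directory, sync
 * the filesystem, then verify the final file holds the data and no
 * temporary is left behind. Returns 0 on success, -1 otherwise. */
static int demo_roundtrip(void)
{
    char dir[] = "/tmp/durable-XXXXXX";         /* constructed, not a real store */
    if (mkdtemp(dir) == NULL)
        return -1;
    const char msg[] = "/tmp/abc -- system_u:object_r:var_t:s0\n"; /* constructed */
    int rc = -1;
    if (write_file_durably(dir, "file_contexts.local", msg, sizeof msg - 1) == 0 &&
        sync_fs_of_dir(dir) == 0) {
        char final[PATH_MAX], tmp[PATH_MAX], buf[128];
        snprintf(final, sizeof final, "%s/file_contexts.local", dir);
        snprintf(tmp, sizeof tmp, "%s/.file_contexts.local.tmp", dir);
        FILE *f = fopen(final, "r");
        if (f != NULL) {
            size_t n = fread(buf, 1, sizeof buf, f);
            fclose(f);
            if (n == sizeof msg - 1 && memcmp(buf, msg, n) == 0 &&
                access(tmp, F_OK) == -1)
                rc = 0;
        }
        unlink(final);
    }
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_roundtrip();
    printf("durable write round-trip: %s\n", rc == 0 ? "ok" : strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

The per-file `fsync()` pair is what upstream commit 331a109f91ea added for policy files; `sync_fs_of_dir()` is the cheaper-to-reason-about but heavier step the patch above adds for the module store, where hundreds of files are renamed as whole directories and fsyncing each one individually would be impractical. `syncfs()` flushes everything on that filesystem, not only the sandbox, so on a busy host the commit pauses for unrelated I/O as well.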


@ -3,13 +3,14 @@
Name: libsemanage
Version: 3.1
Release: 3
Release: 4
License: LGPLv2+
Summary: SELinux binary policy manipulation library
URL: https://github.com/SELinuxProject/selinux/wiki
Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libsemanage-3.1.tar.gz
Source1: semanage.conf
Patch0: backport-libsemanage-sync-filesystem-with-sandbox.patch
Patch9000: fix-test-failure-with-secilc.patch
Patch9001: libsemanage-Fix-use-after-free-in-parse_module_store.patch
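Review bot: the new `Patch0: backport-libsemanage-sync-filesystem-with-sandbox.patch` modifies `src/semanage_store.c`, and with numeric patch ordering (`%autosetup`/`%autopatch`) it is applied before `Patch9001: libsemanage-Fix-use-after-free-in-parse_module_store.patch`; if that existing patch also touches `semanage_store.c`, confirm in the build log that both still apply without fuzz or offset in this order, because the backported hunk `@@ -1736,6 +1736,19 @@` was generated against upstream index `cd5e46bb`, not against the already-patched tree. The `Release: 3` to `Release: 4` bump is correct for a patch-only change.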
@ -121,6 +122,9 @@ make test
%changelog
* Mon Dec 18 2023 zhangruifang <zhangruifang@h-partners.com> - 3.1-4
- backport patchs from upstream
* Thu Jul 17 2021 luhuaxin <1539327763@qq.com> - 3.1-3
- fix use after free in semanage config parse
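Review bot: the changelog entry `- backport patchs from upstream` has a typo ("patches") and, more importantly, does not say which upstream change was taken; name it, e.g. "backport upstream c35919a703 libsemanage: sync filesystem with sandbox (avoid 0-byte module store files after an unclean shutdown)", so the entry is traceable to the commit in the patch's `From` line and to the user-visible problem it fixes.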