solve the error of setexecfilecon
parent
bf22e8bbe2
commit
1b545e1a52
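--- a/Use-common-error-logic-regardless-of-setexecfilecon-.patch
+++ b/Use-common-error-logic-regardless-of-setexecfilecon-.patch
@@ -0,0 +1,113 @@
+From 153c5c219844f0f294862c9043b20f4d24f7fa69 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 18 Feb 2020 15:50:40 +0200
+Subject: [PATCH] Use common error logic regardless of setexecfilecon()
+availability
+
+Refactor the custom exec context setting code to look like setexecfilecon()
+in case the real one is not available to eliminate pesky behavioral
+differences between the two cases.
+
+This fixes a concrete bug of libselinux setexecfilecon() returning with
+an error when security_getenforce() returns with -1 (such as a bare
+chroot with no /sys mounts etc), causing us to spit out useless error
+messages in that case ever since fixing the bogus if-logic in
+commit ab601b882b9d9d8248250111317615db1aa7b7c6.
+
+Fixes: #1077
+---
+plugins/selinux.c | 44 +++++++++++++++++++++-----------------------
+1 file changed, 21 insertions(+), 23 deletions(-)
+
+diff --git a/plugins/selinux.c b/plugins/selinux.c
+index ba37ffabe..12545174d 100644
+--- a/plugins/selinux.c
++++ b/plugins/selinux.c
+@@ -94,65 +94,63 @@ static rpmRC selinux_psm_pre(rpmPlugin plugin, rpmte te)
+return rc;
+}
+
+-static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
+- const char *path, int type)
+-{
+- rpmRC rc = RPMRC_FAIL;
+- int xx;
+#ifndef HAVE_SETEXECFILECON
++static int setexecfilecon(const char *path, const char *fallback_type)
++{
++ int rc = -1;
+security_context_t mycon = NULL, fcon = NULL, newcon = NULL;
+context_t con = NULL;
+
+- if (sehandle == NULL)
+- return RPMRC_OK;
+-
+/* Figure the context to for next exec() */
+if (getcon(&mycon) < 0)
+goto exit;
+if (getfilecon(path, &fcon) < 0)
+goto exit;
+- if (security_compute_create(mycon, fcon, string_to_security_class("process"), &newcon) < 0)
++ if (security_compute_create(mycon, fcon,
++ string_to_security_class("process"), &newcon) < 0)
+goto exit;
+
+if (rstreq(mycon, newcon)) {
+- /* No default transition, use rpm_script_t for now. */
+- const char * script_type = "rpm_script_t";
+-
+con = context_new(mycon);
+if (!con)
+goto exit;
+- if (context_type_set(con, script_type))
++ if (context_type_set(con, fallback_type))
+goto exit;
+freecon(newcon);
+newcon = xstrdup(context_str(con));
+}
+
+- if ((xx = setexeccon(newcon)) == 0)
+- rc = RPMRC_OK;
+-
+- rpmlog(loglvl(xx < 0), "setexeccon: (%s, %s) %s\n",
+- path, newcon, (xx < 0 ? strerror(errno) : ""));
++ rc = setexeccon(newcon);
+
+exit:
+context_free(con);
+freecon(newcon);
+freecon(fcon);
+freecon(mycon);
++ return rc;
++}
++#endif
++
++static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
++ const char *path, int type)
++{
++ /* No default transition, use rpm_script_t for now. */
++ const char *script_type = "rpm_script_t";
++ rpmRC rc = RPMRC_FAIL;
+
+-#else
+if (sehandle == NULL)
+return RPMRC_OK;
+
+- if ((xx = setexecfilecon(path, "rpm_script_t")) == 0)
++ if (setexecfilecon(path, script_type) == 0)
+rc = RPMRC_OK;
+
+- rpmlog(loglvl(xx < 0), "setexecfilecon: (%s) %s\n",
+- path, (xx < 0 ? strerror(errno) : ""));
+-#endif
+/* If selinux is not enforcing, we don't care either */
+if (rc && security_getenforce() < 1)
+rc = RPMRC_OK;
+
++ rpmlog(loglvl(rc), "setexecfilecon: (%s, %s) %s\n",
++ path, script_type, rc ? strerror(errno) : "");
++
+return rc;
+}
+
+--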
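Review bot: The relocated `rpmlog()` at the end of `selinux_scriptlet_fork_post()` reads `errno` only after `security_getenforce()` has run (and, in the fallback `setexecfilecon()`, after the `freecon()`/`context_free()` cleanup), so the reason it prints for a failed context switch may be stale or overwritten. Because the message is keyed on the final `rc`, a failure that is downgraded by `security_getenforce() < 1` is logged with an empty reason at whatever level `loglvl()` gives a zero rc (presumably debug), and that test also matches the -1 "status unknown" case from the commit message. A scriptlet that ran without the `rpm_script_t` transition therefore leaves a record that looks the same as success. Capturing the outcome at the call site keeps the record accurate: `int xx = setexecfilecon(path, script_type); int err = errno;` and then log `xx < 0 ? strerror(err) : ""` while still choosing the level from `rc`.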
9
rpm.spec
9
rpm.spec
@ -1,6 +1,6 @@
|
||||
Name: rpm
|
||||
Version: 4.15.1
|
||||
Release: 15
|
||||
Release: 16
|
||||
Summary: RPM Package Manager
|
||||
License: GPLv2+
|
||||
URL: http://www.rpm.org/
|
||||
@ -18,6 +18,7 @@ Patch8: change-rpmsigdig-test-s-SHA256HEADER-SHA1HEADER-SIGM.patch
|
||||
Patch9: bugfix-rpm-4.11.3-add-aarch64_ilp32-arch.patch
|
||||
Patch10: bugfix-rpm-4.14.2-fix-tty-failed.patch
|
||||
Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch
|
||||
Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch
|
||||
|
||||
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
|
||||
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
|
||||
@ -286,6 +287,12 @@ make check || (cat tests/rpmtests.log; exit 0)
|
||||
%{_mandir}/man1/gendiff.1*
|
||||
|
||||
%changelog
|
||||
* Fri May 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.15.1-16
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:solve the error of setexecfilecon
|
||||
|
||||
* Wed May 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.15.1-15
|
||||
- Type:bugfix
|
||||
- ID:NA
|
||||
|
||||