packages/rpm
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

solve the error of setexecfilecon

Browse Source
This commit is contained in:
Yangyang Shen 2020-05-22 21:08:12 +08:00
parent bf22e8bbe2
commit 1b545e1a52
2 changed files with 121 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
Use-common-error-logic-regardless-of-setexecfilecon-.patch Normal file
View File

@ -0,0 +1,113 @@
From 153c5c219844f0f294862c9043b20f4d24f7fa69 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Tue, 18 Feb 2020 15:50:40 +0200
Subject: [PATCH] Use common error logic regardless of setexecfilecon()
availability
Refactor the custom exec context setting code to look like setexecfilecon()
in case the real one is not available to eliminate pesky behavioral
differences between the two cases.
This fixes a concrete bug of libselinux setexecfilecon() returning with
an error when security_getenforce() returns with -1 (such as a bare
chroot with no /sys mounts etc), causing us to spit out useless error
messages in that case ever since fixing the bogus if-logic in
commit ab601b882b9d9d8248250111317615db1aa7b7c6.
Fixes: #1077
---
plugins/selinux.c | 44 +++++++++++++++++++++-----------------------
1 file changed, 21 insertions(+), 23 deletions(-)
diff --git a/plugins/selinux.c b/plugins/selinux.c
index ba37ffabe..12545174d 100644
--- a/plugins/selinux.c
+++ b/plugins/selinux.c
@@ -94,65 +94,63 @@ static rpmRC selinux_psm_pre(rpmPlugin plugin, rpmte te)
return rc;
}
-static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
- const char *path, int type)
-{
- rpmRC rc = RPMRC_FAIL;
- int xx;
#ifndef HAVE_SETEXECFILECON
+static int setexecfilecon(const char *path, const char *fallback_type)
+{
+ int rc = -1;
security_context_t mycon = NULL, fcon = NULL, newcon = NULL;
context_t con = NULL;
- if (sehandle == NULL)
- return RPMRC_OK;
-
/* Figure the context to for next exec() */
if (getcon(&mycon) < 0)
goto exit;
if (getfilecon(path, &fcon) < 0)
goto exit;
- if (security_compute_create(mycon, fcon, string_to_security_class("process"), &newcon) < 0)
+ if (security_compute_create(mycon, fcon,
+ string_to_security_class("process"), &newcon) < 0)
goto exit;
if (rstreq(mycon, newcon)) {
- /* No default transition, use rpm_script_t for now. */
- const char * script_type = "rpm_script_t";
-
con = context_new(mycon);
if (!con)
goto exit;
- if (context_type_set(con, script_type))
+ if (context_type_set(con, fallback_type))
goto exit;
freecon(newcon);
newcon = xstrdup(context_str(con));
}
- if ((xx = setexeccon(newcon)) == 0)
- rc = RPMRC_OK;
-
- rpmlog(loglvl(xx < 0), "setexeccon: (%s, %s) %s\n",
- path, newcon, (xx < 0 ? strerror(errno) : ""));
+ rc = setexeccon(newcon);
exit:
context_free(con);
freecon(newcon);
freecon(fcon);
freecon(mycon);
+ return rc;
+}
+#endif
+
+static rpmRC selinux_scriptlet_fork_post(rpmPlugin plugin,
+ const char *path, int type)
+{
+ /* No default transition, use rpm_script_t for now. */
+ const char *script_type = "rpm_script_t";
+ rpmRC rc = RPMRC_FAIL;
-#else
if (sehandle == NULL)
return RPMRC_OK;
- if ((xx = setexecfilecon(path, "rpm_script_t")) == 0)
+ if (setexecfilecon(path, script_type) == 0)
rc = RPMRC_OK;
- rpmlog(loglvl(xx < 0), "setexecfilecon: (%s) %s\n",
- path, (xx < 0 ? strerror(errno) : ""));
-#endif
/* If selinux is not enforcing, we don't care either */
if (rc && security_getenforce() < 1)
rc = RPMRC_OK;
+ rpmlog(loglvl(rc), "setexecfilecon: (%s, %s) %s\n",
+ path, script_type, rc ? strerror(errno) : "");
+
return rc;
}
--

9
rpm.spec
View File

@ -1,6 +1,6 @@
Name: rpm Name: rpm
Version: 4.15.1 Version: 4.15.1
Release: 15 Release: 16
Summary: RPM Package Manager Summary: RPM Package Manager
License: GPLv2+ License: GPLv2+
URL: http://www.rpm.org/ URL: http://www.rpm.org/
@ -18,6 +18,7 @@ Patch8: change-rpmsigdig-test-s-SHA256HEADER-SHA1HEADER-SIGM.patch
Patch9: bugfix-rpm-4.11.3-add-aarch64_ilp32-arch.patch Patch9: bugfix-rpm-4.11.3-add-aarch64_ilp32-arch.patch
Patch10: bugfix-rpm-4.14.2-fix-tty-failed.patch Patch10: bugfix-rpm-4.14.2-fix-tty-failed.patch
Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch Patch11: bugfix-rpm-4.14.2-wait-once-get-rpmlock-fail.patch
Patch12: Use-common-error-logic-regardless-of-setexecfilecon-.patch
BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel libdb-devel
BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel BuildRequires: zlib-devel libzstd-devel xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel
@ -286,6 +287,12 @@ make check || (cat tests/rpmtests.log; exit 0)
%{_mandir}/man1/gendiff.1* %{_mandir}/man1/gendiff.1*
%changelog %changelog
* Fri May 22 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.15.1-16
- Type:bugfix
- ID:NA
- SUG:NA
- DESC:solve the error of setexecfilecon
* Wed May 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.15.1-15 * Wed May 13 2020 openEuler Buildteam <buildteam@openeuler.org> - 4.15.1-15
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA