Resolves: #1025126
- Enhance NSCD's SELinux support to use dynamic permission names (#1025126).
This commit is contained in:
parent
56999f00cc
commit
91f5f14b93
135
glibc-rh1025126.patch
Normal file
135
glibc-rh1025126.patch
Normal file
@ -0,0 +1,135 @@
|
||||
diff --git a/nscd/selinux.c b/nscd/selinux.c
|
||||
index 0866c44..ba55b04 100644
|
||||
--- a/nscd/selinux.c
|
||||
+++ b/nscd/selinux.c
|
||||
@@ -44,35 +44,31 @@
|
||||
/* Global variable to tell if the kernel has SELinux support. */
|
||||
int selinux_enabled;
|
||||
|
||||
-/* Define mappings of access vector permissions to request types. */
|
||||
-static const access_vector_t perms[LASTREQ] =
|
||||
+/* Define mappings of request type to AVC permission name. */
|
||||
+static const char *perms[LASTREQ] =
|
||||
{
|
||||
- [GETPWBYNAME] = NSCD__GETPWD,
|
||||
- [GETPWBYUID] = NSCD__GETPWD,
|
||||
- [GETGRBYNAME] = NSCD__GETGRP,
|
||||
- [GETGRBYGID] = NSCD__GETGRP,
|
||||
- [GETHOSTBYNAME] = NSCD__GETHOST,
|
||||
- [GETHOSTBYNAMEv6] = NSCD__GETHOST,
|
||||
- [GETHOSTBYADDR] = NSCD__GETHOST,
|
||||
- [GETHOSTBYADDRv6] = NSCD__GETHOST,
|
||||
- [GETSTAT] = NSCD__GETSTAT,
|
||||
- [SHUTDOWN] = NSCD__ADMIN,
|
||||
- [INVALIDATE] = NSCD__ADMIN,
|
||||
- [GETFDPW] = NSCD__SHMEMPWD,
|
||||
- [GETFDGR] = NSCD__SHMEMGRP,
|
||||
- [GETFDHST] = NSCD__SHMEMHOST,
|
||||
- [GETAI] = NSCD__GETHOST,
|
||||
- [INITGROUPS] = NSCD__GETGRP,
|
||||
-#ifdef NSCD__GETSERV
|
||||
- [GETSERVBYNAME] = NSCD__GETSERV,
|
||||
- [GETSERVBYPORT] = NSCD__GETSERV,
|
||||
- [GETFDSERV] = NSCD__SHMEMSERV,
|
||||
-#endif
|
||||
-#ifdef NSCD__GETNETGRP
|
||||
- [GETNETGRENT] = NSCD__GETNETGRP,
|
||||
- [INNETGR] = NSCD__GETNETGRP,
|
||||
- [GETFDNETGR] = NSCD__SHMEMNETGRP,
|
||||
-#endif
|
||||
+ [GETPWBYNAME] = "getpwd",
|
||||
+ [GETPWBYUID] = "getpwd",
|
||||
+ [GETGRBYNAME] = "getgrp",
|
||||
+ [GETGRBYGID] = "getgrp",
|
||||
+ [GETHOSTBYNAME] = "gethost",
|
||||
+ [GETHOSTBYNAMEv6] = "gethost",
|
||||
+ [GETHOSTBYADDR] = "gethost",
|
||||
+ [GETHOSTBYADDRv6] = "gethost",
|
||||
+ [SHUTDOWN] = "admin",
|
||||
+ [GETSTAT] = "getstat",
|
||||
+ [INVALIDATE] = "admin",
|
||||
+ [GETFDPW] = "shmempwd",
|
||||
+ [GETFDGR] = "shmemgrp",
|
||||
+ [GETFDHST] = "shmemhost",
|
||||
+ [GETAI] = "gethost",
|
||||
+ [INITGROUPS] = "getgrp",
|
||||
+ [GETSERVBYNAME] = "getserv",
|
||||
+ [GETSERVBYPORT] = "getserv",
|
||||
+ [GETFDSERV] = "shmemserv",
|
||||
+ [GETNETGRENT] = "getnetgrp",
|
||||
+ [INNETGR] = "getnetgrp",
|
||||
+ [GETFDNETGR] = "shmemnetgrp",
|
||||
};
|
||||
|
||||
/* Store an entry ref to speed AVC decisions. */
|
||||
@@ -344,7 +340,18 @@ nscd_avc_init (void)
|
||||
|
||||
|
||||
/* Check the permission from the caller (via getpeercon) to nscd.
|
||||
- Returns 0 if access is allowed, 1 if denied, and -1 on error. */
|
||||
+ Returns 0 if access is allowed, 1 if denied, and -1 on error.
|
||||
+
|
||||
+ Implementation note:
|
||||
+ The SELinux policy, enablement, and permission bits are all dynamic
|
||||
+ and the caching done by glibc is not entirely correct. This nscd
|
||||
+ support should be rewritten to use selinux_check_permission.
|
||||
+ A rewrite is risky though and requires some refactoring fist.
|
||||
+ Instead we use symbolic mappings instead of compile time
|
||||
+ constants (which selinux upstream says are going away), and use
|
||||
+ security_deny_unknown to determine what to do if selinux-policy
|
||||
+ doesn't have a definition for the the permission or object class
|
||||
+ we are looking up. */
|
||||
int
|
||||
nscd_request_avc_has_perm (int fd, request_type req)
|
||||
{
|
||||
@@ -354,6 +361,33 @@ nscd_request_avc_has_perm (int fd, request_type req)
|
||||
security_id_t ssid = NULL;
|
||||
security_id_t tsid = NULL;
|
||||
int rc = -1;
|
||||
+ security_class_t sc_nscd = 0;
|
||||
+ access_vector_t perm = 0;
|
||||
+ int avc_deny_unknown = 0;
|
||||
+
|
||||
+ /* Check if SELinux denys or allows unknown object classes
|
||||
+ and permissions. It is 0 if they are allowed, 1 if they
|
||||
+ are not allowed and -1 on error. */
|
||||
+ if ((avc_deny_unknown = security_deny_unknown ()) == -1)
|
||||
+ dbg_log (_("Error querying policy for undefined object classes "
|
||||
+ "or permissions."));
|
||||
+
|
||||
+ /* Get the security class for nscd. If this fails we will likely be
|
||||
+ unable to do anything unless avc_deny_unknown is 0. */
|
||||
+ if ((sc_nscd = string_to_security_class ("nscd")) == 0
|
||||
+ && avc_deny_unknown == 1)
|
||||
+ dbg_log (_("Error getting security class for nscd."));
|
||||
+
|
||||
+ /* Convert permission to AVC bits. */
|
||||
+ perm = string_to_av_perm (sc_nscd, perms[req]);
|
||||
+ if (perm == 0 && avc_deny_unknown == 1)
|
||||
+ dbg_log (_("Error translating permission name "
|
||||
+ "\"%s\" to access vector bit."), perms[req]);
|
||||
+
|
||||
+ /* If the nscd security class was not found or perms were not
|
||||
+ found and AVC does not deny unknown values then allow it. */
|
||||
+ if ((sc_nscd == 0 || perm == 0) && avc_deny_unknown == 0)
|
||||
+ return 0;
|
||||
|
||||
if (getpeercon (fd, &scon) < 0)
|
||||
{
|
||||
@@ -372,15 +406,7 @@ nscd_request_avc_has_perm (int fd, request_type req)
|
||||
goto out;
|
||||
}
|
||||
|
||||
-#ifndef NSCD__GETSERV
|
||||
- if (perms[req] == 0)
|
||||
- {
|
||||
- dbg_log (_("compile-time support for database policy missing"));
|
||||
- goto out;
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
- rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0;
|
||||
+ rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0;
|
||||
|
||||
out:
|
||||
if (scon)
|
@ -1,6 +1,6 @@
|
||||
%define glibcsrcdir glibc-2.18-332-gb125d3e
|
||||
%define glibcversion 2.18.90
|
||||
%define glibcrelease 13%{?dist}
|
||||
%define glibcrelease 14%{?dist}
|
||||
# Pre-release tarballs are pulled in from git using a command that is
|
||||
# effectively:
|
||||
#
|
||||
@ -211,6 +211,9 @@ Patch2026: %{name}-rh841787.patch
|
||||
# Upstream BZ 14185
|
||||
Patch2027: %{name}-rh819430.patch
|
||||
|
||||
# Fix nscd to use permission names not constants.
|
||||
Patch2028: %{name}-rh1025126.patch
|
||||
|
||||
##############################################################################
|
||||
# End of glibc patches.
|
||||
##############################################################################
|
||||
@ -535,6 +538,7 @@ package or when debugging this package.
|
||||
%patch0043 -p1
|
||||
%patch0044 -p1
|
||||
%patch0046 -p1
|
||||
%patch2028 -p1
|
||||
|
||||
##############################################################################
|
||||
# %%prep - Additional prep required...
|
||||
@ -1620,6 +1624,9 @@ rm -f *.filelist*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Nov 8 2013 Carlos O'Donell <carlos@redhat.com> - 2.18.90-14
|
||||
- Enhance NSCD's SELinux support to use dynamic permission names (#1025126).
|
||||
|
||||
* Mon Oct 28 2013 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.18.90-13
|
||||
- Sync with upstream master.
|
||||
- Skip over unimplemented timezone format specifier in strptime (#947722).
|
||||
|
Loading…
Reference in New Issue
Block a user