Add workaround for selinux preventing use of selinux status page

2020-10-27 19:50:43 +01:00 · 2020-10-27 19:50:43 +01:00 · a734fa3ff3
parent b6a8363c43
commit a734fa3ff3
2 changed files with 68 additions and 0 deletions
--- a/0001-selinux-fall-back-to-the-netlink-based-API.patch
+++ b/0001-selinux-fall-back-to-the-netlink-based-API.patch
@ -0,0 +1,65 @@
+From bef6d96b5aa48ce4b90633c847158f0ae27c7a10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 27 Oct 2020 19:47:26 +0100
+Subject: [PATCH] selinux: fall back to the netlink-based API
+
+Fedora Rawhide still has the old policy, so selinux prevents our selinux code
+from checking if selinux is enabled. But it seems smart to fall back to the old
+API anyway.
+
+Follow-up for fd5e402fa9377f2860e02bdb5b84d5f5942e73f4.
+---
+ src/basic/selinux-util.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
+index 1791aeecde..c239634e48 100644
+--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
+@@ -133,6 +133,7 @@ static int open_label_db(void) {
+ int mac_selinux_init(void) {
+ #if HAVE_SELINUX
+         int r;
+        bool have_status_page = false;
+ 
+         if (initialized)
+                 return 0;
+@@ -140,9 +141,15 @@ int mac_selinux_init(void) {
+         if (!mac_selinux_use())
+                 return 0;
+ 
+-        r = selinux_status_open(/* no netlink fallback */ 0);
+-        if (r < 0)
+-                return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+        r = selinux_status_open(/* netlink fallback */ 1);
+        if (r < 0) {
+                if (!ERRNO_IS_PRIVILEGE(errno))
+                        return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+                log_warning_errno(errno, "selinux_status_open() failed, using the netlink fallback: %m");
+        } else if (r == 1)
+                log_warning("selinux_status_open() failed to open the status page, using the netlink fallback.");
+        else
+                have_status_page = true;
+ 
+         r = open_label_db();
+         if (r < 0) {
+@@ -150,13 +157,14 @@ int mac_selinux_init(void) {
+                 return r;
+         }
+ 
+-        /* save the current policyload sequence number, so `mac_selinux_maybe_reload()` does
+-           not trigger on first call without any actual change */
+        /* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on
+         * first call without any actual change. */
+         last_policyload = selinux_status_policyload();
+ 
+-        /* now that the SELinux status page has been successfully opened,
+-           retrieve the enforcing status over it (to avoid system calls in `security_getenforce()`) */
+-        enforcing_status_func = selinux_status_getenforce;
+        if (have_status_page)
+                /* Now that the SELinux status page has been successfully opened, retrieve the enforcing
+                 * status over it (to avoid system calls in security_getenforce()). */
+                enforcing_status_func = selinux_status_getenforce;
+ 
+         initialized = true;
+ #endif
--- a/systemd.spec
+++ b/systemd.spec
@ -71,6 +71,9 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0001:      use-bfq-scheduler.patch

+# While we don't have https://github.com/SELinuxProject/refpolicy/pull/308
+Patch0002:      0001-selinux-fall-back-to-the-netlink-based-API.patch
+
 Patch0009:      https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch

 %ifarch %{ix86} x86_64 aarch64