diff --git a/0001-selinux-fall-back-to-the-netlink-based-API.patch b/0001-selinux-fall-back-to-the-netlink-based-API.patch new file mode 100644 index 0000000..8db8193 --- /dev/null +++ b/0001-selinux-fall-back-to-the-netlink-based-API.patch @@ -0,0 +1,65 @@ +From bef6d96b5aa48ce4b90633c847158f0ae27c7a10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 27 Oct 2020 19:47:26 +0100 +Subject: [PATCH] selinux: fall back to the netlink-based API + +Fedora Rawhide still has the old policy, so selinux prevents our selinux code +from checking if selinux is enabled. But it seems smart to fall back to the old +API anyway. + +Follow-up for fd5e402fa9377f2860e02bdb5b84d5f5942e73f4. +--- + src/basic/selinux-util.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c +index 1791aeecde..c239634e48 100644 +--- a/src/basic/selinux-util.c ++++ b/src/basic/selinux-util.c +@@ -133,6 +133,7 @@ static int open_label_db(void) { + int mac_selinux_init(void) { + #if HAVE_SELINUX + int r; ++ bool have_status_page = false; + + if (initialized) + return 0; +@@ -140,9 +141,15 @@ int mac_selinux_init(void) { + if (!mac_selinux_use()) + return 0; + +- r = selinux_status_open(/* no netlink fallback */ 0); +- if (r < 0) +- return log_enforcing_errno(errno, "Failed to open SELinux status page: %m"); ++ r = selinux_status_open(/* netlink fallback */ 1); ++ if (r < 0) { ++ if (!ERRNO_IS_PRIVILEGE(errno)) ++ return log_enforcing_errno(errno, "Failed to open SELinux status page: %m"); ++ log_warning_errno(errno, "selinux_status_open() failed, using the netlink fallback: %m"); ++ } else if (r == 1) ++ log_warning("selinux_status_open() failed to open the status page, using the netlink fallback."); ++ else ++ have_status_page = true; + + r = open_label_db(); + if (r < 0) { +@@ -150,13 +157,14 @@ int mac_selinux_init(void) { + return r; + } + +- /* save the current policyload sequence number, so `mac_selinux_maybe_reload()` does +- not trigger on first call without any actual change */ ++ /* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on ++ * first call without any actual change. */ + last_policyload = selinux_status_policyload(); + +- /* now that the SELinux status page has been successfully opened, +- retrieve the enforcing status over it (to avoid system calls in `security_getenforce()`) */ +- enforcing_status_func = selinux_status_getenforce; ++ if (have_status_page) ++ /* Now that the SELinux status page has been successfully opened, retrieve the enforcing ++ * status over it (to avoid system calls in security_getenforce()). */ ++ enforcing_status_func = selinux_status_getenforce; + + initialized = true; + #endif diff --git a/systemd.spec b/systemd.spec index ca3cd4f..fb96642 100644 --- a/systemd.spec +++ b/systemd.spec @@ -71,6 +71,9 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0001: use-bfq-scheduler.patch +# While we don't have https://github.com/SELinuxProject/refpolicy/pull/308 +Patch0002: 0001-selinux-fall-back-to-the-netlink-based-API.patch + Patch0009: https://github.com/systemd/systemd/pull/17050/commits/f58b96d3e8d1cb0dd3666bc74fa673918b586612.patch %ifarch %{ix86} x86_64 aarch64