diff --git a/backport-libsemanage-sync-filesystem-with-sandbox.patch b/backport-libsemanage-sync-filesystem-with-sandbox.patch
new file mode 100644
index 0000000000000000000000000000000000000000..dda127e7a54ebe9f69302367f403af07f3898edd
--- /dev/null
+++ b/backport-libsemanage-sync-filesystem-with-sandbox.patch
@@ -0,0 +1,55 @@
+From c35919a703302bd571476f245d856174a1fe1926 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Wed, 27 Jan 2021 12:00:55 +0100
+Subject: [PATCH] libsemanage: sync filesystem with sandbox
+
+Commit 331a109f91ea ("libsemanage: fsync final files before rename")
+added fsync() for policy files and improved situation when something
+unexpected happens right after rename(). However the module store could
+be affected as well. After the following steps module files could be 0
+size:
+
+1. Run `semanage fcontext -a -t var_t "/tmp/abc"`
+2. Force shutdown the server during the command is run, or right after
+ it's finished
+3. Boot the system and look for empty files:
+ # find /var/lib/selinux/targeted/ -type f -size 0 | wc -l
+ 1266
+
+It looks like this situation can be avoided if the filesystem with the
+sandbox is sync()ed before we start to rename() directories in the
+store.
+
+Signed-off-by: Petr Lautrbach
+Acked-by: Nicolas Iooss
+---
+ libsemanage/src/semanage_store.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
+index cd5e46bb..c6a736fe 100644
+--- a/src/semanage_store.c
++++ b/src/semanage_store.c
+@@ -1736,6 +1736,19 @@ static int semanage_commit_sandbox(semanage_handle_t * sh)
+ }
+ close(fd);
+
++ /* sync changes in sandbox to filesystem */
++ fd = open(sandbox, O_DIRECTORY);
++ if (fd == -1) {
++ ERR(sh, "Error while opening %s for syncfs(): %d", sandbox, errno);
++ return -1;
++ }
++ if (syncfs(fd) == -1) {
++ ERR(sh, "Error while syncing %s to filesystem: %d", sandbox, errno);
++ close(fd);
++ return -1;
++ }
++ close(fd);
++
+ retval = commit_number;
+
+ if (semanage_get_active_lock(sh) < 0) {
+--
+2.33.0
+
diff --git a/libsemanage.spec b/libsemanage.spec
index 8241ecdb88295b7c91912c50529d796161384b78..05d17139fc55faee390794fe733d55a9a4c7f949 100644
--- a/libsemanage.spec
+++ b/libsemanage.spec
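Review bot: The added `fd = open(sandbox, O_DIRECTORY);` passes no access mode and no close-on-exec flag, so it leans on `O_RDONLY` being zero and the descriptor stays inheritable by any child process spawned while it is open; `fd = open(sandbox, O_RDONLY | O_DIRECTORY | O_CLOEXEC);` states the intent at no cost. `syncfs()` is Linux-specific (glibc 2.14+, `_GNU_SOURCE`) and flushes every dirty page on the filesystem that holds the store, not just the sandbox, so on a busy `/var` this commit step can stall for a noticeable time — a comment such as `/* syncfs() flushes the whole filesystem, not only the sandbox; accepted so the module files are durable before the rename()s below */` would record that trade-off for the next maintainer. As far as I know, kernels before 5.8 do not surface writeback errors through syncfs() at all, so the `== -1` check mostly catches descriptor problems rather than a failed flush; the durability guarantee is therefore kernel-dependent and worth a hedged note. The two `ERR()` calls print the raw errno number with `%d`; `strerror(errno)` would make the log readable without a lookup, if that matches how the rest of semanage_store.c reports errors. semanage_commit_sandbox() begins before the hunk and its body continues after the last context line.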
@@ -3,13 +3,14 @@ Name: libsemanage
 Version: 3.1
-Release: 3
+Release: 4
 License: LGPLv2+
 Summary: SELinux binary policy manipulation library
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libsemanage-3.1.tar.gz
 Source1: semanage.conf
+Patch0: backport-libsemanage-sync-filesystem-with-sandbox.patch
 Patch9000: fix-test-failure-with-secilc.patch
 Patch9001: libsemanage-Fix-use-after-free-in-parse_module_store.patch
@@ -121,6 +122,9 @@ make test
 %changelog
+* Mon Dec 18 2023 zhangruifang - 3.1-4
+- backport patchs from upstream
+
 * Thu Jul 17 2021 luhuaxin <1539327763@qq.com> - 3.1-3
 - fix use after free in semanage config parse