ENT-10429: Guarded against race condition in install scriptlets with restorecon #1300

Merged
merged 1 commit into from
Sep 29, 2023
14 changes: 8 additions & 6 deletions packaging/common/cfengine-hub/postinstall.sh
Expand Up @@ -1088,6 +1088,14 @@ if ! [ -f "$PREFIX/UPGRADED_FROM.txt" ] || egrep '3\.([0-6]\.|7\.0)' "$PREFIX/UP
cf_console platform_service cfengine3 stop
fi

# Let's make sure all files and directories created above have correct SELinux
# labels. We do this while the database is stopped on purpose, restorecon caches its list of
# files up-front and the database often adds/removes files as it starts up, especially pg_internal.init
# files inside /var/cfengine/state/pg/data/base/<oid> directories. ENT-10429
if command -v restorecon >/dev/null; then
restorecon -iR /var/cfengine /opt/cfengine
fi

if is_upgrade && [ -f "$PREFIX/UPGRADED_FROM_STATE.txt" ]; then
cf_console restore_cfengine_state "$PREFIX/UPGRADED_FROM_STATE.txt"
rm -f "$PREFIX/UPGRADED_FROM_STATE.txt"
Expand All @@ -1097,10 +1105,4 @@ fi

rm -f "$PREFIX/UPGRADED_FROM.txt"

# Let's make sure all files and directories created above have correct SELinux
# labels.
if command -v restorecon >/dev/null; then
restorecon -iR /var/cfengine /opt/cfengine
fi

exit 0
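Review bot: The relabel that used to run unconditionally just before `exit 0` is removed in this file with no fallback, while the non-hub script in the same PR keeps one behind `restorecon_run`. The block enclosing the new `restorecon -iR /var/cfengine /opt/cfengine` starts outside the hunk, so I cannot tell whether it is reached on every install path. If it sits inside a conditional, as the equivalent spot in the non-hub script does under `if [ -f $PREFIX/policy_server.dat ]`, a fresh hub install that skips the branch would keep whatever SELinux labels its files were created with. Either confirm the new location is unconditional or mirror the non-hub pattern: `restorecon_run=1` after the early call and an `if [ "$restorecon_run" = 0 ]; then` fallback before `exit 0`. The new comment says the database is stopped on purpose, but the only stop visible here is conditional on the `UPGRADED_FROM.txt` check, so it would help to say where the stop is guaranteed.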
17 changes: 13 additions & 4 deletions packaging/common/cfengine-non-hub/postinstall.sh
Expand Up @@ -149,13 +149,21 @@ systemctl restart cfengine3"
fi
fi

restorecon_run=0
if [ -f $PREFIX/policy_server.dat ]; then
if ! [ -f "$PREFIX/UPGRADED_FROM.txt" ] || egrep '3\.([0-6]\.|7\.0)' "$PREFIX/UPGRADED_FROM.txt" > /dev/null; then
# Versions <= 3.7.0 are unreliable in their daemon killing. Kill them one
# more time now that we have upgraded.
cf_console platform_service cfengine3 stop
fi

# Let's make sure all files and directories created above have correct SELinux labels.
# run this BEFORE we start services again to avoid race conditions in restorecon
if command -v restorecon >/dev/null; then
restorecon -iR /var/cfengine /opt/cfengine
restorecon_run=1
fi

if is_upgrade && [ -f "$PREFIX/UPGRADED_FROM_STATE.txt" ]; then
cf_console restore_cfengine_state "$PREFIX/UPGRADED_FROM_STATE.txt"
rm -f "$PREFIX/UPGRADED_FROM_STATE.txt"
Expand All @@ -166,10 +174,11 @@ fi

rm -f "$PREFIX/UPGRADED_FROM.txt"

# Let's make sure all files and directories created above have correct SELinux
# labels.
if command -v restorecon >/dev/null; then
restorecon -iR /var/cfengine /opt/cfengine
if [ $restorecon_run = 0 ]; then
# if we didn't run restorecon above in the already bootstrapped/upgrade case then run it now
if command -v restorecon >/dev/null; then
restorecon -iR /var/cfengine /opt/cfengine
fi
fi

exit 0
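Review bot: `restorecon_run=1` is set whether or not the `restorecon -iR` on the line before it succeeded, and the exit status is discarded, so a failed relabel in the bootstrapped/upgrade branch is silent and also suppresses the fallback near `exit 0`. Mislabelled files under /var/cfengine tend to show up later as AVC denials that are hard to trace back to the package scriptlet, so I would at least report the failure: `restorecon -iR /var/cfengine /opt/cfengine || echo "warning: restorecon failed, SELinux labels may be incorrect" >&2`. As a style point, quote the flag in the test, `if [ "$restorecon_run" = 0 ]; then`. The same `command -v restorecon` block now appears twice and could be a small shell function. In the bootstrapped branch nothing created after the early relabel (for example by `restore_cfengine_state`) is relabelled any more; if that is intended, a one-line comment saying so would save the next reader from guessing.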