From c9c1cc72b533a112f46b483bdc0230adef221404 Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Wed, 17 Jan 2024 17:57:40 +0100 Subject: [PATCH] SELinux: Work around "semanage import bug" RHEL-3295 https://issues.redhat.com/browse/RHEL-3295 The bug can be triggered with customizations such as: semanage port -m -t ssh_port_t -p tcp 8021 semanage port -m -t ssh_port_t -p tcp 2888 semanage user -m user_u -R user_r -R staff_r semanage user -m staff_u -R user_r semanage login -m -s guest_u __default__ -r s0 semanage fcontext -m -t httpd_sys_content_t "/vmlinuz.*" -f l semanage fcontext -m -t httpd_sys_content_t "/xen(/.*)?" Signed-off-by: Vit Mojzis --- .../actors/selinux/selinuxapplycustom/actor.py | 11 ++++++++++- .../libraries/selinuxapplycustom.py | 13 +++++++++++++ .../tests/component_test_selinuxapplycustom.py | 10 ++++++++-- 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/actor.py b/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/actor.py
index 52502e96ed..b7f8376f01 100644
--- a/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/actor.py
+++ b/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/actor.py
@@ -141,7 +141,16 @@ def process(self):
 run(['semanage', 'import'], stdin='{}\n'.format(cmd))
 except CalledProcessError as e:
 self.log.warning('Error applying "semanage {}": {}'.format(cmd, e.stderr))
- failed_custom.append(cmd)
+ # retry with "-m" instead of -a
+ cmd_m = selinuxapplycustom.modify_instead_of_add(cmd)
+ if cmd_m:
+ try:
+ run(['semanage', 'import'], stdin='{}\n'.format(cmd_m))
+ except CalledProcessError as e:
+ self.log.warning('Error applying "semanage {}": {}'.format(cmd_m, e.stderr))
+ failed_custom.append(cmd)
+ else:
+ failed_custom.append(cmd)
 continue
 # clean-up
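Review bot: The retry at `cmd_m = selinuxapplycustom.modify_instead_of_add(cmd)` runs for every CalledProcessError, so a customization that could not be added for an unrelated reason is also re-applied as a modification of an existing policy entry, and nothing in the log records which commands took that path — the only trace is the "Error applying" warning emitted before the retry, which reads as a failure even when the modify then succeeds. Logging the retry lets an operator see which local customizations ended up overriding an existing entry rather than adding one, e.g. `self.log.info('Retrying as modify: "semanage {}"'.format(cmd_m))` before the inner `run(...)`. The inner `except CalledProcessError as e` rebinds the outer handler's `e`; harmless here because the outer `e` is not read afterwards, but naming it `err` avoids the shadowing. `process` starts and ends outside the hunk.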
diff --git a/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/libraries/selinuxapplycustom.py b/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/libraries/selinuxapplycustom.py
index 5113f71a26..c2be147d9f 100644
--- a/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/libraries/selinuxapplycustom.py
+++ b/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/libraries/selinuxapplycustom.py
@@ -5,6 +5,7 @@
 from leapp.libraries.stdlib import api, CalledProcessError, run
 BACKUP_DIRECTORY = '/var/lib/selinux/leapp-backup'
+SEMANAGE_MODIFY_BUG = ["port", "user", "login", "fcontext", "ibpkey", "ibendport", "node", "interface"]
 def list_selinux_modules():
@@ -70,3 +71,15 @@ def back_up_failed(module_path):
 except OSError:
 api.current_logger().warning('Failed to back-up: {}!'.format(module_path))
 return
+
+
+# Work around a "semanage import bug" by replacing "-a" (add) with -m (modify)
+def modify_instead_of_add(command):
+ com = command.split()
+ if len(com) < 2:
+ return None
+ if com[0] in SEMANAGE_MODIFY_BUG and com[1] == "-a":
+ com[1] = "-m"
+ return " ".join(com)
+
+ return None
diff --git a/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/tests/component_test_selinuxapplycustom.py b/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/tests/component_test_selinuxapplycustom.py
index 0b340da0bf..8a4665c13d 100644
--- a/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/tests/component_test_selinuxapplycustom.py
+++ b/repos/system_upgrade/common/actors/selinux/selinuxapplycustom/tests/component_test_selinuxapplycustom.py
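Review bot: `SEMANAGE_MODIFY_BUG` is consulted only for membership and carries no explanation of what qualifies an object class for the list, so a maintainer cannot tell whether a missing class is an oversight or deliberate. A short comment above it, such as `# semanage object classes whose modified default entries are exported as "-a" (RHEL-3295)`, records the reason, and a tuple or frozenset would also signal that the collection is not meant to be mutated at runtime.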
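Review bot: `modify_instead_of_add` rebuilds the command with `command.split()` followed by `" ".join(com)`, which collapses any run of whitespace inside the arguments, so an fcontext regex or path that legitimately contains two consecutive spaces would be applied as a different pattern than the one exported. Limiting the split to the first two tokens keeps the remainder byte-for-byte intact: `com = command.split(None, 2)`. The function also has only a one-line comment; a docstring stating the expected layout (object class first, `-a` second, everything after it passed through unchanged) and that `None` means "no rewrite applies" would document the contract the actor relies on.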
@@ -22,12 +22,18 @@
 # [0] will be passed to the actor as "removed"
 # [1] will not be passed to the actor and should not be removed
-# rest are valid and should be applied by the actor
+# the rest will be passed as valid and should be applied by the actor
+# [4]-[7] cannot be added without tweaking the commands (testing the fix for
+# "semanage export" bug where "-a" is exported instead of "-m")
 SEMANAGE_COMMANDS = [
 ['fcontext', '-t', 'cgdcbxd_var_run_t', "'/ganesha(/.*)?'"],
 ['user', 'yolo', '-R', 'user_r'],
 ['fcontext', '-t', 'httpd_sys_content_t', "'/web(/.*)?'"],
- ['port', '-t', 'http_port_t', '-p', 'udp', '81']
+ ['port', '-t', 'http_port_t', '-p', 'udp', '81'],
+ ['port', '-t', 'ssh_port_t', '-p', 'tcp', '8021'],
+ ['user', 'user_u', '-R', 'user_r', '-R', 'staff_r'],
+ ['login', '-s', 'guest_u', '__default__', '-r', 's0'],
+ ['fcontext', '-t', 'httpd_sys_content_t', "'/vmlinuz.*'", '-f', 'l']
 ]
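Review bot: The new comment names this the '"semanage export" bug' while the commit subject and the library comment call it the "semanage import bug"; using one name and the ticket reference in all three places makes the test easier to connect to the workaround later, e.g. `# "semanage import bug" (RHEL-3295) where "-a" is exported instead of "-m"`. The hunk does not show where `-a` is prepended to these entries or how the applied result is asserted, so whether [4]-[7] are verified as actually applied rather than merely not reported as failed is outside this hunk.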