Skip to content

Commit

Permalink
SELinux: Work around "semanage import bug" RHEL-3295
Browse files Browse the repository at this point in the history
https://issues.redhat.com/browse/RHEL-3295

The bug can be triggered with customizations such as:
  semanage port -m -t ssh_port_t -p tcp 8021
  semanage port -m -t ssh_port_t -p tcp 2888
  semanage user -m user_u -R user_r -R staff_r
  semanage user -m staff_u -R user_r
  semanage login -m -s guest_u __default__ -r s0
  semanage fcontext -m -t httpd_sys_content_t "/vmlinuz.*" -f l
  semanage fcontext -m -t httpd_sys_content_t "/xen(/.*)?"

Signed-off-by: Vit Mojzis <[email protected]>
  • Loading branch information
vmojzis committed Jan 17, 2024
1 parent 946f8c6 commit cddf785
Show file tree
Hide file tree
Showing 3 changed files with 30 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,16 @@ def process(self):
run(['semanage', 'import'], stdin='{}\n'.format(cmd))
except CalledProcessError as e:
self.log.warning('Error applying "semanage {}": {}'.format(cmd, e.stderr))
failed_custom.append(cmd)
# retry with "-m" instead of -a
cmd_m = selinuxapplycustom.modify_instead_of_add(cmd)
if cmd_m:
try:
run(['semanage', 'import'], stdin='{}\n'.format(cmd_m))
except CalledProcessError as e:
self.log.warning('Error applying "semanage {}": {}'.format(cmd_m, e.stderr))
failed_custom.append(cmd)
else:
failed_custom.append(cmd)
continue

# clean-up
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
from leapp.libraries.stdlib import api, CalledProcessError, run

BACKUP_DIRECTORY = '/var/lib/selinux/leapp-backup'
SEMANAGE_MODIFY_BUG = ["port", "user", "login", "fcontext", "ibpkey", "ibendport", "node", "interface"]


def list_selinux_modules():
Expand Down Expand Up @@ -70,3 +71,15 @@ def back_up_failed(module_path):
except OSError:
api.current_logger().warning('Failed to back-up: {}!'.format(module_path))
return


# Work around a "semanage import bug" by replacing "-a" (add) with -m (modify)
def modify_instead_of_add(command):
com = command.split()
if len(com) < 2:
return None
if com[0] in SEMANAGE_MODIFY_BUG and com[1] == "-a":
com[1] = "-m"
return " ".join(com)

return None
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,18 @@

# [0] will be passed to the actor as "removed"
# [1] will not be passed to the actor and should not be removed
# rest are valid and should be applied by the actor
# the rest will be passed as valid and should be applied by the actor
# [4]-[7] cannot be added without tweaking the commands (testing the fix for
# "semanage export" bug where "-a" is exported instead of "-m")
SEMANAGE_COMMANDS = [
['fcontext', '-t', 'cgdcbxd_var_run_t', "'/ganesha(/.*)?'"],
['user', 'yolo', '-R', 'user_r'],
['fcontext', '-t', 'httpd_sys_content_t', "'/web(/.*)?'"],
['port', '-t', 'http_port_t', '-p', 'udp', '81']
['port', '-a', '-t', 'ssh_port_t', '-p', 'tcp', '8021'],
['user', '-a', 'user_u', '-R', 'user_r', '-R', 'staff_r'],
['login', '-a', '-s', 'guest_u', '__default__', '-r', 's0'],
['fcontext', '-a', '-t', 'httpd_sys_content_t', "'/vmlinuz.*'", '-f', 'l']
]


Expand Down

0 comments on commit cddf785

Please sign in to comment.