From 91f5f14b937066131cdbba55051ddf0a6f2948b8 Mon Sep 17 00:00:00 2001 From: Carlos O'Donell Date: Nov 09 2013 07:15:56 +0000 Subject: Resolves: #1025126 - Enhance NSCD's SELinux support to use dynamic permission names (#1025126). --- diff --git a/glibc-rh1025126.patch b/glibc-rh1025126.patch new file mode 100644 index 0000000..ac6b481 --- /dev/null +++ b/glibc-rh1025126.patch @@ -0,0 +1,135 @@ +diff --git a/nscd/selinux.c b/nscd/selinux.c +index 0866c44..ba55b04 100644 +--- a/nscd/selinux.c ++++ b/nscd/selinux.c +@@ -44,35 +44,31 @@ + /* Global variable to tell if the kernel has SELinux support. */ + int selinux_enabled; + +-/* Define mappings of access vector permissions to request types. */ +-static const access_vector_t perms[LASTREQ] = ++/* Define mappings of request type to AVC permission name. */ ++static const char *perms[LASTREQ] = + { +- [GETPWBYNAME] = NSCD__GETPWD, +- [GETPWBYUID] = NSCD__GETPWD, +- [GETGRBYNAME] = NSCD__GETGRP, +- [GETGRBYGID] = NSCD__GETGRP, +- [GETHOSTBYNAME] = NSCD__GETHOST, +- [GETHOSTBYNAMEv6] = NSCD__GETHOST, +- [GETHOSTBYADDR] = NSCD__GETHOST, +- [GETHOSTBYADDRv6] = NSCD__GETHOST, +- [GETSTAT] = NSCD__GETSTAT, +- [SHUTDOWN] = NSCD__ADMIN, +- [INVALIDATE] = NSCD__ADMIN, +- [GETFDPW] = NSCD__SHMEMPWD, +- [GETFDGR] = NSCD__SHMEMGRP, +- [GETFDHST] = NSCD__SHMEMHOST, +- [GETAI] = NSCD__GETHOST, +- [INITGROUPS] = NSCD__GETGRP, +-#ifdef NSCD__GETSERV +- [GETSERVBYNAME] = NSCD__GETSERV, +- [GETSERVBYPORT] = NSCD__GETSERV, +- [GETFDSERV] = NSCD__SHMEMSERV, +-#endif +-#ifdef NSCD__GETNETGRP +- [GETNETGRENT] = NSCD__GETNETGRP, +- [INNETGR] = NSCD__GETNETGRP, +- [GETFDNETGR] = NSCD__SHMEMNETGRP, +-#endif ++ [GETPWBYNAME] = "getpwd", ++ [GETPWBYUID] = "getpwd", ++ [GETGRBYNAME] = "getgrp", ++ [GETGRBYGID] = "getgrp", ++ [GETHOSTBYNAME] = "gethost", ++ [GETHOSTBYNAMEv6] = "gethost", ++ [GETHOSTBYADDR] = "gethost", ++ [GETHOSTBYADDRv6] = "gethost", ++ [SHUTDOWN] = "admin", ++ [GETSTAT] = "getstat", ++ [INVALIDATE] = "admin", ++ [GETFDPW] = "shmempwd", ++ [GETFDGR] = "shmemgrp", ++ [GETFDHST] = "shmemhost", ++ [GETAI] = "gethost", ++ [INITGROUPS] = "getgrp", ++ [GETSERVBYNAME] = "getserv", ++ [GETSERVBYPORT] = "getserv", ++ [GETFDSERV] = "shmemserv", ++ [GETNETGRENT] = "getnetgrp", ++ [INNETGR] = "getnetgrp", ++ [GETFDNETGR] = "shmemnetgrp", + }; + + /* Store an entry ref to speed AVC decisions. */ +@@ -344,7 +340,18 @@ nscd_avc_init (void) + + + /* Check the permission from the caller (via getpeercon) to nscd. +- Returns 0 if access is allowed, 1 if denied, and -1 on error. */ ++ Returns 0 if access is allowed, 1 if denied, and -1 on error. ++ ++ Implementation note: ++ The SELinux policy, enablement, and permission bits are all dynamic ++ and the caching done by glibc is not entirely correct. This nscd ++ support should be rewritten to use selinux_check_permission. ++ A rewrite is risky though and requires some refactoring fist. ++ Instead we use symbolic mappings instead of compile time ++ constants (which selinux upstream says are going away), and use ++ security_deny_unknown to determine what to do if selinux-policy ++ doesn't have a definition for the the permission or object class ++ we are looking up. */ + int + nscd_request_avc_has_perm (int fd, request_type req) + { +@@ -354,6 +361,33 @@ nscd_request_avc_has_perm (int fd, request_type req) + security_id_t ssid = NULL; + security_id_t tsid = NULL; + int rc = -1; ++ security_class_t sc_nscd = 0; ++ access_vector_t perm = 0; ++ int avc_deny_unknown = 0; ++ ++ /* Check if SELinux denys or allows unknown object classes ++ and permissions. It is 0 if they are allowed, 1 if they ++ are not allowed and -1 on error. */ ++ if ((avc_deny_unknown = security_deny_unknown ()) == -1) ++ dbg_log (_("Error querying policy for undefined object classes " ++ "or permissions.")); ++ ++ /* Get the security class for nscd. If this fails we will likely be ++ unable to do anything unless avc_deny_unknown is 0. */ ++ if ((sc_nscd = string_to_security_class ("nscd")) == 0 ++ && avc_deny_unknown == 1) ++ dbg_log (_("Error getting security class for nscd.")); ++ ++ /* Convert permission to AVC bits. */ ++ perm = string_to_av_perm (sc_nscd, perms[req]); ++ if (perm == 0 && avc_deny_unknown == 1) ++ dbg_log (_("Error translating permission name " ++ "\"%s\" to access vector bit."), perms[req]); ++ ++ /* If the nscd security class was not found or perms were not ++ found and AVC does not deny unknown values then allow it. */ ++ if ((sc_nscd == 0 || perm == 0) && avc_deny_unknown == 0) ++ return 0; + + if (getpeercon (fd, &scon) < 0) + { +@@ -372,15 +406,7 @@ nscd_request_avc_has_perm (int fd, request_type req) + goto out; + } + +-#ifndef NSCD__GETSERV +- if (perms[req] == 0) +- { +- dbg_log (_("compile-time support for database policy missing")); +- goto out; +- } +-#endif +- +- rc = avc_has_perm (ssid, tsid, SECCLASS_NSCD, perms[req], &aeref, NULL) < 0; ++ rc = avc_has_perm (ssid, tsid, sc_nscd, perm, &aeref, NULL) < 0; + + out: + if (scon) diff --git a/glibc.spec b/glibc.spec index 72477fe..ef9d642 100644 --- a/glibc.spec +++ b/glibc.spec @@ -1,6 +1,6 @@ %define glibcsrcdir glibc-2.18-332-gb125d3e %define glibcversion 2.18.90 -%define glibcrelease 13%{?dist} +%define glibcrelease 14%{?dist} # Pre-release tarballs are pulled in from git using a command that is # effectively: # @@ -211,6 +211,9 @@ Patch2026: %{name}-rh841787.patch # Upstream BZ 14185 Patch2027: %{name}-rh819430.patch +# Fix nscd to use permission names not constants. +Patch2028: %{name}-rh1025126.patch + ############################################################################## # End of glibc patches. ############################################################################## @@ -535,6 +538,7 @@ package or when debugging this package. %patch0043 -p1 %patch0044 -p1 %patch0046 -p1 +%patch2028 -p1 ############################################################################## # %%prep - Additional prep required... @@ -1620,6 +1624,9 @@ rm -f *.filelist* %endif %changelog +* Fri Nov 8 2013 Carlos O'Donell - 2.18.90-14 +- Enhance NSCD's SELinux support to use dynamic permission names (#1025126). + * Mon Oct 28 2013 Siddhesh Poyarekar - 2.18.90-13 - Sync with upstream master. - Skip over unimplemented timezone format specifier in strptime (#947722).